Discussion:
pam_tally2 and tallylog
Phil Beckley
2016-01-23 21:18:47 UTC
Hi all,
I've been looking for documentation and in forums, but I'm not having any
luck getting more information on the items in the subject. I have a couple
of questions and please let me know if this isn't the right place to
address these questions.
1. Why is tallylog a binary file? I would love to parse it like a log, but
that seems like a difficult task.
2. Is there a more in-depth description/explanation of how to modify the
pam conf files? I was looking at the PAM SA guide, but was unable to make
sense of a lot of it as I don't have a background in PAM, as a whole.
Thanks for your help.
P
Paul Whitney
2016-01-23 23:06:02 UTC
Re #1. Maybe what you are looking for is to parse output of command 'lastb'.
Re #2. There are lots of Google references to PAM.
Paul Whitney
email: ***@mac.com
cell: 410.493.9448
Sent from my iPhone
_______________________________________________
Pam-list mailing list
https://www.redhat.com/mailman/listinfo/pam-list
Phil Beckley
2016-01-24 16:07:38 UTC
Maybe a little background would help here. I'm working on a log watcher (of
sorts) for failed SSH logins, only, I'm looking at registered users
exclusively. Auth.log seems too cumbersome to watch and extract out
registered users if a distributed attack occurs. So, I wanted to use
tallylog to see how many failed attempts have occurred for registered users
and use a script from there to take action. What do you think?
Thorsten Kukuk
2016-01-24 18:01:50 UTC
pam_tally2 does not write a log file, this is more or less a database.
If pam_tally2 takes any actions, it logs it via syslog, too. But writing
the database as ascii doesn't make any sense and does not help you.
Either you let pam_tally2 lock the account if too many failed logins
appear, or pam_tally2 is the wrong module for you.
Thorsten
--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
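Thorsten's point that pam_tally2 reports its actions through syslog rather than through tallylog suggests a different route to what Phil is after: watch the syslog lines themselves, but drop the "invalid user" noise first, so that only accounts that really exist are counted. The following script is an added example and is not code from the thread or from Linux-PAM. The auth.log lines are constructed sample data; the sshd "Failed password for ..." wording is the one OpenSSH emits, while the pam_tally2 line follows the "user NAME (UID) tally N, deny M" notice as I recall it from pam_tally2.c, so check it against your own logs. REGISTERED_USERS stands in for a lookup against /etc/passwd.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines (not real data). The sshd
# lines use OpenSSH's password-failure wording; the pam_tally2 line uses the
# "user NAME (UID) tally N, deny M" notice format as recalled from
# pam_tally2.c (assumption: verify against your own syslog).
SAMPLE_AUTH_LOG = """\
Jan 24 10:01:02 host sshd[2101]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Jan 24 10:01:05 host sshd[2101]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Jan 24 10:01:09 host sshd[2104]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
Jan 24 10:01:12 host sshd[2108]: Failed password for invalid user oracle from 203.0.113.10 port 41001 ssh2
Jan 24 10:01:20 host sshd[2110]: Failed password for bob from 192.0.2.33 port 39001 ssh2
Jan 24 10:01:25 host sshd[2112]: Failed password for alice from 198.51.100.8 port 50199 ssh2
Jan 24 10:01:30 host sshd[2112]: pam_tally2(sshd:auth): user alice (1000) tally 3, deny 5
Jan 24 10:02:00 host sshd[2120]: Accepted password for bob from 192.0.2.33 port 39002 ssh2
"""

# Constructed stand-in for the "registered users" to watch; in practice
# build this from /etc/passwd (pwd.getpwall()) or an LDAP query.
REGISTERED_USERS = {"alice", "bob"}

# sshd marks attempts against non-existent accounts with "invalid user";
# capturing that prefix lets us discard them before counting.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
TALLY_RE = re.compile(
    r"pam_tally2\([^)]*\): user (?P<user>\S+) \(\d+\) tally (?P<tally>\d+), deny (?P<deny>\d+)"
)


def count_failures(lines, registered):
    """Return ({user: failures}, {user: set(source IPs)}) for password
    failures against accounts that exist; 'invalid user' lines are dropped."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if not m or m.group("invalid"):
            continue
        user = m.group("user")
        if user not in registered:
            continue
        counts[user] += 1
        sources[user].add(m.group("ip"))
    return counts, sources


def tally_events(lines):
    """Return {user: (tally, deny)} from pam_tally2 syslog notices,
    keeping the most recent value seen for each user."""
    out = {}
    for line in lines:
        m = TALLY_RE.search(line)
        if m:
            out[m.group("user")] = (int(m.group("tally")), int(m.group("deny")))
    return out


def users_over_threshold(counts, sources, threshold=3, min_sources=2):
    """Users with at least `threshold` failures, labelled 'distributed' when
    the attempts came from `min_sources` or more addresses (the case Phil
    says is hard to pick out of auth.log by hand)."""
    result = {}
    for user, n in counts.items():
        if n >= threshold:
            kind = "distributed" if len(sources[user]) >= min_sources else "single-source"
            result[user] = kind
    return result


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    counts, sources = count_failures(lines, REGISTERED_USERS)
    for user, n in counts.items():
        print(f"{user}: {n} failures from {sorted(sources[user])}")
    print("pam_tally2 notices:", tally_events(lines))
    print("over threshold:", users_over_threshold(counts, sources))
```

On the sample data alice is reported as a distributed attempt (three failures from two addresses) and bob is not, while the two guesses against non-existent accounts never reach the counter. To run it against a live system, replace SAMPLE_AUTH_LOG with a tail of /var/log/auth.log (or the journal) and hand the result of users_over_threshold() to whatever action script you already have.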
Phil Beckley
2016-01-24 19:03:46 UTC
Thanks for your response, Thorsten. Can you explain the rationale behind
why tallylog is a binary file?
Thorsten Kukuk
2016-01-25 05:38:55 UTC
As I wrote: it is a database, not a log file. pam_tally2 stores
there the configuration for each user and the amount of failed
logins.
If you ever tried to implement a database as ASCII file, you can
answer yourself why it is a binary file.
Thorsten
--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
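Since Thorsten describes tallylog as a per-user database of failure counts rather than a log, the practical way to read it is as a fixed-size record array indexed by UID, which is also why it is a sparse binary file. The reader below is an added example, not code from the thread or from Linux-PAM. The record layout (2 reserved bytes, a 16-bit failure count, a 64-bit time of last failure, and two 52-byte strings for the tty and remote host, 116 bytes in native byte order with no padding) is what I recall from modules/pam_tally2/tallylog.h and is an assumption to verify against the header on your system; cross-check the numbers with `pam_tally2 --user NAME` before relying on them. The in-memory tallylog built here is constructed test data. Note also that pam_tally2 was removed from Linux-PAM 1.5.0 in favour of pam_faillock, so this only applies to older installations.

```python
import struct
import sys

# Record layout assumed from Linux-PAM's modules/pam_tally2/tallylog.h as I
# recall it: char reserved[2]; uint16_t fail_cnt; uint64_t fail_time;
# char fail_line[52]; char fail_rhost[52]; packed, native byte order.
# Verify against the installed header before trusting these offsets.
TALLY_FMT = "=2sHQ52s52s"
TALLY_SIZE = struct.calcsize(TALLY_FMT)  # 116 bytes per UID


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def read_tally(data, uid):
    """Return the record for `uid` from the raw bytes of tallylog, or None
    when the file is shorter than that offset. The file is sparse and
    indexed by UID, so a hole (all zeros) simply means no failures."""
    off = uid * TALLY_SIZE
    if off + TALLY_SIZE > len(data):
        return None
    _reserved, fail_cnt, fail_time, line, rhost = struct.unpack_from(TALLY_FMT, data, off)
    return {
        "uid": uid,
        "fail_cnt": fail_cnt,
        "fail_time": fail_time,   # seconds since the epoch, UTC
        "line": _cstr(line),
        "rhost": _cstr(rhost),
    }


def dump_tally(data):
    """Yield only records with a non-zero failure count, which is what a
    watcher script actually cares about."""
    for uid in range(len(data) // TALLY_SIZE):
        rec = read_tally(data, uid)
        if rec and rec["fail_cnt"]:
            yield rec


def build_record(fail_cnt, fail_time, line, rhost):
    """Pack one record; struct pads or truncates the 52-byte strings."""
    return struct.pack(TALLY_FMT, b"\0\0", fail_cnt, fail_time,
                       line.encode(), rhost.encode())


def constructed_tallylog():
    """Constructed sample file: uid 1000 has 4 failures from one host,
    uid 1001 exists in the file but is zeroed, nothing beyond uid 1001."""
    data = bytearray(TALLY_SIZE * 1002)
    data[1000 * TALLY_SIZE:1001 * TALLY_SIZE] = build_record(
        4, 1453629600, "ssh:notty", "198.51.100.7")
    return bytes(data)


if __name__ == "__main__":
    # Read the real file if given/readable (it is root-only), otherwise
    # fall back to the constructed sample so the script runs anywhere.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/tallylog"
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        data = constructed_tallylog()
    for rec in dump_tally(data):
        print(rec)
```

Records carry the UID, not the user name, so map them with pwd.getpwuid() when reporting; that also gives the "registered users only" filter for free, since a tally can only exist for a UID that authenticated through a PAM stack containing the module. Remember that a record's count is only reset on successful login or by `pam_tally2 --user NAME --reset`, so a watcher should compare against the previous poll rather than alert on the absolute value every time.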
l***@brimer.org
2016-01-25 06:13:50 UTC
Thorsten has already answered why this is a binary file. It seems that you
are trying to come up with a way to log failed login attempts. I have an
idea for you that is somewhat unconventional:
Use pam_shield <http://www.heiho.net/pam_shield/> and instead of having it
create iptables rules, have it echo a message to logger on a localx
facility .. which will effectively allow you to have a log created of
people failing to log in to your systems. You don't have to use logger or
use syslog even .. rather you could run whatever command is interesting to
you/meets your needs.
Hope this helps,
Barry
Phil Beckley
2016-01-25 11:55:44 UTC
Forgive my ignorance here. I don't know squat about databases. Thanks to
everyone for the answers and suggestions. Barry, I'll check out pam_shield
today.
7 Replies
1078 Views