Current-Users archive


Re: blacklistd is now available for current (comments?)



On 23/01/2015 22:52, Rhialto wrote:
> On Wed 21 Jan 2015 at 08:11:59 -0500, Christos Zoulas wrote:
> > As you can see from the patch, the daemon modification is trivial. Yes, I
> > am planning to add this to more daemons (I think I will do named next
> > because it is really spammy on my machines), and yes if there is a way
> > to do this via PAM that would be even better.
>
> Maybe what the pam_af package is doing can be used?
> It can even run a program when blocking a host.

The issue with PAM here is that the command will necessarily run under the user associated with the service, so this means that this user can alter fw rules (which is quite problematic when it is not root).

Passing file descriptors has the advantage of avoiding the confused deputy problem. The application cannot pass a connection to blacklistd that was not accept(2)ed beforehand. Unfortunately the PAM API is not helpful here: pam_handle_t has no field to pass arbitrary data to modules, nor to specify what they can do with it. Blacklisting can also happen in situations where PAM is not necessarily involved (anonymous LDAP binds that thrash slapd, krb TGT bruteforce, slowloris kiddies...).

--
Jean-Yves Migeon

