Poptop

I am searching for ways to limit the number of failed logon attempts to 
our pptp server.  I am wondering if the maxfail option can be used to do 
this.  I would also like to add the IP address of the failed client, to 
be blacklisted, and an email sent to the admin of the pptp server.

Does anyone have any script that can help me out with this?  I would 
like to know what variables I can use in my script to do this.

Also, Does /etc/ppp/ip-up run before or after the user authenticates? 
Is there any script that runs before the user authenticates?  What 
variable is the IP address of the client assigned, so I can pass that to 
another script to have them blacklisted?

Thanks for any help on this..

- Bruce

Re: [Poptop-server] Using maxfail in options.pptpd to restrict failed login attempts From: Ray Van Dolson <rayvd@di...> - 2004-12-23 16:27 ip-up only runs when a user successfully authenticates (it's run when the ppp link is brought up). So I don't think that would help you. If you're running a Radius server you might be able to tell it to enforce this sort of thing. Another solution would be to write a script that monitors your /var/log/messages file for the client IP, and then keep track of whether or not connections from that IP authenticate or fail to authenticate. You could then have this script modify chap/pap secrets as necessary to suspend an account. Maybe someone will have a better idea :) On Thu, Dec 23, 2004 at 10:20:47AM -0500, Bruce Garlock wrote: > I am searching for ways to limit the number of failed logon attempts to > our pptp server. I am wondering if the maxfail option can be used to do > this. I would also like to add the IP address of the failed client, to > be blacklisted, and an email sent to the admin of the pptp server. > > Does anyone have any script that can help me out with this? I would > like to know what variables I can use in my script to do this. > > Also, Does /etc/ppp/ip-up run before or after the user authenticates? > Is there any script that runs before the user authenticates? What > variable is the IP address of the client assigned, so I can pass that to > another script to have them blacklisted? > > Thanks for any help on this.. > > - Bruce

Re: [Poptop-server] Using maxfail in options.pptpd to restrict failed login attempts From: Bruce Garlock <bruceg@ga...> - 2004-12-23 16:31 Ray Van Dolson wrote: > ip-up only runs when a user successfully authenticates (it's run when the > ppp link is brought up). So I don't think that would help you. If you're > running a Radius server you might be able to tell it to enforce this sort > of thing. I may give the Radius route a try. > > Another solution would be to write a script that monitors your > /var/log/messages file for the client IP, and then keep track of whether or > not connections from that IP authenticate or fail to authenticate. You > could then have this script modify chap/pap secrets as necessary to suspend > an account. I was actually just thinking of using swatch to monitor the messages file. I have been looking at how the log file is produced when a user logs on, and when one fails, and will probably write something this way. Anyone else have any better ideas for this? - Bruce > > Maybe someone will have a better idea :) > > On Thu, Dec 23, 2004 at 10:20:47AM -0500, Bruce Garlock wrote: > >>I am searching for ways to limit the number of failed logon attempts to >>our pptp server. I am wondering if the maxfail option can be used to do >>this. I would also like to add the IP address of the failed client, to >>be blacklisted, and an email sent to the admin of the pptp server. >> >>Does anyone have any script that can help me out with this? I would >>like to know what variables I can use in my script to do this. >> >>Also, Does /etc/ppp/ip-up run before or after the user authenticates? >>Is there any script that runs before the user authenticates? What >>variable is the IP address of the client assigned, so I can pass that to >>another script to have them blacklisted? >> >>Thanks for any help on this.. >> >>- Bruce

Re: [Poptop-server] Using maxfail in options.pptpd to restrict failed login attempts From: Bruce Garlock <bruceg@ga...> - 2004-12-23 20:14 Hi Ray, What is the easiest way to have only pptpd, and ppp messages log to their own file? I am trying to figure out how to do this with syslog. Thanks for any help, Bruce PS: Originally I forgot to post this to the list. Does anyone else have any ideas about having *just* ppp, and pptpd messages in their own logfile, without other loglevel info? Bruce Garlock wrote: > Ray Van Dolson wrote: > >> ip-up only runs when a user successfully authenticates (it's run when the >> ppp link is brought up). So I don't think that would help you. If >> you're >> running a Radius server you might be able to tell it to enforce this sort >> of thing. > > > I may give the Radius route a try. > >> >> Another solution would be to write a script that monitors your >> /var/log/messages file for the client IP, and then keep track of >> whether or >> not connections from that IP authenticate or fail to authenticate. You >> could then have this script modify chap/pap secrets as necessary to >> suspend >> an account. > > > I was actually just thinking of using swatch to monitor the messages > file. I have been looking at how the log file is produced when a user > logs on, and when one fails, and will probably write something this way. > > Anyone else have any better ideas for this? > > - Bruce > > >> >> Maybe someone will have a better idea :) >> >> On Thu, Dec 23, 2004 at 10:20:47AM -0500, Bruce Garlock wrote: >> >>> I am searching for ways to limit the number of failed logon attempts to >>> our pptp server. I am wondering if the maxfail option can be used to do >>> this. I would also like to add the IP address of the failed client, to >>> be blacklisted, and an email sent to the admin of the pptp server. >>> >>> Does anyone have any script that can help me out with this? I would >>> like to know what variables I can use in my script to do this. >>> >>> Also, Does /etc/ppp/ip-up run before or after the user authenticates? >>> Is there any script that runs before the user authenticates? What >>> variable is the IP address of the client assigned, so I can pass that to >>> another script to have them blacklisted? >>> >>> Thanks for any help on this.. >>> >>> - Bruce > > > > ------------------------------------------------------- > SF email is sponsored by - The IT Product Guide > Read honest & candid reviews on hundreds of IT Products from real users. > Discover which products truly live up to the hype. Start reading now. > http://productguide.itmanagersjournal.com/ > _______________________________________________ > Poptop-server mailing list > Poptop-server@... > https://lists.sourceforge.net/lists/listinfo/poptop-server

Re: [Poptop-server] Using maxfail in options.pptpd to restrict failed login attempts From: James Cameron <james.cameron@hp...> - 2004-12-23 22:02 On Thu, Dec 23, 2004 at 03:13:59PM -0500, Bruce Garlock wrote: > PS: Originally I forgot to post this to the list. Does anyone else have > any ideas about having *just* ppp, and pptpd messages in their own > logfile, without other loglevel info? I'm guessing you really mean without any other process's logs. You could change the calls to openlog() in the pptpd source files. Currently LOG_DAEMON facility is used. Change this to one of LOG_LOCAL{0,1,2,3,4,5,6,7} and then modify syslog.conf accordingly. The same can be done with pppd. The man page for pppd says it uses the facility LOG_DAEMON and the level LOG_DEBUG. If you find any issues with the message log levels in pptpd, that make it difficult to do this kind of stuff, please let us know. -- James Cameron http://quozl.netrek.org/ HP Open Source, Volunteer http://opensource.hp.com/ PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/

Re: [Poptop-server] Using maxfail in options.pptpd to restrict failed login attempts From: James Cameron <james.cameron@hp...> - 2004-12-23 23:00 No, maxfail will be of no avail because it resets the counter on each connection attempt. maxfail is purely pppd. There's an /etc/ppp/auth-up script executed. It doesn't seem to have ipparam sent to it though. See man pppd. A more thorough engineered solution might be to write a pppd plugin to handle it, or even code in pptpd to handle the situation. I'm curious as to why you need to do this; perhaps there's an alternate solution. e.g. you could use iptables to restrict the rate of connection. -- James Cameron http://quozl.netrek.org/ HP Open Source, Volunteer http://opensource.hp.com/ PPTP Client Project, Release Engineer http://pptpclient.sourceforge.net/

1 message has been excluded from this view by a project administrator.