Comment 24 for bug 216990

Thiago Martins (martinx) wrote :

About this issue... it's very serious, and maybe it can hang your system during a brute-force attack over SSH. Look at my example:

I have installed Ubuntu 8.04, with SSH open to the world, but only I have the password.

After bringing up my IP address (public), in my /var/log/auth.log I can see a lot of incoming brute-force attacks:

...........
Apr 29 15:53:46 srv33 sshd[5945]: Invalid user test from 218.22.9.118
Apr 29 15:53:46 srv33 sshd[5945]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
Apr 29 15:53:48 srv33 sshd[5945]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
Apr 29 15:53:48 srv33 sshd[5945]: PAM adding faulty module: /lib/security/pam_smbpass.so
Apr 29 15:53:48 srv33 sshd[5945]: pam_unix(sshd:auth): check pass; user unknown
Apr 29 15:53:48 srv33 sshd[5945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.22.9.118
Apr 29 15:53:48 srv33 sshd[5945]: Failed password for invalid user test from 218.22.9.118 port 16679 ssh2
Apr 29 15:53:52 srv33 sshd[6024]: Invalid user guest from 218.22.9.118
Apr 29 15:53:54 srv33 sshd[6024]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
Apr 29 15:53:54 srv33 sshd[6024]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
Apr 29 15:53:54 srv33 sshd[6024]: PAM adding faulty module: /lib/security/pam_smbpass.so
Apr 29 15:53:54 srv33 sshd[6024]: pam_unix(sshd:auth): check pass; user unknown
Apr 29 15:53:54 srv33 sshd[6024]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.22.9.118
Apr 29 15:53:55 srv33 sshd[6024]: Failed password for invalid user guest from 218.22.9.118 port 1853 ssh2
Apr 29 15:53:59 srv33 sshd[6053]: Invalid user admin from 218.22.9.118
Apr 29 15:53:59 srv33 sshd[6053]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
Apr 29 15:53:59 srv33 sshd[6053]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
Apr 29 15:53:59 srv33 sshd[6053]: PAM adding faulty module: /lib/security/pam_smbpass.so
Apr 29 15:53:59 srv33 sshd[6053]: pam_unix(sshd:auth): check pass; user unknown
Apr 29 15:53:59 srv33 sshd[6053]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.22.9.118
Apr 29 15:54:00 srv33 sshd[6053]: Failed password for invalid user admin from 218.22.9.118 port 53665 ssh2
.......

And during these attacks, my load average goes sky-high, around 8.50, even as high as 12.3... with no daemons, only ssh running! No apache, no mysql, nothing.

... seconds after installing "aptitude libpam-smbpass" my system works nicely, with low load average again, even if "under ssh attack"!

So, to solve this problem, I see two options:

1- Disable pam_smbpass in common-auth and common-password under /etc/pam.d or;
2- Put a dependency of libpam-smbpass in something like ubuntu-standard or even ubuntu-minimal.

I prefer the first one; I don't use Samba.

Regards,
Thiago
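
Added example, not part of the original comment or of any Ubuntu package: a shell check for the condition visible in the log above, a PAM configuration that names a module (here pam_smbpass.so) which is absent from the module directory. The function names and the constructed sample files are assumptions; the default paths are the ones named in the comment.

```shell
#!/bin/sh
# Added example: report PAM modules that are referenced in pam.d-style files
# ("type control module [args]") but do not exist on disk.

pam_missing_modules() {
    pam_dir=${1:-/etc/pam.d}        # config directory named in the comment
    mod_dir=${2:-/lib/security}     # module directory seen in the log lines
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        # Emit "<module> <file>" for the first *.so token of every rule line.
        awk -v file="$f" '
            NF == 0 || $1 ~ /^#/ || $1 == "@include" { next }
            {
                for (i = 2; i <= NF; i++)
                    if ($i ~ /\.so$/) { print $i, file; break }
            }' "$f"
    done | while read -r mod file; do
        case $mod in
            /*) path=$mod ;;              # absolute module path
            *)  path=$mod_dir/$mod ;;     # relative to the module directory
        esac
        [ -e "$path" ] ||
            printf '%s: %s not found (%s)\n' "${file##*/}" "$mod" "$path"
    done
}

# Constructed sample: a common-auth that still references pam_smbpass.so
# while only pam_unix.so is present in the module directory.
pam_missing_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/pam.d" "$tmp/security"
    : > "$tmp/security/pam_unix.so"
    printf '%s\n' \
        '# constructed sample, not a real system file' \
        'auth    [success=1 default=ignore]  pam_unix.so nullok_secure' \
        'auth    optional                   pam_smbpass.so migrate' \
        > "$tmp/pam.d/common-auth"
    pam_missing_modules "$tmp/pam.d" "$tmp/security"
    rm -rf "$tmp"
}
```

Calling pam_missing_modules with no arguments checks /etc/pam.d against /lib/security; an empty result means every referenced module was found.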