From patchwork Tue Oct 1 23:03:36 2019
X-Patchwork-Submitter: Paolo Cerrito
X-Patchwork-Id: 840
From: Paolo Cerrito
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 2 Oct 2019 11:03:36 +0200
Message-Id:
<20191002090337.22783-1-wardragon78@gmail.com>
X-Mailer: git-send-email 2.23.0
Subject: [Openvpn-devel] [PATCH 0/1] *** Insert client connection data into pam environment V2***
Cc: a@unstable.cc

*** This patch makes OpenVPN insert the network client connection data into the PAM environment, so that PAM modules can process them correctly. This improvement can make, for example, dynamic firewalling simpler, and it can be done in PAM.
This patch is used in the VPN environment of the University of Rome "Tor Vergata", where we use the pam_recent module in PAM, like this:

First of all, we configured iptables for the AUTHFAILS xt_recent table:

-A INPUT -m recent --rcheck --seconds 21600 --hitcount 10 --name AUTHFAILS --rsource -m limit --limit 20/min -j LOG --log-prefix "AUTHFAILS-DROP "
-A INPUT -m recent --rcheck --seconds 21600 --hitcount 10 --name AUTHFAILS --rsource -j DROP
-A INPUT -m recent --rcheck --seconds 21600 --hitcount 6 --name AUTHFAILS --rsource -m limit --limit 10/min -j LOG --log-prefix "AUTHFAILS "
-A INPUT -m recent --rcheck --seconds 21600 --hitcount 6 --name AUTHFAILS --rsource -j REJECT --reject-with icmp-host-prohibited

Next, we make PAM insert the client's IP into AUTHFAILS with pam_recent before authentication. If authentication is done and OK, then pam_recent removes it from AUTHFAILS; otherwise it updates the hitcount, so iptables can handle it correctly, as you can see from the rules.

PAM configuration:

common-account:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#
account optional pam_recent.so - AUTHFAILS
#account optional pam_recent.so - AUTHNETFAILS

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
#
# send a notice after login success
#
account required pam_warn.so

common-auth:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
auth optional pam_recent.so + AUTHFAILS
#auth optional pam_recent.so + AUTHNETFAILS

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
***

paolo (1):
  Insert client connection data into PAM environment

 src/plugins/auth-pam/auth-pam.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
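The cover letter says the patch puts the client's connection data into the PAM environment, but the diff itself is not on this page. As an added example (not the patch's code and not OpenVPN's auth-pam.c), the C below shows one defensive way to do that forwarding: an allow-list of the variable names OpenVPN exports to --auth-user-pass-verify scripts (untrusted_ip, untrusted_port, ...), a check that a value cannot carry a control character into a module that writes it to /proc or a log, and the resulting NAME=value strings a plugin would hand to pam_putenv(3). The allow-list, the names build_pam_env/pam_env_get, the sample envp and its addresses and port are this example's assumptions.

```c
/* Added example (not OpenVPN's auth-pam.c): choose which client connection
 * variables an auth plugin forwards to PAM and render them as "NAME=value"
 * strings ready for pam_putenv(3).  The names are the ones OpenVPN exports
 * to --auth-user-pass-verify scripts; the allow-list and the checks are this
 * example's own, not the patch's. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PAM_ENV_MAX 8
#define PAM_ENV_LEN 128

/* Hypothetical allow-list: credentials (username/password) and everything
 * else OpenVPN puts in the environment stay out of the PAM environment,
 * which every module in the stack can read. */
static const char *const forwarded_vars[] = {
    "untrusted_ip", "untrusted_ip6", "untrusted_port", "proto", "dev", NULL
};

/* A module like pam_recent writes the value to /proc/net/xt_recent/<list>;
 * refuse empty values and control characters so a value cannot inject a
 * second line. */
static int value_is_safe(const char *v)
{
    if (*v == '\0') return 0;
    for (; *v; v++)
        if (!isprint((unsigned char)*v)) return 0;
    return 1;
}

/* envp: NULL-terminated "NAME=value" array as an OpenVPN plugin receives it.
 * Copies the allow-listed, well-formed entries into out[] and returns how
 * many it produced; the caller would pam_putenv() each one. */
int build_pam_env(const char *const *envp, char out[][PAM_ENV_LEN], int max_out)
{
    int n = 0;
    for (; *envp != NULL && n < max_out; envp++) {
        const char *eq = strchr(*envp, '=');
        if (eq == NULL || strlen(*envp) >= PAM_ENV_LEN) continue;
        size_t namelen = (size_t)(eq - *envp);
        for (const char *const *w = forwarded_vars; *w != NULL; w++) {
            if (strlen(*w) == namelen && memcmp(*w, *envp, namelen) == 0) {
                if (value_is_safe(eq + 1))
                    strcpy(out[n++], *envp);
                break;
            }
        }
    }
    return n;
}

/* Look NAME up in the produced entries; returns its value or NULL. */
const char *pam_env_get(char env[][PAM_ENV_LEN], int n, const char *name)
{
    size_t len = strlen(name);
    for (int i = 0; i < n; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

/* Constructed sample of what OpenVPN would hand the plugin for one client. */
static const char *const sample_envp[] = {
    "untrusted_ip=198.51.100.9",
    "untrusted_port=51194",
    "username=alice",
    "password=hunter2",
    "untrusted_ip6=2001:db8::1\n+0.0.0.0",   /* malformed on purpose: must be dropped */
    "proto=udp",
    NULL
};

/* Helpers over the sample: how many entries survive, and whether a given
 * NAME is forwarded with the expected value. */
int sample_env_count(void)
{
    char env[PAM_ENV_MAX][PAM_ENV_LEN];
    return build_pam_env(sample_envp, env, PAM_ENV_MAX);
}

int sample_env_has(const char *name, const char *expected)
{
    char env[PAM_ENV_MAX][PAM_ENV_LEN];
    int n = build_pam_env(sample_envp, env, PAM_ENV_MAX);
    const char *v = pam_env_get(env, n, name);
    return v != NULL && strcmp(v, expected) == 0;
}

int main(void)
{
    char env[PAM_ENV_MAX][PAM_ENV_LEN];
    int n = build_pam_env(sample_envp, env, PAM_ENV_MAX);
    for (int i = 0; i < n; i++)
        printf("pam_putenv(\"%s\")\n", env[i]);
    return 0;
}
```

Only untrusted_ip, untrusted_port and proto survive the sample: username and password are not allow-listed, and the IPv6 value containing a newline is rejected rather than passed on, because a "+ADDR" line appended to an xt_recent list is exactly the kind of sink a stray newline would abuse.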
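To see how the AUTHFAILS rules and the two pam_recent lines above interact, here is an added user-space model (not pam_recent's or xt_recent's code) of the list they share: "+" records a hit as pam_recent does in the auth stack before pam_unix/pam_ldap run, "-" forgets the address as the account stack does after a successful auth, and recent_rcheck applies --rcheck --seconds 21600 --hitcount N the way xt_recent does as far as this example assumes (count the stamps no older than the window, match at or above the threshold, never update on a check). The 20-stamp ring per address mirrors the kernel default ip_pkt_list_tot; the addresses, timings and helper names are constructed for the example.

```c
/* Added example (not OpenVPN's, pam_recent's or xt_recent's code): a model
 * of the AUTHFAILS xt_recent list used to trace the REJECT-at-6 / DROP-at-10
 * policy from the rules above against a sequence of PAM events. */
#include <stdio.h>
#include <string.h>

#define RECENT_MAX_ENTRIES 64
#define RECENT_MAX_STAMPS  20      /* xt_recent keeps ip_pkt_list_tot=20 stamps per address by default */
#define AUTHFAILS_WINDOW   21600L  /* --seconds 21600 in the rules above */

struct recent_entry {
    char addr[46];
    long stamps[RECENT_MAX_STAMPS];
    int  nstamps;   /* slots holding a valid stamp */
    int  next;      /* ring position for the next stamp */
};

struct recent_list {
    struct recent_entry e[RECENT_MAX_ENTRIES];
    int n;
};

static struct recent_entry *recent_find(struct recent_list *l, const char *addr)
{
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->e[i].addr, addr) == 0)
            return &l->e[i];
    return NULL;
}

/* "+addr" written to /proc/net/xt_recent/AUTHFAILS: create the entry or
 * record another hit (what --set does for a packet). */
void recent_add(struct recent_list *l, const char *addr, long now)
{
    struct recent_entry *e = recent_find(l, addr);
    if (!e) {
        if (l->n == RECENT_MAX_ENTRIES) return;   /* table full: ignore (assumption) */
        e = &l->e[l->n++];
        memset(e, 0, sizeof *e);
        snprintf(e->addr, sizeof e->addr, "%s", addr);
    }
    e->stamps[e->next] = now;
    e->next = (e->next + 1) % RECENT_MAX_STAMPS;
    if (e->nstamps < RECENT_MAX_STAMPS) e->nstamps++;
}

/* "-addr": forget the address entirely (what --remove does). */
void recent_remove(struct recent_list *l, const char *addr)
{
    struct recent_entry *e = recent_find(l, addr);
    if (!e) return;
    *e = l->e[--l->n];   /* swap-delete; table order does not matter */
}

/* --rcheck --seconds S --hitcount N: match, without touching the entry, when
 * at least N recorded hits are no older than S seconds. */
int recent_rcheck(struct recent_list *l, const char *addr, long now, long seconds, int hitcount)
{
    struct recent_entry *e = recent_find(l, addr);
    if (!e) return 0;
    int hits = 0;
    for (int i = 0; i < e->nstamps; i++)
        if (now - e->stamps[i] <= seconds && ++hits >= hitcount)
            return 1;
    return 0;
}

/* The INPUT chain above in rule order: the hitcount-10 DROP rules come before
 * the hitcount-6 REJECT rules, so a source climbs ACCEPT -> REJECT -> DROP. */
const char *authfails_verdict(struct recent_list *l, const char *addr, long now)
{
    if (recent_rcheck(l, addr, now, AUTHFAILS_WINDOW, 10)) return "DROP";
    if (recent_rcheck(l, addr, now, AUTHFAILS_WINDOW, 6))  return "REJECT";
    return "ACCEPT";
}

/* One PAM conversation for a client at addr: the auth stack adds the address
 * before the password is checked; the account stack, reached only after a
 * successful auth, removes it again. */
void pam_attempt(struct recent_list *l, const char *addr, long now, int auth_ok)
{
    recent_add(l, addr, now);               /* auth    optional pam_recent.so + AUTHFAILS */
    if (auth_ok) recent_remove(l, addr);    /* account optional pam_recent.so - AUTHFAILS */
}

/* Constructed scenario: `failures` bad passwords from one address, `interval`
 * seconds apart, then the verdict for a packet arriving at `check_at`. */
const char *verdict_after_failures(int failures, long interval, long check_at)
{
    struct recent_list l;
    memset(&l, 0, sizeof l);
    for (int i = 0; i < failures; i++)
        pam_attempt(&l, "198.51.100.9", i * interval, 0);
    return authfails_verdict(&l, "198.51.100.9", check_at);
}

/* A user who mistypes once and then succeeds must end up with no entry at
 * all: the earlier failure is forgiven, not merely left under the threshold. */
int legit_user_cleared(void)
{
    struct recent_list l;
    memset(&l, 0, sizeof l);
    pam_attempt(&l, "203.0.113.5", 0, 0);
    pam_attempt(&l, "203.0.113.5", 30, 1);
    return recent_find(&l, "203.0.113.5") == NULL
        && strcmp(authfails_verdict(&l, "203.0.113.5", 60), "ACCEPT") == 0;
}

int main(void)
{
    for (int k = 1; k <= 11; k++)
        printf("%2d failures -> %s\n", k, verdict_after_failures(k, 60, k * 60));
    printf("10 failures, quiet for 6h -> %s\n",
           verdict_after_failures(10, 60, 600 + AUTHFAILS_WINDOW + 1));
    printf("legit user cleared: %s\n", legit_user_cleared() ? "yes" : "no");
    return 0;
}
```

Two properties of the scheme fall out of the trace. Because the firewall rules use --rcheck rather than --update, a blocked source's further SYNs do not extend its ban; the ban lapses 21600 s after the last hit that PAM recorded, and since REJECT/DROP stop those packets before OpenVPN, no further PAM hits are generated. And because the "+" happens in the auth stack before the password is verified while the "-" only runs in the account stack, a correct login leaves no trace, whereas a client that never completes authentication (a scanner, or a misconfigured client retrying) accumulates hits exactly as the rules intend.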