pam_abl is a PAM module for auto black-listing, hence the name pam_abl.
Step 1: Install the Software
Install it in fedora with:
# yum install pam_abl
Step 2: Configure pam_abl
You may want to tweak /etc/security/pam_abl.conf. The default is, in reality, really, really good.
# /etc/security/pam_abl.conf debug host_db=/var/lib/abl/hosts.db host_purge=2h host_rule=*:2/1h,30/1d #user_db=/var/lib/abl/users.db #user_purge=2d #user_rule=!root:10/1h,30/1d
The above config says:
- Show debug messages
- Allow hosts to try again after 2 hours
- Block hosts who fail twice in an hour or 30 times in a day
- Don't do any user blocking.
We'll comment out the debug line later when we verify that it is all working.
Step 3: Configure PAM to use pam_abl for SSH
Then add it to SSH authentication by modifying the /etc/pam.d/sshd file:
#%PAM-1.0 auth required /lib/security/pam_abl.so config=/etc/security/pam_abl.conf auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so
Step 4: Testing
Can you still SSH in?
Before you log out of your SSH session, verify that you can log back in through SSH. If you can't, then you probably did something bad to /etc/pam.d/sshd. You may want to turn of public key authentication as follows:
$ ssh -o "PubkeyAuthentication=no" you@yourhost
Check the Logs
Check the logs to see that it is doing what you expect. Try to get a host blocked by logging in with the wrong password several times while tailing the logs to see what is happening. You may also want to try a successful, password-authenticated login.
# tail -f /var/log/secure
Step 5: Turn off debugging
Finally, turn off debugging when you are satisfied by removing or commenting out with a '#' the line 'debug' in /etc/security/pam_abl.conf.
Public key authentication
Note that you can still login with SSH public keys since that doesn't use the PAM system for authentication.
Checking the block list
To see what is being blocked, run pam_abl: