Pam abl

From Jonathan Gardner's Tech Wiki

Introduction

pam_abl is a PAM module for automatic black-listing, hence the name. It records failed authentication attempts per host and per user, and once a host or user exceeds a configured number of failures within a time window, further authentication attempts from that host (or for that user) are refused until the old failures age out.

It is useful for many things, but I use it to prevent SSH brute-force attacks.

Step 1: Install the Software

Install it on Fedora with:

# yum install pam_abl

Step 2: Configure pam_abl

You may want to tweak /etc/security/pam_abl.conf; the defaults shipped with the package are already sensible. This is what I use:

# /etc/security/pam_abl.conf
debug
host_db=/var/lib/abl/hosts.db
host_purge=2h
host_rule=*:2/1h,30/1d
#user_db=/var/lib/abl/users.db
#user_purge=2d
#user_rule=!root:10/1h,30/1d

The above config says:

  • Log debug messages (they go to syslog, so they show up next to the sshd messages in /var/log/secure)
  • host_purge=2h: keep each host's failure records for 2 hours; failures older than that are forgotten, which is what eventually lets a blocked host try again
  • host_rule=*:2/1h,30/1d: block any host (* matches every host) that has failed twice within the last hour or 30 times within the last day
  • The user_* lines are commented out, so no per-user blocking is done (the commented-out rule would apply to every user except root; root is normally excluded so that an attacker cannot lock root out just by failing on purpose)

Two things to check before copying this. Records older than host_purge are discarded, so with host_purge=2h the 30/1d trigger can never see 30 failures spread over a day; if you want that trigger to mean anything, set host_purge to at least the longest window in host_rule (1d here). And two failures in an hour is strict enough that anyone who mistypes a password twice locks their address out until those failures expire; that is fine if your own logins use keys, which bypass PAM authentication altogether, but tune it if you rely on passwords.

We'll comment out the debug line later, once we have verified that it is all working.
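The purge-versus-rule check described above is easy to get wrong by hand, so here is a small lint script for it. This is an added example written for this page, not code from the pam_abl project; it assumes the key=value layout of pam_abl.conf shown above and the s/m/h/d period suffixes, and it runs against a constructed copy of the config rather than /etc/security/pam_abl.conf.

```shell
#!/bin/sh
# Added example for this page, not code from the pam_abl project: lint a
# pam_abl.conf so that host_purge (how long failure records are kept) is at
# least as long as the longest window in host_rule. Records older than
# host_purge are discarded, so a shorter purge silently disables that trigger.
# Assumes the s/m/h/d period suffixes; anything else is rejected.

# Convert a pam_abl period such as 30m, 2h, 1d or a bare number of seconds
# to seconds. Prints nothing and returns 1 for anything it cannot parse.
abl_seconds() {
  local v=$1 n unit
  case $v in ''|*[!0-9smhd]*) return 1 ;; esac
  n=${v%[smhd]}; unit=${v#"$n"}; : "${unit:=s}"
  case $n in ''|*[!0-9]*) return 1 ;; esac
  case $unit in
    s) echo "$n" ;;
    m) echo $((n * 60)) ;;
    h) echo $((n * 3600)) ;;
    d) echo $((n * 86400)) ;;
  esac
}

# Largest window, in seconds, over all count/period triggers of a rule such
# as '*:2/1h,30/1d' or '!root:10/1h,30/1d'. Clauses are whitespace-separated,
# triggers comma-separated; the host/user spec before ':' is irrelevant here.
abl_max_window() {
  local item secs max=0
  while read -r item; do                      # one trigger per line
    [ -n "$item" ] || continue
    secs=$(abl_seconds "${item#*/}") || return 1
    if [ "$secs" -gt "$max" ]; then max=$secs; fi
  done <<EOF
$(printf '%s\n' "$1" | tr ', ' '\n\n' | sed 's/^[^:]*://')
EOF
  echo "$max"
}

# Report whether a purge period covers a rule; returns 1 when it does not
# and 2 when either value cannot be parsed.
abl_check_purge() {
  local purge=$1 rule=$2 psec wsec
  psec=$(abl_seconds "$purge") || { echo "unparseable purge period: $purge" >&2; return 2; }
  wsec=$(abl_max_window "$rule") || { echo "unparseable rule: $rule" >&2; return 2; }
  if [ "$psec" -lt "$wsec" ]; then
    echo "WARN: purge $purge (${psec}s) is shorter than the longest rule window (${wsec}s); that trigger can never fire"
    return 1
  fi
  echo "OK: purge $purge covers the longest rule window (${wsec}s)"
}

# Pull host_purge and host_rule out of a pam_abl.conf (key=value lines,
# '#' comments) and check them. The last assignment of each key wins.
abl_lint_conf() {
  local purge rule
  purge=$(sed -n 's/^[[:space:]]*host_purge=//p' "$1" | tail -n 1)
  rule=$(sed -n 's/^[[:space:]]*host_rule=//p' "$1" | tail -n 1)
  if [ -z "$purge" ] || [ -z "$rule" ]; then
    echo "no host_purge/host_rule found in $1" >&2
    return 2
  fi
  abl_check_purge "$purge" "$rule"
}

# Demo: a constructed copy of the config shown on this page (never touches
# /etc/security), followed by the corrected purge value.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
debug
host_db=/var/lib/abl/hosts.db
host_purge=2h
host_rule=*:2/1h,30/1d
EOF
if ! abl_lint_conf "$demo_conf"; then
  echo "fix: raise host_purge to at least 1d, or drop the 30/1d trigger"
fi
abl_check_purge 2d '*:2/1h,30/1d'
rm -f "$demo_conf"
```

Run it as root with the real path, `abl_lint_conf /etc/security/pam_abl.conf`, after editing the file; the same check applies to user_purge against user_rule if you enable per-user blocking.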

Step 3: Configure PAM to use pam_abl for SSH

Then add it to SSH authentication by modifying /etc/pam.d/sshd. pam_abl goes at the top of the auth stack so that the connecting host is checked against the block list (and the attempt counted) before system-auth asks for a password. Use the bare module name rather than a full path: PAM resolves it from its own module directory, which is /lib64/security on 64-bit Fedora rather than /lib/security.

#%PAM-1.0
auth       required     pam_abl.so config=/etc/security/pam_abl.conf
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Step 4: Testing

Can you still SSH in?

Before you log out of your current SSH session, verify that you can open a new one. If you can't, you have probably broken /etc/pam.d/sshd; the session you already have open is unaffected, so fix the file from there. Test with a password rather than a key, because public-key logins never enter the PAM auth stack and so tell you nothing about pam_abl (sshd only hands password logins to PAM when /etc/ssh/sshd_config has UsePAM yes, which is the Fedora default). Turn off public key authentication on the client as follows:

$ ssh -o "PubkeyAuthentication=no" you@yourhost

Check the Logs

Check the logs to see that it is doing what you expect. Try to get a host blocked by logging in with the wrong password several times while tailing the log to watch what happens, then try a successful password-authenticated login from an address that is not blocked. Do the failing attempts from an address you can afford to have blocked for up to the purge period (2 hours in the config above); your existing session stays up regardless, since blocking only affects new authentications. On a system that logs to the journal rather than /var/log/secure, use journalctl -f -u sshd instead.

# tail -f /var/log/secure

Step 5: Turn off debugging

Finally, once you are satisfied, turn off debugging by removing the 'debug' line from /etc/security/pam_abl.conf or commenting it out with a '#'.

Notes

Public key authentication

Note that you can still log in with SSH public keys: sshd verifies keys itself and never calls the PAM auth stack for them, so key logins are neither blocked nor counted by pam_abl. pam_abl only sees the methods sshd routes through PAM, i.e. password and keyboard-interactive authentication, and only with UsePAM yes in /etc/ssh/sshd_config. PAM's account and session stacks still run for key logins, so pam_nologin and the rest of the file above still apply to them.

Checking the block list

To see what is currently recorded, run the pam_abl command-line tool, which reads the databases named in the config and lists the hosts and users it knows about and which of them are blocked:

# pam_abl