Pam abl

From ArchWiki
Revision as of 17:50, 12 February 2012


Pam_abl provides another layer of security against brute-force SSH password guessing. It allows you to set a maximum number of unsuccessful login attempts within a given time period, after which a host and/or user is blacklisted. Once a host/user is blacklisted, all authentication attempts will fail even if the correct password is given. Hosts/users which stop attempting to login for a specified period of time will be removed from the blacklist.

Installation

Install the pam_abl PKGBUILD from the AUR using Makepkg.

Configuration

Add pam_abl to the PAM auth stack

Open /etc/pam.d/sshd as root in your editor of choice. Add the following line above all other lines, so that the blacklist check runs before pam_unix.so checks the password (a blacklisted host or user must be rejected even when the password is correct):

auth            required        pam_abl.so config=/etc/security/pam_abl.conf

Assuming you haven't made any other modifications, your /etc/pam.d/sshd should now look like this:

#%PAM-1.0
#auth           required        pam_securetty.so        #Disable remote root
auth            required        pam_abl.so config=/etc/security/pam_abl.conf
auth            required        pam_unix.so
auth            required        pam_env.so
account         required        pam_nologin.so
account         required        pam_unix.so
account         required        pam_time.so
password        required        pam_unix.so
session         required        pam_unix_session.so
session         required        pam_limits.so

Create pam_abl.conf

Create /etc/security/pam_abl.conf as root using your editor of choice.

A sample /etc/security/pam_abl.conf is as follows:

# /etc/security/pam_abl.conf
host_db=/var/lib/abl/hosts.db
host_purge=7d
host_rule=*:10/1h
user_db=/var/lib/abl/users.db
user_purge=7d
user_rule=!root:10/1h

The paths given in host_db and user_db specify where the blacklists should be stored. Typical paths are /var/lib/abl/hosts.db and /var/lib/abl/users.db, respectively.

The values given in host_purge and user_purge specify the time period before hosts/users are removed from the blacklist. Values are specified as <number><suffix> where suffix can be any of s, m, h, or d for units of seconds, minutes, hours or days, respectively.

The rules specified in host_rule and user_rule are specified as <user>:<attempts>/<time period>. <user> is a list of user names separated by |. The special user name * matches all users, and prefixing a user by ! matches all users except the one named. <attempts> is the number of attempts allowed before a user/host is blacklisted, and <time period> specifies the period in which the attempts must occur. The same time suffixes as described above also apply to <time period>.

For example, the rule <code>*:10/1h</code> specifies that for any user, ten failed login attempts within an hour will get the host blacklisted. The rule <code>!root:10/1h</code> specifies that for any user except root, ten failed login attempts within an hour will get the user blacklisted, regardless of the host the attempts are coming from.

Warning: Whether or not to include root in the user_rule must be carefully considered. Not including root has obvious security implications. On the other hand, including root gives attackers the ability to block anyone from logging in as root, simply by making repeated failed attempts against that account (a denial of service against your own administrative access).

Multiple conditions can be given to the same set of users using comma separation (here: ten failures within an hour, or twenty within a day):

user_rule=!root:10/1h,20/1d

Multiple rules can be specified using space separation:

user_rule=!root:10/1h root:25/1h

If you only want pam_abl to blacklist one of users or hosts, simply omit the appropriate lines from <code>/etc/security/pam_abl.conf</code>.
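To make the rule syntax above concrete, the following Python evaluator is an added example for this page; it is not code from the pam_abl project and does not read its databases. It parses rule strings exactly as described (user lists with |, * and !, comma-separated count/period triggers, space-separated clauses, the s/m/h/d suffixes) and answers the question a practitioner wants answered before deploying a rule: given a subject's recorded failures, would this rule blacklist it now? Two points are assumptions rather than facts taken from the page: a subject is treated as blacklisted when any clause that matches the attempted user name has a trigger whose count is reached, and a leading ! negates the whole | list. Confirm both against pam_abl.conf(5) before relying on them. The failure histories are constructed for the demonstration.

```python
"""Evaluate pam_abl-style rule strings against a subject's failure history.

Added example, not pam_abl's own code. Assumptions (check pam_abl.conf(5)):
  * any matching clause with a satisfied trigger blacklists the subject;
  * a leading '!' negates the entire '|'-separated user list.
"""
import re
from dataclasses import dataclass

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_PERIOD_RE = re.compile(r"^(\d+)([smhd])$")


def parse_period(text: str) -> int:
    """'10m' -> 600. Accepts the s/m/h/d suffixes used by purge and rules."""
    m = _PERIOD_RE.match(text)
    if not m:
        raise ValueError(f"bad time period: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


@dataclass(frozen=True)
class Clause:
    negate: bool        # True for '!root' or '!alice|bob' (assumed list-wide)
    users: frozenset    # {'*'} matches every user
    triggers: tuple     # ((attempts, period_seconds), ...)

    def matches(self, user: str) -> bool:
        hit = "*" in self.users or user in self.users
        return not hit if self.negate else hit


def parse_rule(rule: str) -> list:
    """'!root:10/1h,20/1d root:25/1h' -> [Clause, Clause]"""
    clauses = []
    for word in rule.split():          # clauses are space-separated
        if ":" not in word:
            raise ValueError(f"clause without ':': {word!r}")
        spec, trig = word.split(":", 1)
        negate = spec.startswith("!")
        names = frozenset(spec.lstrip("!").split("|"))
        triggers = []
        for t in trig.split(","):     # conditions are comma-separated
            count, period = t.split("/", 1)
            triggers.append((int(count), parse_period(period)))
        clauses.append(Clause(negate, names, tuple(triggers)))
    return clauses


def is_blacklisted(rule: str, user: str, failures: list, now: int) -> bool:
    """failures: epoch seconds of each recorded failure for the subject (a host
    for host_rule, a user for user_rule). True when some clause matching the
    attempted user name has a trigger whose count is reached inside its
    period; '*:10/1h' therefore fires on the tenth failure within an hour."""
    for clause in parse_rule(rule):
        if not clause.matches(user):
            continue
        for attempts, period in clause.triggers:
            recent = sum(1 for ts in failures if now - period < ts <= now)
            if recent >= attempts:
                return True
    return False


def purge(failures: list, purge_period: str, now: int) -> list:
    """Drop failures older than host_purge/user_purge. pam_abl does this
    lazily at the next authentication attempt, not from a daemon."""
    cutoff = now - parse_period(purge_period)
    return [ts for ts in failures if ts > cutoff]


if __name__ == "__main__":
    NOW = 1_700_000_000                               # constructed clock
    burst = [NOW - 60 * i for i in range(1, 11)]       # 10 failures in 10 min
    spread = [NOW - 3000 * i for i in range(1, 11)]    # 10 failures over ~8 h
    print(is_blacklisted("*:10/1h", "alice", burst, NOW))    # True
    print(is_blacklisted("*:10/1h", "alice", spread, NOW))   # False
    # user_rule=!root:10/1h root:25/1h: root needs 25 failures, others 10
    print(is_blacklisted("!root:10/1h root:25/1h", "root", burst, NOW))  # False
    print(is_blacklisted("!root:10/1h root:25/1h", "bob", burst, NOW))   # True
    print(purge([NOW - 8 * 86400, NOW - 60], "7d", NOW) == [NOW - 60])   # True
```

Run it before changing a production rule: feed it the failure pattern you expect from a legitimate but fat-fingered admin and from a scanner, and confirm the rule separates the two the way the Warning above requires.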

Create the blacklist databases

As root, create the directory for the database (assuming you specified the recommended path above):

# mkdir /var/lib/abl

As root, run the pam_abl utility to initialize the databases:

# pam_abl

That's it! Pam_abl should now be working. Since PAM is not a daemon, nothing needs to be restarted for these changes to take effect. It's strongly recommended to verify that pam_abl is working by purposely getting a remote host blacklisted. Use a test host for this, not the machine you administer the server from, so that a mistake in the rules cannot lock you out. Don't worry though! For directions on how to manually remove a host or user from the blacklist, see below.

Managing the blacklist databases

Check blacklisted hosts/users

As root, simply run:

# pam_abl

Note: As pam_abl does not run as a daemon, it performs "lazy purging" of the blacklist. In other words, it does not remove users/hosts from the blacklist until an authentication attempt occurs. This does not affect functionality, although it means expired entries will often still show up when running the above command. To force a purge, run:

# pam_abl -p

Manually remove a host or user from the blacklist

As root, simply run:

# pam_abl -w -U <user>

or

# pam_abl -w -H <host>

Using * as a wildcard to match multiple hosts/users is allowed in both of the above commands.

Manually add a host or user to the blacklist

As root, simply run:

# pam_abl -f -U <user>

or

# pam_abl -f -H <host>

Other pam_abl commands

Like virtually all Linux utilities, pam_abl has a manpage listing all options:

$ man pam_abl