Template:Article summary start Template:Article summary text Template:Article summary heading Template:Article summary wiki Template:Article summary wiki Template:Article summary wiki Template:Article summary end
Pam_abl provides another layer of security against brute-force SSH password guessing. It allows you to set a maximum number of unsuccessful login attempts within a given time period, after which a host and/or user is blacklisted. Once a host/user is blacklisted, all authentication attempts will fail even if the correct password is given. Hosts/users which stop attempting to login for a specified period of time will be removed from the blacklist.
- 1 Installation
- 2 Configuration
- 3 Managing the blacklist databases
Add pam_abl to the PAM auth stack
/etc/pam.d/sshd as root in your editor of choice. Add the following line above all other lines:
auth required pam_abl.so config=/etc/security/pam_abl.conf
Assuming you haven't made any other modifications, your
/etc/pam.d/sshd should now look like this:
#%PAM-1.0 #auth required pam_securetty.so #Disable remote root auth required pam_abl.so config=/etc/security/pam_abl.conf auth required pam_unix.so auth required pam_env.so account required pam_nologin.so account required pam_unix.so account required pam_time.so password required pam_unix.so session required pam_unix_session.so session required pam_limits.so
/etc/security/pam_abl.conf as root using your editor of choice.
/etc/security/pam_abl.conf is as follows:
# /etc/security/pam_abl.conf db_home=/var/lib/abl/ host_db=/var/lib/abl/hosts.db host_purge=7d host_rule=*:10/1h user_db=/var/lib/abl/users.db user_purge=7d user_rule=!root:10/1h
The paths given in
user_db specify where the blacklists should be stored. Typical paths are
The values given in
user_purge specify the time period before hosts/users are removed from the blacklist. Values are specifed as
<number><suffix> where suffix can be any of
d for units of seconds, minutes, hours or days, respectively.
The rules specified in
user_rule are specified as
<user> is a list of user names separated by |s. The special user name
* matches all users, and prefixing a user by a
! matches all users except the one named.
<attempts> is the number of attempts allowed before a user/host is blacklisted, and
specifies the period in which the attempts must occur. The same time suffixes as described above also apply to
For example, the rule
*:10/1h specifies that for any user, ten failed login attempts within an hour will get the host blacklisted. The rule
!root:10/1h specifies that for any user except root, ten failed login attempts within an hour will get the user blacklisted, regardless of the host the attempts are coming from.
Multiple conditions can be given to the same set of users using comma separation:
Multiple rules can be specified using space separation:
If you only want pam_abl to blacklist one of users or hosts, simply omit the appropriate lines from
Create the blacklist databases
As root, create the directory for the database (assuming you specified the recommended path above):
# mkdir /var/lib/abl
As root, run the pam_abl utility to initialize the databases:
That's it! Pam_abl should now be working. Since PAM is not a daemon, nothing needs to be restarted for these changes to take effect. It's strongly recommended to verify that pam_abl is working by purposely getting a remote host blacklisted. Don't worry though! For directions on how to manually remove a host or user from the blacklist, see below.
Managing the blacklist databases
Check blacklisted hosts/users
As root, simply run:
# pam_abl -p
Manually removed a host or user from the blacklist
As root, simply run:
# pam_abl -w -U <user>
# pam_abl -w -H <host>
Using * as a wildcard to match multiple hosts/users is allowed in both of the above commands.
Manually add a host or user to the blacklist
As root, simply run:
# pam_abl -f -U <user>
# pam_abl -f -H <host>
Other pam_abl commands
Like virtually all linux utilities, a manpage is available to see all options:
$ man pam_abl