Posts Tagged ‘pam_abl’

Automatically blacklisting password attempts

Tuesday, August 19th, 2008

I’ve tried quite a few methods to block password guessers from guessing passwords on machines that have open SSH, POP, IMAP… What I usually used was iptables and the recent module (see “iptables -m recent --help” if you are interested in that). The main problem with the iptables approach is that it blocks a number of new connections from the same host whether they are invalid password attempts or just a user opening many SSH connections.

In comes pam_abl, which enables blacklisting on unsuccessful password attempts. I’ve installed this on a few Red Hat Enterprise Linux machines; you can download RPMs for RHEL from Dag Wieers’ site.

Download pam_abl

# wget http://dag.wieers.com/rpm/packages/pam_abl/pam_abl-0.2.3-1.el5.rf.x86_64.rpm

Install

# rpm -Uvh pam_abl-0.2.3-1.el5.rf.x86_64.rpm

Configure pam_abl in /etc/pam.d/system-auth

auth        required      pam_env.so
auth        required      pam_abl.so config=/etc/security/pam_abl.conf
auth        sufficient    pam_unix.so nullok try_first_pass

Configure /etc/security/pam_abl.conf according to your own paranoia... ;) Here’s mine:

# /etc/security/pam_abl.conf
# debug
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:4/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:4/1h,30/1d
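To make the rule syntax concrete: a host_rule or user_rule is “subject:count/period,count/period”, and a subject is blocked as soon as any trigger fires. The following is an added example (not pam_abl’s own code) that models that evaluation in Python over constructed failure timestamps; the comma-separated subject list is an assumption beyond what the post shows.

```python
import re
from datetime import datetime, timedelta

# Rules taken from the pam_abl.conf above.
HOST_RULE = "*:4/1h,30/1d"
USER_RULE = "!root:4/1h,30/1d"

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_rule(rule):
    """Split 'subjects:count/period,...' into (subjects, [(count, seconds), ...])."""
    subjects, triggers = rule.split(":", 1)
    parsed = []
    for trig in triggers.split(","):
        m = re.fullmatch(r"(\d+)/(\d+)([smhd])", trig.strip())
        if not m:
            raise ValueError(f"bad trigger: {trig!r}")
        parsed.append((int(m.group(1)), int(m.group(2)) * UNITS[m.group(3)]))
    return subjects, parsed

def subject_matches(subjects, name):
    """'*' matches everyone; '!a,b' matches everyone except a and b (assumed list form)."""
    if subjects == "*":
        return True
    if subjects.startswith("!"):
        return name not in subjects[1:].split(",")
    return name in subjects.split(",")

def is_blocked(rule, name, failures, now):
    """True if any trigger fires: at least `count` failures within the last `period` seconds."""
    subjects, triggers = parse_rule(rule)
    if not subject_matches(subjects, name):
        return False
    for count, period in triggers:
        recent = [t for t in failures if now - t <= timedelta(seconds=period)]
        if len(recent) >= count:
            return True
    return False

def demo():
    now = datetime(2008, 8, 19, 12, 0, 0)               # constructed "current time"
    burst = [now - timedelta(minutes=i) for i in range(5)]  # 5 failures in 10 minutes
    slow = [now - timedelta(days=i) for i in range(5)]      # 5 failures spread over 5 days
    return {
        "burst_host": is_blocked(HOST_RULE, "evil.tommi.org", burst, now),  # True
        "slow_host": is_blocked(HOST_RULE, "evil.tommi.org", slow, now),    # False
        "burst_user": is_blocked(USER_RULE, "tommi", burst, now),           # True
        "burst_root": is_blocked(USER_RULE, "root", burst, now),            # False: !root
    }
```

The slow attacker never reaches 4 failures in any hour or 30 in any day, so neither trigger fires; root is exempt from the user rule because of the leading “!”.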

You can check the state of pam_abl and manipulate it with the pam_abl command:

# pam_abl
Failed users:
tommi (5)
Blocking users [!root]
Failed hosts:
evil.tommi.org (5)
Blocking users [*]

Now you have auto-blacklisting for FTP, SSH, IMAP, POP, basically anything that uses PAM for authentication. You can also use it for just a single service, for instance by putting the pam_abl line in /etc/pam.d/sshd instead of /etc/pam.d/system-auth.