Package Details: pam_abl 1.0-2

Git Clone URL: (read-only, click to copy)
Package Base: pam_abl
Description: Automated blacklisting on repeated failed authentication attempts
Upstream URL:
Licenses: GPL
Submitter: Mikos
Maintainer: amish
Last Packager: amish
Votes: 11
Popularity: 0.000000
First Submitted: 2005-09-03 00:37 (UTC)
Last Updated: 2023-05-19 12:39 (UTC)

Dependencies (5)

Required by (0)

Sources (3)

Latest Comments

1 2 Next › Last »

kyak commented on 2013-02-08 15:05 (UTC)

@redden0t8 yep, i also have "PermitRootLogin no" in sshd_config, and also uncommented the mentioned line in /etc/pam.d/sshd to disable remote root login. Actually, the reason why i had that question is because i migrated to an updated pambase configuration. Mine looks like this now: #%PAM-1.0 auth required #disable remote root auth required config=/etc/security/pam_abl.conf auth include system-remote-login account include system-remote-login password include system-remote-login session include system-remote-login I figured i'd add the "disable remote root" line first, because i have excluded "root" account from blocking by pam_abl. Just another thought: perhaps a wiki page have to be edited.

redden0t8 commented on 2013-02-08 13:52 (UTC)

Kyak, personally I never bothered as I have "PermitRootLogin no" in my sshd_config, although more layers can never hurt. I think I'm going to add it right now :) As a side note, an update to pambase changed the structure of the pam configuration files, there are now a few central files referenced by each package-specific file. You might want to look at sshd.pacnew and migrate over - although I don't know if there's really any advantage at this point anyways. Mine now looks like: #%PAM-1.0 auth required config=/etc/security/pam_abl.conf auth include system-login account include system-login password include system-login session include system-login

kyak commented on 2013-02-08 05:54 (UTC)

I'm just wondering, do you guys uncomment the line "auth required", which disables remote root and is commented by default in /etc/pam.d/sshd?

redden0t8 commented on 2013-01-02 20:55 (UTC)

I should note that a less-serious but related issue remains, which is why upstream has not released a new version yet. The issue is failure of the first attempt is not logged until a second attempt is made or the connection is closed. This means that long as the attacker only makes one attempt per connection, and never closes any connections, no failures are ever logged. In practice, the sshd_config settings "MaxStartups" (default 10) and to a lesser degree "LoginGraceTime" (default 120s) limit the viability of this approach, but it still could be used to squeeze out more attempts then you specify. In the meantime, the workaround is to set "MaxAuthTries" to 1 (or expect that an additional "MaxStartups" number of attempts could be made above and beyond what you specify in your pam_abl config).

redden0t8 commented on 2013-01-02 18:31 (UTC)

Thanks for the warning buergi. I've updated the pkgbuild to patch in the fix until upstream releases a new version. I did some quick tests on the resulting build and it now appears to function correctly.

kyak commented on 2012-12-21 20:05 (UTC)

Another question would be -why won't they release an updated version IMMEDIATELY?

kyak commented on 2012-12-21 20:04 (UTC)

God damnit, i should've paid more attention to those messages in log. Thank you buergi and thank myself for using several layers of protection (the second one being iptables rule to ban > 4 connect attempts in 60 seconds.

buergi commented on 2012-12-21 19:51 (UTC)

WARNING: this package is non-functional it does not block anything! The second try always succeeds even for blocked users/hosts. See bugreport BUG3564436 or the commit message of the fixing commit;a=commit;h=a7f04548a1e9d139e843a15e7c0cda785ffb6f61 I added a git version of the package to the AUR basing on this package, I recommend anyone to switch to pam_abl-git as long as no newer version than 0.5.0 is available!

redden0t8 commented on 2012-10-31 18:31 (UTC)

Fixed, thanks kyak.