Package Details: pam_abl 0.6.0-1

Git Clone URL: https://aur.archlinux.org/pam_abl.git (read-only)
Package Base: pam_abl
Description: Automated blacklisting on repeated failed authentication attempts
Upstream URL: http://pam-abl.sourceforge.net/
Licenses: GPL
Submitter: Mikos
Maintainer: redden0t8
Last Packager: redden0t8
Votes: 11
Popularity: 0.000000
First Submitted: 2005-09-03 00:37
Last Updated: 2015-06-16 14:50

Latest Comments

kyak commented on 2013-02-08 15:05

@redden0t8 yep, I also have "PermitRootLogin no" in sshd_config, and also uncommented the mentioned line in /etc/pam.d/sshd to disable remote root login.

Actually, the reason why I had that question is because I migrated to an updated pambase configuration. Mine looks like this now:

#%PAM-1.0
auth required pam_securetty.so #disable remote root
auth required pam_abl.so config=/etc/security/pam_abl.conf
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login

I figured I'd add the "disable remote root" line first, because I have excluded "root" account from blocking by pam_abl.

Just another thought: perhaps a wiki page has to be edited.

redden0t8 commented on 2013-02-08 13:52

Kyak, personally I never bothered as I have "PermitRootLogin no" in my sshd_config, although more layers can never hurt. I think I'm going to add it right now :)

As a side note, an update to pambase changed the structure of the pam configuration files, there are now a few central files referenced by each package-specific file. You might want to look at sshd.pacnew and migrate over - although I don't know if there's really any advantage at this point anyways. Mine now looks like:

#%PAM-1.0
auth required pam_abl.so config=/etc/security/pam_abl.conf
auth include system-login
account include system-login
password include system-login
session include system-login

kyak commented on 2013-02-08 05:54

I'm just wondering, do you guys uncomment the line "auth required pam_securetty.so", which disables remote root and is commented by default in /etc/pam.d/sshd?

redden0t8 commented on 2013-01-02 20:55

I should note that a less-serious but related issue remains, which is why upstream has not released a new version yet.

The issue is that failure of the first attempt is not logged until a second attempt is made or the connection is closed. This means that as long as the attacker only makes one attempt per connection, and never closes any connections, no failures are ever logged.

In practice, the sshd_config settings "MaxStartups" (default 10) and to a lesser degree "LoginGraceTime" (default 120s) limit the viability of this approach, but it still could be used to squeeze out more attempts than you specify.

In the meantime, the workaround is to set "MaxAuthTries" to 1 (or expect that an additional "MaxStartups" number of attempts could be made above and beyond what you specify in your pam_abl config).
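
A configuration check for the workaround described in the comment above, added here as an example (it is not part of the thread or of pam_abl). The sample file contents, the function names and the result keys are constructed for illustration; the MaxAuthTries default of 6 comes from sshd_config(5).

```python
import re

# Constructed sample files for the example (not taken from the thread).
SSHD_CONFIG = """\
PermitRootLogin no
MaxStartups 10:30:60
#MaxAuthTries 1
"""
PAM_SSHD = """\
#%PAM-1.0
auth required pam_abl.so config=/etc/security/pam_abl.conf
auth include system-remote-login
account include system-remote-login
"""
# MaxStartups default as quoted in the comment; MaxAuthTries default per sshd_config(5).
DEFAULTS = {"maxauthtries": "6", "maxstartups": "10"}
AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def sshd_settings(text):
    """Global keywords; sshd uses the first value it sees for each keyword."""
    found = {}
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # simplification: ignore per-connection Match blocks
            break
        if key and len(parts) == 2:
            found.setdefault(key, parts[1].strip())
    return {**DEFAULTS, **found}

def auth_stack(text):
    """Ordered (control, module) pairs of the auth lines in a pam.d file."""
    hits = (AUTH_LINE.match(l.split("#", 1)[0].strip()) for l in text.splitlines())
    return [m.groups() for m in hits if m]

def audit(sshd_text, pam_text):
    cfg, stack = sshd_settings(sshd_text), auth_stack(pam_text)
    tries = int(cfg["maxauthtries"])
    # "start:rate:full" form: connections are refused outright at "full".
    cap = int(cfg["maxstartups"].split(":")[-1])
    abl = [i for i, (_, mod) in enumerate(stack) if mod == "pam_abl.so"]
    inc = [i for i, (ctl, _) in enumerate(stack) if ctl in ("include", "substack")]
    return {
        "max_auth_tries": tries,
        # Per the comment: MaxAuthTries 1 is the workaround, else allow MaxStartups extra.
        "unlogged_attempt_budget": 0 if tries == 1 else cap,
        "pam_abl_in_auth_stack": bool(abl),
        "pam_abl_before_include": bool(abl) and (not inc or abl[0] < inc[0]),
    }

if __name__ == "__main__":
    for name, value in audit(SSHD_CONFIG, PAM_SSHD).items():
        print(f"{name}: {value}")
```

To check a live system, pass the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd to `audit()` instead of the sample strings.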

redden0t8 commented on 2013-01-02 18:31

Thanks for the warning buergi. I've updated the pkgbuild to patch in the fix until upstream releases a new version. I did some quick tests on the resulting build and it now appears to function correctly.

kyak commented on 2012-12-21 20:05

Another question would be - why won't they release an updated version IMMEDIATELY?

kyak commented on 2012-12-21 20:04

God damnit, I should've paid more attention to those messages in log.

Thank you buergi and thank myself for using several layers of protection (the second one being iptables rule to ban > 4 connect attempts in 60 seconds).

buergi commented on 2012-12-21 19:51

WARNING: this package is non-functional, it does not block anything! The second try always succeeds even for blocked users/hosts. See bugreport BUG3564436 or the commit message of the fixing commit http://pam-abl.git.sourceforge.net/git/gitweb.cgi?p=pam-abl/pam-abl;a=commit;h=a7f04548a1e9d139e843a15e7c0cda785ffb6f61

I added a git version of the package to the AUR based on this package, I recommend anyone to switch to pam_abl-git as long as no newer version than 0.5.0 is available!

redden0t8 commented on 2012-10-31 18:31

Fixed, thanks kyak.
