Tip of the Trade: Meet PAM
We've talked a lot about tools for cutting off brute-force login attacks recently, such as DenyHosts and Fail2ban. And here we are again, with yet another one. Why so many? Because each one is a bit different and meets different needs. DenyHosts and Fail2ban prevent offending hosts from getting to a login prompt.
Today's Tip uses PAM (Pluggable Authentication Modules), which is the core Linux authentication mechanism, to lock out offending hosts. Like DenyHosts and Fail2ban, PAM monitors failed authentication attempts, and once the criteria you've configured are met, it blocks the bad hosts even if they present good credentials. This prevents an attacker who guesses the correct login and password from logging in.
Making this work requires the PAM Auto-blacklist module, or pam_abl, by Andy Armstrong. pam_abl has a few rough edges: you need to compile it from source code, and you must first edit two Makefiles (the one in the distribution directory and the one in the tools directory) to include the correct file paths for your system. These are very short Makefiles and it's easy to see what needs to be changed, as this example shows:
OBJ=pam_abl.o log.o config.o rule.o
Then run these commands from the distribution directory to install it:
# make install
# cp conf/pam_abl.conf /etc/security
Then use it with your auth statements in your /etc/pam.d/ files:
auth required /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
The pam_abl configuration file, /etc/security/pam_abl.conf, comes with a default configuration that is fine for testing. It uses the standard PAM configuration options and commands, so it's easy to modify. See the pam_abl manual page for instructions, and learn more about PAM with "Pulling The Covers Off Linux PAM."
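The lockout behavior described above, modeled as an added Python example (not pam_abl's code and not from the original article): failures are counted per host against count/period thresholds, and a host over a threshold is refused even when it presents the right password. The "3/1h" trigger string, the count/period syntax as parsed here, the purge time, and all class and function names are assumptions for illustration; the real rule syntax is in the pam_abl manual page.

```python
# Added example: simplified model of auto-blacklisting, not pam_abl's source.
import re
from collections import defaultdict

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_triggers(spec):
    """Turn an assumed 'count/period' list such as '10/1h,30/1d' into tuples."""
    triggers = []
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)/(\d+)([smhd])", part.strip())
        if not m:
            raise ValueError(f"bad trigger: {part!r}")
        triggers.append((int(m.group(1)), int(m.group(2)) * UNITS[m.group(3)]))
    return triggers

class AutoBlacklist:
    def __init__(self, spec, purge_after):
        self.triggers = parse_triggers(spec)
        self.purge_after = purge_after       # seconds a failure is remembered
        self.failures = defaultdict(list)    # host -> failure timestamps

    def is_blocked(self, host, now):
        # Drop failures older than the purge time, then test every trigger.
        recent = [t for t in self.failures[host] if now - t <= self.purge_after]
        self.failures[host] = recent
        return any(sum(1 for t in recent if now - t <= window) >= count
                   for count, window in self.triggers)

    def authenticate(self, host, password_ok, now):
        # The blacklist is consulted before the credentials, so a blocked
        # host is refused even when the password it presents is correct.
        if self.is_blocked(host, now):
            return "blocked"
        if not password_ok:
            self.failures[host].append(now)
            return "failed"
        return "ok"

def demo():
    abl = AutoBlacklist("3/1h", purge_after=2 * 86400)  # constructed thresholds
    host = "192.0.2.10"                                 # constructed address
    results = [abl.authenticate(host, False, now=t) for t in (0, 10, 20)]
    results.append(abl.authenticate(host, True, now=30))    # correct password, refused
    results.append(abl.authenticate(host, True, now=4000))  # failures left the 1h window
    return results

if __name__ == "__main__":
    print(demo())
```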
Carla Schroder's Tip of the Trade appears every Tuesday.