Bug#333081: libpam-abl ITP (update)
OK. Note the debug output for pam_abl on my amd64 system:
DEBUG: /etc/security/pam_abl.conf: host_db=/var/lib/libpam-abl/hosts.db
DEBUG: /etc/security/pam_abl.conf: host_purge=2d
DEBUG: /etc/security/pam_abl.conf: host_rule=*:10/1h,30/1d
DEBUG: /etc/security/pam_abl.conf: user_db=/var/lib/libpam-abl/users.db
DEBUG: /etc/security/pam_abl.conf: user_purge=2d
DEBUG: /etc/security/pam_abl.conf: user_rule=!root:10/1h,30/1d
Failed users:
admin (1)
DEBUG: matchperiod(0x50a380, 1, '10/1h,30/1d')
DEBUG: count is 10, **rp='/'
DEBUG: period is 3600, **rp=','
DEBUG: Checking 10/3600
DEBUG: howmany(3600) = 0
DEBUG: matchperiod(0x50a380, 1, '30/1d')
DEBUG: count is 30, **rp='/'
DEBUG: period is 86400, **rp=''
DEBUG: Checking 30/86400
DEBUG: howmany(86400) = 0
Not blocking
root (34)
DEBUG: matchperiod(0x50a400, 34, '10/1h,30/1d')
DEBUG: count is 10, **rp='/'
DEBUG: period is 3600, **rp=','
DEBUG: Checking 10/3600
DEBUG: howmany(3600) = 0
DEBUG: matchperiod(0x50a400, 34, '30/1d')
DEBUG: count is 30, **rp='/'
DEBUG: period is 86400, **rp=''
DEBUG: Checking 30/86400
DEBUG: howmany(86400) = 0
Not blocking
Failed hosts:
221.0.185.126 (35)
DEBUG: matchperiod(0x50a380, 35, '10/1h,30/1d')
DEBUG: count is 10, **rp='/'
DEBUG: period is 3600, **rp=','
DEBUG: Checking 10/3600
DEBUG: howmany(3600) = 0
DEBUG: matchperiod(0x50a380, 35, '30/1d')
DEBUG: count is 30, **rp='/'
DEBUG: period is 86400, **rp=''
DEBUG: Checking 30/86400
DEBUG: howmany(86400) = 0
Not blocking
So, it looks like host 221.0.185.126 attempted to break in with 35
attempts, one to admin and 34 to root. My limits are actually quite
high given the attack pattern. It's possible that this host spaced
the attack out over a few days. I'll have to check the auth logs to
verify. Note, though, that "admin" was accounted for, even though it
doesn't exist on the system.
$ id admin
id: admin: No such user
My sshd_config file has "UsePAM yes" in the last stack, but doesn't
have any AllowedUsers or AllowedGroups specified and
"PasswordAuthentication no" is set.
My pam stack for ssh is:
# Standard Un*x authentication.
auth required pam_abl.so config=/etc/security/pam_abl.conf
@include common-auth
(Oh, and I take it back. I actually did write up a manpage for the
command-line utility, transliterating it from the HTML page provided
by upstream. I hadn't gotten to the point of making the pam_abl.so.5
page.)
As far as purging is concerned, a cron job can be created to perform
the purge on a daily or sub-daily basis. Autopurge isn't necessarily
needed. For performance reasons, I wouldn't care to have it do so
anyway. A unix-socket daemon that accepts events from the pam_abl.so
module might be a good way to add this functionality without incurring
a performance/latency hit during authentication.
--
Chad Walstrom <chewie@wookimus.net> http://www.wookimus.net/
assert(expired(knowledge)); /* core dump */
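Added example (not pam_abl's own code and not part of the bug report): a small C model of the rule evaluation visible in the debug output above, where a rule body such as "10/1h,30/1d" is split into count/period clauses and howmany(period) counts the failures that fall inside each window. The period suffixes s/m/h/d, the "block when failures reach count within period" semantics, and the sample failure timestamps are assumptions made here for illustration; the "rp" pointer mirrors the parser position printed as **rp in the debug lines.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* One "count/period" clause of a rule, e.g. "10/1h" -> {10, 3600}. */
typedef struct { long count; long period; } abl_clause;

/* Convert a period token such as "1h" or "2d" into seconds. Suffixes
   s/m/h/d are an assumption of this example; a bare number means seconds.
   Returns -1 on a malformed token and leaves *end at the first unparsed char. */
static long period_seconds(const char *tok, const char **end) {
    char *p;
    long n = strtol(tok, &p, 10);
    long mult = 1;
    if (p == tok || n < 0) return -1;
    switch (*p) {
        case 's': mult = 1;     p++; break;
        case 'm': mult = 60;    p++; break;
        case 'h': mult = 3600;  p++; break;
        case 'd': mult = 86400; p++; break;
        default: break;
    }
    *end = p;
    return n * mult;
}

/* Parse a rule body "10/1h,30/1d" into clauses, walking rp the way the
   debug output shows ('/' after the count, ',' or '\0' after the period).
   Returns the number of clauses, or -1 on a syntax error. */
int parse_rule(const char *rule, abl_clause *out, int max) {
    const char *rp = rule;
    int n = 0;
    while (*rp) {
        char *p;
        const char *end;
        long count, period;
        if (n >= max) return -1;
        count = strtol(rp, &p, 10);
        if (p == rp || *p != '/') return -1;
        rp = p + 1;
        period = period_seconds(rp, &end);
        if (period < 0) return -1;
        out[n].count = count;
        out[n].period = period;
        n++;
        rp = end;
        if (*rp == ',') rp++;
        else if (*rp != '\0') return -1;
    }
    return n;
}

/* Period (seconds) of the i-th clause of a rule, or -1 if absent/invalid. */
long clause_period(const char *rule, int i) {
    abl_clause cl[8];
    int n = parse_rule(rule, cl, 8);
    return (n < 0 || i >= n) ? -1 : cl[i].period;
}

/* Count failures inside the last `period` seconds before `now`
   (the role howmany() plays in the debug output). */
long howmany(const time_t *fails, int nfails, long period, time_t now) {
    long c = 0;
    for (int i = 0; i < nfails; i++)
        if (fails[i] > now - period && fails[i] <= now) c++;
    return c;
}

/* 1 if any clause's threshold is reached inside its window, 0 if not,
   -1 if the rule does not parse. */
int should_block(const char *rule, const time_t *fails, int nfails, time_t now) {
    abl_clause cl[8];
    int n = parse_rule(rule, cl, 8);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++)
        if (howmany(fails, nfails, cl[i].period, now) >= cl[i].count) return 1;
    return 0;
}

/* Constructed sample: 35 failures, one every 3 hours over about 4 days.
   This is the "spaced out" pattern that leaves howmany() at 0 for the
   1h window and well under 30 for the 1d window. */
int demo_spread(void) {
    time_t now = 1000000, fails[35];
    for (int i = 0; i < 35; i++) fails[i] = now - (time_t)(i + 1) * 3 * 3600;
    return should_block("10/1h,30/1d", fails, 35, now);
}

/* Constructed sample: 12 failures within the last minute, which trips 10/1h. */
int demo_burst(void) {
    time_t now = 1000000, fails[12];
    for (int i = 0; i < 12; i++) fails[i] = now - (time_t)(i + 1);
    return should_block("10/1h,30/1d", fails, 12, now);
}

int main(void) {
    printf("spread out over days: block=%d\n", demo_spread());
    printf("burst in one minute:  block=%d\n", demo_burst());
    return 0;
}
```

The first sample reproduces the situation in the report: a large total count (35) that never reaches either threshold because the attempts are spread across days, so the module answers "Not blocking". The second shows the same rule blocking as soon as ten failures land inside one hour.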