


8.6.1.3. Automatic blacklisting of sites trying a brute-force password attack

The PAM module pam_abl.so from Fedora Extras provides the ability to blacklist (block access from) users and hosts that repeatedly send an incorrect password. This is useful in guarding against brute-force password attacks, where a remote system will simply try to log in over and over again with different password guesses until it is successful.

This module will not work successfully with gdm (graphical logins), so it must not be added to system-auth. To protect SSH logins (the best use of this module), add an entry for the pam_abl.so module to /etc/pam.d/sshd:

#%PAM-1.0
auth required pam_abl.so config=/etc/security/pam_abl.conf
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so


The file /etc/security/pam_abl.conf is installed by the pam_abl RPM and contains this configuration:

# /etc/security/pam_abl.conf
# debug
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d


The host_rule line controls which hosts may be blacklisted and the number of failed login attempts that must be registered before blacklisting; the default configuration specifies that any host (*) may be blacklisted for more than 10 login failures in one hour (10/1h), or more than 30 login failures in one day (30/1d). The user_rule line similarly blacklists any user except root (!root) who has 10 failed login attempts in one hour or 30 failed login attempts in one day.

The host_purge and user_purge lines configure how quickly a blacklist entry is revoked; the default for both is two days.
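The following is an added example, not code from the original text or from the pam_abl project: a small Python evaluator for the host_rule and user_rule lines described above, run against constructed failure timestamps. It assumes the text's reading that a trigger N/period fires on more than N failures, and it handles only the user specs shown here (*, !name, or a plain name); all function names are hypothetical.

```python
import re

# Unit suffixes: h and d appear in the config above; s and m are assumed here.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_rule(rule):
    """Split 'spec:N/period,N/period' into (spec, [(count, seconds), ...])."""
    spec, _, triggers = rule.partition(":")
    parsed = []
    for trig in triggers.split(","):
        m = re.fullmatch(r"(\d+)/(\d+)([smhd])", trig.strip())
        if not m:
            raise ValueError(f"bad trigger: {trig!r}")
        parsed.append((int(m.group(1)), int(m.group(2)) * UNITS[m.group(3)]))
    return spec.strip(), parsed

def spec_matches(spec, name):
    """Handle only the forms used on this page: '*', '!name', a plain name."""
    if spec == "*":
        return True
    if spec.startswith("!"):
        return name != spec[1:]
    return name == spec

def is_blocked(rule, name, failure_times, now):
    """True if the rule covers `name` and any trigger is exceeded.

    Assumption (from the text): N/period fires on MORE than N failures
    inside the trailing period.
    """
    spec, triggers = parse_rule(rule)
    if not spec_matches(spec, name):
        return False
    for count, window in triggers:
        recent = sum(1 for t in failure_times if now - window < t <= now)
        if recent > count:
            return True
    return False

# Constructed sample data: timestamps in seconds, with "now" at t=100000.
NOW = 100_000
burst = [NOW - 60 * i for i in range(11)]    # 11 failures within 11 minutes
slow = [NOW - 2700 * i for i in range(31)]   # 31 failures, one every 45 minutes

if __name__ == "__main__":
    for who, times in (("jane", burst), ("root", burst), ("jane", slow)):
        print(who, len(times), is_blocked("!root:10/1h,30/1d", who, times, NOW))
```

The slow series never exceeds the hourly trigger but still trips 30/1d, which is why the default rule pairs a short window with a long one.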

When a login failure is recorded, the pam_abl.so module updates its database. You can query the database using the pam_abl command:

# pam_abl
Failed users:
 
Failed hosts:
 


Initially, no failed login attempts are recorded. As login failures occur, pam_abl will count and report them (in parentheses):

# pam_abl
Failed users:
 jane (1)
  Not blocking
Failed hosts:
 darkday (1)
  Not blocking


Eventually, access from the host or user will be blocked:

# pam_abl
Failed users:
 jane (11)
  Blocking users [!root]
Failed hosts:
 darkday (11)
  Blocking users [*]


To re-enable access from a specific host or by a specific user, use the --okhost or --okuser arguments to pam_abl:

# pam_abl --okhost darkday
# pam_abl
Failed users:
 jane (11)
  Blocking users [!root]
Failed hosts:
 

