Brute-force login prevention via pam_abl

pam_abl (the PAM auto blacklist module) is a great way to protect against brute-force attacks. It works by keeping track of failed login attempts and blacklisting hosts (and/or users) that exceed a specified number of failed logins. This will not actually prevent them from ATTEMPTING to log in, but even if they enter the correct password after being blacklisted, they will be denied access (the upshot of this is that it gives no indication that they have been blacklisted, and as long as they continue attempting to log in, they will ensure that they remain blacklisted). It works for anything that uses PAM authentication (generally ftp, mail, and shell access).

I've had great luck installing via rpm (you should be able to find them on your favorite rpm repository... Dag Wieers' repository or rpmfind.net are both useful!), using the appropriate FC version on RHEL. I imagine that if you have a desire to install via tarball, you can probably figure out the installation yourself, as it's not very challenging.

After downloading and installing the appropriate rpm, you'll need to edit your PAM config to include pam_abl. I recommend adding the following line to /etc/pam.d/system-auth:

    auth        required      /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf

e.g.

    #%PAM-1.0
    auth        required      /lib/security/$ISA/pam_env.so
    auth        required      /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        required      /lib/security/$ISA/pam_deny.so
    account     required      /lib/security/$ISA/pam_unix.so
    password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/$ISA/pam_deny.so
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so

Note that the location in the config file DOES make a difference! pam_abl must sit before the "sufficient" pam_unix line: if it came after, a blacklisted host that supplies the correct password would be accepted by pam_unix and the auth stack would finish before pam_abl ever ran.

Then edit /etc/security/pam_abl.conf to contain the appropriate configuration (see the documentation for full details). Here is a simple config:

    host_db=/var/lib/abl/hosts.db
    host_purge=7d
    host_rule=*:4/1h,7/1d
    user_db=/var/lib/abl/users.db
    user_purge=7d
    user_rule=!jon:3/1h,3/1d

This will blacklist any host with 4 failed login attempts in 1 hour, or 7 failed login attempts in one day, and keep them blacklisted for 1 day after the last failed login attempt. It will also blacklist any user with 3 failed logins in one day (other than the 'jon' user). These numbers can obviously be changed to fit your needs. You can view information on attacks and denied users/hosts with the 'pam_abl' command ('pam_abl --help' gives you good info on usage).
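To make the rule syntax above concrete, here is an added example (not pam_abl's own code) that parses rules in the form used on this page ("*:4/1h,7/1d", "!jon:3/1h,3/1d") and evaluates them against constructed failure timestamps. It assumes the simple reading of "count/period" as "at least count failures within the trailing period" and handles only the single-subject and "*" forms shown here.

```python
import re
from datetime import datetime, timedelta

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_period(text):
    """'1h' -> timedelta(hours=1); accepts s, m, h, d suffixes."""
    m = re.fullmatch(r"(\d+)([smhd])", text)
    if not m:
        raise ValueError(f"bad period: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNITS[m.group(2)])

def parse_rule(rule):
    """'!jon:3/1h,3/1d' -> ('jon', True, [(3, 1h), (3, 1d)])."""
    subject, triggers_text = rule.split(":", 1)
    negate = subject.startswith("!")          # '!' excludes the named subject
    triggers = []
    for trig in triggers_text.split(","):
        count, period = trig.split("/")
        triggers.append((int(count), parse_period(period)))
    return subject.lstrip("!"), negate, triggers

def is_blacklisted(rule, name, failures, now):
    """True if any 'count/period' trigger is met by failures in (now-period, now]."""
    subject, negate, triggers = parse_rule(rule)
    matched = subject == "*" or subject == name
    if matched == negate:                     # rule does not cover this name
        return False
    return any(sum(1 for t in failures if now - period < t <= now) >= count
               for count, period in triggers)

def purge(failures, purge_after, now):
    """Drop records older than host_purge/user_purge (e.g. '7d')."""
    return [t for t in failures if now - t <= parse_period(purge_after)]

# Constructed sample data (not real logs): failure times relative to NOW.
NOW = datetime(2024, 1, 1, 12, 0, 0)
HOST_RULE, USER_RULE = "*:4/1h,7/1d", "!jon:3/1h,3/1d"

def ago(**kw):
    return NOW - timedelta(**kw)

def demo():
    slow = [ago(hours=h) for h in (1, 4, 7, 10, 13, 16, 19)]   # 7 spread over a day
    burst = [ago(minutes=m) for m in (2, 5, 9, 14)]            # 4 within an hour
    quiet = [ago(minutes=m) for m in (2, 5, 9)] + [ago(days=9)]
    return {
        "slow_host": is_blacklisted(HOST_RULE, "203.0.113.7", slow, NOW),   # 7/1d hit
        "burst_host": is_blacklisted(HOST_RULE, "203.0.113.8", burst, NOW), # 4/1h hit
        "quiet_host": is_blacklisted(HOST_RULE, "203.0.113.9", quiet, NOW), # neither
        "jon": is_blacklisted(USER_RULE, "jon", burst, NOW),                # excluded
        "alice": is_blacklisted(USER_RULE, "alice", slow[:3], NOW),         # 3/1d hit
        "kept_after_purge": len(purge(quiet, "7d", NOW)),                   # drops 9d-old
    }
```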