1PAM_ABL(8) Linux-PAM Manual PAM_ABL(8)
2
6 pam_abl - PAM Auto Blacklist Module
7
9 Provides auto blacklisting of hosts and users responsible for repeated
10 failed authentication attempts. Generally configured so that
11 blacklisted users still see normal login prompts but are guaranteed to
12 fail to authenticate.
13 This functionality is only available to services which call PAM as
15 root. If pam_abl is called for uid != 0 it will silently succeed.
16
18 Brute force password discovery attacks involve repeated attempts to
19 authenticate against a service using a dictionary of common passwords.
20 While it is desirable to enforce strong passwords for users this is not
21 always possible and in cases where a weak password has been used brute
22 force attacks can be effective.
23 The pam_abl module monitors failed authentication attempts and
25 automatically blacklists those hosts (and accounts) that are
26 responsible for large numbers of failed attempts. Once a host is
27 blacklisted it is guaranteed to fail authentication even if the correct
28 credentials are provided.
29 Blacklisting is triggered when the number of failed authentication
31 attempts in a particular period of time exceeds a predefined limit.
32 Hosts which stop attempting to authenticate will, after a period of
33 time, be un-blacklisted.
34 Commands can be specified which will be run when a host or user
36 switches state from being blocked to clear or clear to blocked. See
37 below or the pam_abl.conf(5) manpage for the details.
38 If pam_abl is called for uid != 0 it will silently succeed. If this was
40 not the case it would be possible for a malicious local user to poison
41 the pam_abl data by, for example, discovering the names of the hosts
42 from which root typically logs in and then constructing PAM
43 authentication code to lock out root login attempts from those hosts.
44
46 Name Arguments Description
47 debug None Enable debug output
49 to syslog.
50 expose_account None Ignored
52 no_warn None Disable warnings
54 which are otherwise
55 output to syslog.
56 try_first_pass None
57 Ignored
58 use_first_pass None Ignored
60 use_mapped_pass None Ignored
62 config Path to the The configuration
69 configuration file. file contains
70 additional
71 arguments. In order
72 for the pam_abl
73 command line tool
74 to work correctly
75 most of the
76 configuration
77 should be placed in
78 the config file
79 rather than being
80 provided by
81 arguments. The
82 format of the
83 config file is
84 described below.
85 limits Minimum and maximum It’s value should
87 number of attempts have the following
88 to keep. syntax
89 "<minimum>-<maximum>".
90 If you do not block
91 machines that do
92 too many attempts,
93 the db can easily
94 become bloated. To
95 prevent this we
96 introduced this
97 setting. As soon as
98 there are a
99 <maximum> number of
100 attempts for a
101 user/host, the
102 number of stored
103 attempts is reduced
104 to <minimum>. A
105 <maximum> of 0
106 means no limits.
107 Make sure that
108 <minimum> is larger
109 then any rule
110 specified. We
111 recommend a value
112 of "1000-1200".
113 db_home Directory for db Path to a directory
115 locking and logging where Berkeley DB can
116 files. place it’s locking and
117 logging files. Make
118 sure this dir is
119 writable.
120 host_db Path to host Path to the Berkeley
122 database file. DB which is used to
123 log the host
124 responsible for failed
125 authentication
126 attempts.
127 host_purge Purge time for the Defines how long
135 host database. failed hosts are
136 retained in the host
137 database. Defaults to
138 1 day.
139 host_rule Rule for host The rule (see below
141 blacklisting. for format) which
142 defines the conditions
143 under which a failed
144 hosts will be
145 blackisted.
146 host_whitelist Host that do not ;-seperated list of
148 need to be tracked. host that do not need
149 to be tracked. You can
150 specify single IP
151 addresses here or use
152 subnets. For example
153 1.1.1.1 or 1.1.1.1/24
154 host_blk_cmd Host block command Deprecated for
156 security reasons.
157 Please use
158 host_block_cmd
159 host_clr_cmd Host clear command Deprecated for
161 security reasons.
162 Please use
163 host_clear_cmd
164 host_block_cmd Host block command Command that should be
166 run when a host is
167 checked, and is
168 currently blocked.
169 Within the command,
170 the strings %u, %h and
171 %s are substituted
172 with username, host
173 and service. Not all
174 need to be used.
175 Please see the manpage
176 of pam_abl.conf for
177 the correct syntax.
178 host_clear_cmd Host clear command Command that should be
180 run when a host is
181 checked, and is
182 currently clear.
183 Within the command,
184 the strings %u, %h and
185 %s are substituted
186 with username, host
187 and service. Not all
188 need to be used.
189 Please see the manpage
190 of pam_abl.conf for
191 the correct syntax.
192 user_db Path to user Path to the Berkeley
201 database file. DB which is used to
202 log the user
203 responsible for failed
204 authentication
205 attempts.
206 user_purge Purge time for the Defines how long
208 user database. failed users are
209 retained in the user
210 database. Defaults to
211 1 day.
212 user_rule Rule for user The rule (see below
214 blacklisting. for format) which
215 defines the conditions
216 under which a failed
217 users will be
218 blackisted.
219 user_whitelist Users that do not ;-seperated list of
221 need to be tracked. users whose attempts
222 do not need to be
223 recorded. This does
224 not prevent the
225 machine they are using
226 from being blocked.
227 user_blk_cmd User block command Deprecated for
229 security reasons.
230 Please use
231 user_block_cmd
232 user_clr_cmd User clear command Deprecated for
234 security reasons.
235 Please use
236 clear_block_cmd
237 user_blk_cmd User block command Command that should be
239 run when a user is
240 checked, and is
241 currently blocked.
242 Within the command,
243 the strings %u, %h and
244 %s are substituted
245 with username, host
246 and service. Not all
247 need to be used.
248 user_clr_cmd User block command Command that should be
250 run when a user is
251 checked, and is
252 currently clear.
253 Within the command,
254 the strings %u, %h and
255 %s are substituted
256 with username, host
257 and service. Not all
258 need to be used.
259
262 Typically pam_abl.so is added to the auth stack as a required module
263 just before whatever modules actually peform authentication. Here’s a
264 fragment of the PAM config for a production server that is running
265 pam_abl:
266 auth required /lib/security/pam_env.so auth required
268 /lib/security/pam_abl.so config=/etc/security/pam_abl.conf auth
269 sufficient /lib/security/pam_unix.so likeauth nullok auth required
270 /lib/security/pam_deny.so
271 Although all of accepted arguments can be supplied here they will
273 usually be placed in a separate config file and linked to using the
274 config argument as in the above example. The pam_abl command line tool
275 reads the external config file (/etc/security/pam_abl.conf in this
276 case) to find the databases so in order for it work correctly an
277 external config should be used.
278
280 auth required /lib/security/pam_env.so
281 auth required /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
282 auth sufficient /lib/security/pam_unix.so likeauth nullok
283 auth required /lib/security/pam_deny.so
284
286 pam_abl.conf(5), pam_abl(1)
287
289 Lode Mertens <pam-abl@danta.be>
290 Andy Armstrong <andy@hexten.net>
292 Chris Tasma <pam-abl@deksai.com>
294
296 Chris Tasma
297 Author.
298GNU 07/25/2019 PAM_ABL(8)