1PAM_ABL(8)                     Linux-PAM Manual                     PAM_ABL(8)
2
3
4

NAME

6       pam_abl - PAM Auto Blacklist Module
7

SYNOPSIS

9       Provides auto blacklisting of hosts and users responsible for repeated
10       failed authentication attempts. Generally configured so that
11       blacklisted users still see normal login prompts but are guaranteed to
12       fail to authenticate.
13
14       This functionality is only available to services which call PAM as
15       root. If pam_abl is called for uid != 0 it will silently succeed.
16

DESCRIPTION

18       Brute force password discovery attacks involve repeated attempts to
19       authenticate against a service using a dictionary of common passwords.
20       While it is desirable to enforce strong passwords for users this is not
21       always possible and in cases where a weak password has been used brute
22       force attacks can be effective.
23
24       The pam_abl module monitors failed authentication attempts and
25       automatically blacklists those hosts (and accounts) that are
26       responsible for large numbers of failed attempts. Once a host is
27       blacklisted it is guaranteed to fail authentication even if the correct
28       credentials are provided.
29
30       Blacklisting is triggered when the number of failed authentication
31       attempts in a particular period of time exceeds a predefined limit.
32       Hosts which stop attempting to authenticate will, after a period of
33       time, be un-blacklisted.
34
35       Commands can be specified which will be run when a host or user
36       switches state from being blocked to clear or clear to blocked. See
37       below or the pam_abl.conf(5) manpage for the details.
38
39       If pam_abl is called for uid != 0 it will silently succeed. If this was
40       not the case it would be possible for a malicious local user to poison
41       the pam_abl data by, for example, discovering the names of the hosts
42       from which root typically logs in and then constructing PAM
43       authentication code to lock out root login attempts from those hosts.
44

OPTIONS

46       Name              Arguments             Description
47
48       debug             None                  Enable debug output
49                                               to syslog.
50
51       expose_account    None                  Ignored
52
53       no_warn           None                  Disable warnings
54                                               which are otherwise
55                                               output to syslog.
56                                               try_first_pass None
57                                               Ignored
58
59       use_first_pass    None                  Ignored
60
61       use_mapped_pass   None                  Ignored
62
63
64
65
66
67
68       config            Path to the           The configuration
69                         configuration file.   file contains
70                                               additional
71                                               arguments. In order
72                                               for the pam_abl
73                                               command line tool
74                                               to work correctly
75                                               most of the
76                                               configuration
77                                               should be placed in
78                                               the config file
79                                               rather than being
80                                               provided by
81                                               arguments. The
82                                               format of the
83                                               config file is
84                                               described below.
85
86       limits            Minimum and maximum   It’s value should
87                         number of attempts    have the following
88                         to keep.              syntax
89                                               "<minimum>-<maximum>".
90                                               If you do not block
91                                               machines that do
92                                               too many attempts,
93                                               the db can easily
94                                               become bloated. To
95                                               prevent this we
96                                               introduced this
97                                               setting. As soon as
98                                               there are a
99                                               <maximum> number of
100                                               attempts for a
101                                               user/host, the
102                                               number of stored
103                                               attempts is reduced
104                                               to <minimum>. A
105                                               <maximum> of 0
106                                               means no limits.
107                                               Make sure that
108                                               <minimum> is larger
109                                               then any rule
110                                               specified. We
111                                               recommend a value
112                                               of "1000-1200".
113
114       db_home           Directory for db      Path to a directory
115                         locking and logging   where Berkeley DB can
116                         files.                place it’s locking and
117                                               logging files. Make
118                                               sure this dir is
119                                               writable.
120
121       host_db           Path to host          Path to the Berkeley
122                         database file.        DB which is used to
123                                               log the host
124                                               responsible for failed
125                                               authentication
126                                               attempts.
127
128
129
130
131
132
133
134       host_purge        Purge time for the    Defines how long
135                         host database.        failed hosts are
136                                               retained in the host
137                                               database. Defaults to
138                                               1 day.
139
140       host_rule         Rule for host         The rule (see below
141                         blacklisting.         for format) which
142                                               defines the conditions
143                                               under which a failed
144                                               hosts will be
145                                               blackisted.
146
147       host_whitelist    Host that do not      ;-seperated list of
148                         need to be tracked.   host that do not need
149                                               to be tracked. You can
150                                               specify single IP
151                                               addresses here or use
152                                               subnets. For example
153                                               1.1.1.1 or 1.1.1.1/24
154
155       host_blk_cmd      Host block command    Deprecated for
156                                               security reasons.
157                                               Please use
158                                               host_block_cmd
159
160       host_clr_cmd      Host clear command    Deprecated for
161                                               security reasons.
162                                               Please use
163                                               host_clear_cmd
164
165       host_block_cmd    Host block command    Command that should be
166                                               run when a host is
167                                               checked, and is
168                                               currently blocked.
169                                               Within the command,
170                                               the strings %u, %h and
171                                               %s are substituted
172                                               with username, host
173                                               and service. Not all
174                                               need to be used.
175                                               Please see the manpage
176                                               of pam_abl.conf for
177                                               the correct syntax.
178
179       host_clear_cmd    Host clear command    Command that should be
180                                               run when a host is
181                                               checked, and is
182                                               currently clear.
183                                               Within the command,
184                                               the strings %u, %h and
185                                               %s are substituted
186                                               with username, host
187                                               and service. Not all
188                                               need to be used.
189                                               Please see the manpage
190                                               of pam_abl.conf for
191                                               the correct syntax.
192
193
194
195
196
197
198
199
200       user_db           Path to user          Path to the Berkeley
201                         database file.        DB which is used to
202                                               log the user
203                                               responsible for failed
204                                               authentication
205                                               attempts.
206
207       user_purge        Purge time for the    Defines how long
208                         user database.        failed users are
209                                               retained in the user
210                                               database. Defaults to
211                                               1 day.
212
213       user_rule         Rule for user         The rule (see below
214                         blacklisting.         for format) which
215                                               defines the conditions
216                                               under which a failed
217                                               users will be
218                                               blackisted.
219
220       user_whitelist    Users that do not     ;-seperated list of
221                         need to be tracked.   users whose attempts
222                                               do not need to be
223                                               recorded. This does
224                                               not prevent the
225                                               machine they are using
226                                               from being blocked.
227
228       user_blk_cmd      User block command    Deprecated for
229                                               security reasons.
230                                               Please use
231                                               user_block_cmd
232
233       user_clr_cmd      User clear command    Deprecated for
234                                               security reasons.
235                                               Please use
236                                               clear_block_cmd
237
238       user_blk_cmd      User block command    Command that should be
239                                               run when a user is
240                                               checked, and is
241                                               currently blocked.
242                                               Within the command,
243                                               the strings %u, %h and
244                                               %s are substituted
245                                               with username, host
246                                               and service. Not all
247                                               need to be used.
248
249       user_clr_cmd      User block command    Command that should be
250                                               run when a user is
251                                               checked, and is
252                                               currently clear.
253                                               Within the command,
254                                               the strings %u, %h and
255                                               %s are substituted
256                                               with username, host
257                                               and service. Not all
258                                               need to be used.
259
260

USAGE

262       Typically pam_abl.so is added to the auth stack as a required module
263       just before whatever modules actually peform authentication. Here’s a
264       fragment of the PAM config for a production server that is running
265       pam_abl:
266
267       auth required /lib/security/pam_env.so auth required
268       /lib/security/pam_abl.so config=/etc/security/pam_abl.conf auth
269       sufficient /lib/security/pam_unix.so likeauth nullok auth required
270       /lib/security/pam_deny.so
271
272       Although all of accepted arguments can be supplied here they will
273       usually be placed in a separate config file and linked to using the
274       config argument as in the above example. The pam_abl command line tool
275       reads the external config file (/etc/security/pam_abl.conf in this
276       case) to find the databases so in order for it work correctly an
277       external config should be used.
278

EXAMPLES

280           auth required /lib/security/pam_env.so
281           auth required /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
282           auth sufficient /lib/security/pam_unix.so likeauth nullok
283           auth required /lib/security/pam_deny.so
284

SEE ALSO

286       pam_abl.conf(5), pam_abl(1)
287

AUTHORS

289       Lode Mertens <pam-abl@danta.be>
290
291       Andy Armstrong <andy@hexten.net>
292
293       Chris Tasma <pam-abl@deksai.com>
294

AUTHOR

296       Chris Tasma
297           Author.
298
299
300
301GNU                               01/20/2022                        PAM_ABL(8)
Impressum