1PAM_ABL.CONF(5) Linux-PAM Manual PAM_ABL.CONF(5)
2
6 pam_abl.conf - Configuration file for pam_abl PAM module.
7
9 Configuration file for both the pam_abl(8) PAM module, and the
10 pam_abl(1) command line tool.
11
13 Syntax
14 word ::= /[^\s\|\/\*]+/
15 name ::= word | '*'
16 username ::= name
17 servicename ::= name
18 userservice ::= username
19 | username '/' servicename
20 namelist ::= userservice
21 | userservice '|' namelist
22 userspec ::= namelist
23 | '!' namelist
24 multiplier ::= 's' | 'm' | 'h' | 'd'
25 number ::= /\d+/
26 period ::= number
27 | number multiplier
28 trigger ::= number '/' period
29 triglist ::= trigger
30 | trigger ',' triglist
31 userclause ::= userspec ':' triglist
32 rule ::= userclause
33 | userclause /\s+/ rule
34 Rule syntax
36 Each rule consists of a number of space separated user clauses. A user
37 clause specifies the user (and service) names to match and a set of
38 triggers. A simple example would be
39 *:10/1h
41 which means block any user () if they are responsible for ten or more
43 failed authentication attempts in the last hour. In place of the which
44 matches any user a list of usernames can be supplied like this
45 root|dba|admin:10/1h
47 which means block the users root, dba and admin if they are responsible
49 for ten or more failed authentication attempts in the last hour. You
50 can also specify a service name to match against like this
51 root/sshd|dba/*:3/1d
53 which means block the users root for service 'sshd and dba for any
55 service if they are responsible for three or more failed authentication
56 attempts in the last day'. Finally you can specify multiple triggers
57 like this
58 root:10/1h,20/1d
60 which means 'block the user root if they are responsible for ten or
62 more failed attempts in the last hour or twenty or more failed attempts
63 in the last day.
64 Multiple rules can be provided separated by spaces like this
66 *:10/1h root:5/1h,10/1d
68 in which case all rules that match a particular user and service will
70 be checked. The user or host will be blocked if any of the rule
71 triggers matches. The sense of the user matching can be inverted by
72 placing a ! in front of the rule so that
73 !root:20/1d
75 is a rule which would match for all users apart from root. It is
77 important to treat root as a special case in the user_rule otherwise
78 excessive attempts to authenticate as root will result in the root
79 account being locked out even for valid holders of root credentials.
80 The config file can contain any arguments that would be supplied via
81 PAM config. In the config file arguments are placed on separate lines.
82 Comments may be included after a # and line continuation is possible by
83 placing a back slash at the end of the line to be continued. Here is a
84 sample /etc/security/pam_abl.conf:
85 # /etc/security/pam_abl.conf
87 debug
88 host_db=/var/lib/abl/hosts.db
89 host_purge=2d
90 host_rule=*:10/1h,30/1d
91 user_db=/var/lib/abl/users.db
92 user_purge=2d
93 user_rule=!root:10/1h,30/1d
94 All of the standard PAM arguments (debug, expose_account, no_warn,
96 try_first_pass, use_first_pass, use_mapped_pass) are accepted; with the
97 exception of debug and no_warn these are ignored.
98 The arguments that are specific to the PAM module are as follows:
100 db_home
102 Specify the directory where the Berkeley db can store it’s lock and
103 log files. Make sure this dir exists and is writable.
104 limits
106 It’s value should have the following syntax "<minimum>-<maximum>".
107 If you do not block machines that do too many attempts, the db can
108 easily become bloated. To prevent this we introduced this setting.
109 As soon as there are a <maximum> number of attempts for a
110 user/host, the number of stored attempts for this user/host is
111 reduced to <minimum>. A <maximum> of 0 means no limits. Make sure
112 that <minimum> is larger then any rule specified. We recommend a
113 value of "1000-1200".
114 host_db, user_db
116 Specify the name of the databases that will be used to log failed
117 authentication attempts. The host database is used to log the
118 hostname responsible for a failed auth and the user database is
119 used to log the requested username. If host_db or user_db is
120 omitted the corresponding auto blacklisting will be disabled.
121 host_purge, user_purge
123 Specify the length of time for which failed attempts should be kept
124 in the databases. For rules to work correctly this must be at least
125 as long as the longest period specified in a corresponding rule.
126 You may wish to retain information about failed attempts for longer
127 than this so that the pam_abl command line tool can report
128 information over a longer period of time. The format for this item
129 is a number with an optional multiplier suffix, s, m, h or d which
130 correspond with seconds, minutes, hours and days. To specify seven
131 days for example one would use 7d. Note that in normal operation
132 pam_abl will only purge the logged data for a particular host or
133 user if it happens to be updating it, i.e. if that host or user
134 makes another failed attempt. To purge all old entries the pam_abl
135 command line tool should be used.
136 host_rule, user_rule
138 These are the rules which determine the circumstances under which
139 accounts are auto-blacklisted. The host_rule is used to block
140 access to hosts that are responsible for excessive authentication
141 failures and the user_rule is used to disable accounts for which
142 there have been excessive authentication failures. The rule syntax
143 is described in full below.
144 host_clr_cmd, host_blk_cmd, user_clr_cmd, user_blk_cmd
146 Deprecated for security reasons. Please use the corresponding safer
147 option: host_clear_cmd, host_block_cmd, user_clear_cmd,
148 user_block_cmd
149 host_clear_cmd, host_block_cmd, user_clear_cmd, user_block_cmd
151 These specify commands that will run during a check when an item
152 switches state since its last check.
153 host_clear_cmd and user_clear_cmd will run if the host or user is
155 currently allowed access. host_block_cmd and user_block_cmd are run
156 if the host or user is currently being blocked by their respective
157 rules.
158 Within the commands, you can specify substitutions with %h, %u and
160 %s, which will be replace with the host name, user name and service
161 currently being checked. For security reasons we do not run the
162 command using the system call. We use the more secure fork/exec
163 solution. This means that you can’t specify input and output
164 redirections.
165 Note that this also means that no escaping is done, so if you call
167 a shell here, you might introduce a security problem.
168 The commands should follow a special syntax (you can use the
170 command line tool with the -d option to test the parsing of your
171 commands) where the command and it’s different arguments need to be
172 enclosed in [] and all text not enclosed in [] is simply ignored.
173 For example: "[/usr/bin/logger] ignored [block] [user] [%u]" will
174 run the command "/usr/bin/logger block user <current user>". If you
175 want to specify a [, ] or \, you need to escape them with a \.
176 host_whitelist, user_whitelist
178 ;-seperated list of hosts/users whose attempts will not be
179 recorded. So if an attempt is made from "10.10.10.10" for user
180 "root" and "root" is in the whitelist, only an attempt for his
181 machine is recorded. If a user is whitelisted, this does not
182 prevent his machine from being blocked. Hosts can be specified
183 using their IP (1.1.1.1) or using a netmask (1.1.1.1/24)
184
186 # /etc/security/pam_abl.conf
187 debug
188 host_db=/var/lib/abl/hosts.db
189 host_purge=2d
190 host_rule=*:10/1h,30/1d
191 host_block_cmd=[/sbin/iptables] [-I] [INPUT] [-s] [%h] [-j] [DROP]
192 user_db=/var/lib/abl/users.db
193 user_purge=2d
194 user_rule=!root:10/1h,30/1d
195 user_clear_cmd=[/usr/bin/logger] [block] [user] [%u]
196
198 pam_abl.conf(5), pam_abl(1)
199
201 Lode Mertens <pam-abl@danta.be>
202 Andy Armstrong <andy@hexten.net>
204 Chris Tasma <pam-abl@deksai.com>
206
208 Chris Tasma
209 Author.
210GNU 07/22/2022 PAM_ABL.CONF(5)