Tip of the Trade: Meet PAM

by Carla Schroder

Use Pluggable Authentication Modules (aka PAM) to block brute-force attacks.

We've talked a lot about tools for cutting off brute-force login attacks recently, such as DenyHosts and Fail2ban. And here we are again, with yet another one. Why so many? Because each one is a bit different and meets different needs. DenyHosts and Fail2ban prevent offending hosts from getting to a login prompt.

Today's Tip uses PAM (Pluggable Authentication Modules), which is the core Linux authentication mechanism, to lock out offending hosts. Like DenyHosts and Fail2ban, PAM monitors failed authentication attempts. Once those failures meet the criteria you've configured, it blocks the bad hosts even if they present good credentials. This prevents an attacker who guesses the correct login and password from logging in.

Making this work requires the PAM Auto-blacklist module, or pam_abl, by Andy Armstrong. pam_abl has a few rough edges: You need to compile it from source code, and you must first edit two Makefiles, the one in the distribution directory and the one in the tools directory, to include the correct file paths for your system. These are very short Makefiles and it's easy to see what needs to be changed, as this example shows:

    LIBS=-ldb -lpthread
    OBJ=pam_abl.o log.o config.o rule.o

Then run these commands from the distribution directory to install it:

    # make install
    # cp conf/pam_abl.conf /etc/security

Then use it with your auth statements in your /etc/pam.d/ files:

    auth  required  /lib/security/pam_abl.so config=/etc/security/pam_abl.conf

The pam_abl configuration file, /etc/security/pam_abl.conf, comes with a default configuration that is fine for testing. It uses the standard PAM configuration options and commands, so it's easy to modify. See the pam_abl manual page for instructions, and learn more about PAM with Pulling The Covers Off Linux PAM.
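
Where the pam_abl line sits in the auth stack matters: a `sufficient` module that succeeds ends the stack immediately, so a pam_abl line placed after it is never consulted when the password is correct. The following check is an added example, not part of the original article or of pam_abl; the two sample stacks are constructed, and the module names other than pam_abl.so are typical Linux-PAM modules assumed for illustration.

```python
import re

# Constructed sample stacks (not from the article).
MISORDERED = """\
auth  sufficient  pam_unix.so nullok
auth  required    /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
auth  required    pam_deny.so
"""
ORDERED = """\
# pam_abl runs first, so every attempt passes through the blacklist check
auth  required    /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
auth  sufficient  pam_unix.so nullok
auth  required    pam_deny.so
"""

# type, control (plain word or [bracketed] form), module path, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_entries(text):
    """Yield (control, module) for each auth line, skipping comments."""
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth":
            yield m.group(2), m.group(3)

def check_stack(text):
    """Return a list of findings; an empty list means the placement looks sound."""
    findings, seen_abl, early_exit = [], False, []
    for control, module in auth_entries(text):
        if module.endswith("pam_abl.so"):
            seen_abl = True
            if control not in ("required", "requisite"):
                findings.append(f"pam_abl is '{control}'; a blacklist hit may not fail the stack")
            if early_exit:
                findings.append("may short-circuit before pam_abl: " + ", ".join(early_exit))
        # Heuristic: 'sufficient' or a [success=...] control can end or skip
        # part of the stack on success, before pam_abl is reached.
        elif not seen_abl and (control == "sufficient" or "success=" in control):
            early_exit.append(module)
    if not seen_abl:
        findings.append("no pam_abl line in the auth stack")
    return findings

if __name__ == "__main__":
    for name, stack in (("misordered", MISORDERED), ("ordered", ORDERED)):
        print(name, "->", check_stack(stack) or "ok")
```

Run it against a copy of a file from /etc/pam.d/ by passing the file's text to `check_stack()`; lines pulled in through `@include` are not followed.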

Carla Schroder's Tip of the Trade appears every Tuesday.

This article was originally published on Tuesday Aug 22nd 2006