Using PAM to Block Brute Force Attacks

3-minute read

The idea to use PAM (Pluggable Authentication Modules for Linux) to block brute force attacks sounds like a good idea, right? After all, we are using PAM for most of the authentications mechanisms, so adding a module to check against repeated failures would be great. Surprisingly even if this sounded like something normal, I found only one PAM module that was written for this purpose. This is called pam_abl and you can find it here: http://hexten.net/pam_abl

In order to use pam_abl we first need to install it on our system. Unfortunately this is not available in any Linux distribution as a precompiled package, so the only way to install it is from sources. The installation is not complicated just that this will make updates more complicated. Let me show you the steps needed to install pam_abl on Debian (on other distributions it should be similar with some paths changed).

First we need to download the source from: http://sourceforge.net/project/showfiles.php?group_id=148927 We need to have pam and libdb development libraries in order to compile the module. In case you don’t have them already on Debian install them using:

apt-get install libpam0g-dev libdb4.4-dev

Now all we have to do is compile the module after uncompressing it in a temporary folder:

make install

and copy the sample configuration file to /etc/security/:

cp conf/pam_abl.conf /etc/security

That’s it… Not complicated at all. Now in order to show you how this module can block brute force attacks against ssh I have added to my ssh pam config a line to call the pam_abl module. After this the file looks like:

# /etc/pam.d/ssh:
auth       required     pam_env.so # [1]
auth    required        /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
@include common-auth
@include common-account
@include common-session
##session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
@include common-password

I have changed the configuration file (pam_abl.conf) to block only offending hosts, and not users to not cause some DOS on my existing users by random scans. This is how the pam_abl config file looks like after my changes:

# /etc/security/pam_abl.conf:
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:3/1h
#user_db=/var/lib/abl/users.db
#user_purge=2d
#user_rule=!root:10/1h,30/1d

Basically this will block any user coming from any host (symbolized by * ) after 3 failed login attempts in 1h. You should check the author’s documentation for more details about the syntax of the configuration file.

Any host trying to brute force my testing ssh server will be blocked after 3 failed attempts and in the system logs (/var/log/auth.log on Debian for authentication events) we can see:

sshd[6892]: Failed password for root from 192.168.0.103 port 40235 ssh2
sshd[6892]: Failed password for root from 192.168.0.103 port 40235 ssh2
sshd[6892]: (pam_unix) 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.103  user=root
sshd[6900]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.103 user=root
sshd[6900]: Failed password for root from 192.168.0.103 port 40236 ssh2
** pam_abl[6909]:Blocking access from 192.168.0.103 to service ssh, user root**

After this the server will continue to respond to authentication request to the offending host, but it will fail them even if they match the proper password.

References:
http://hexten.net/pam_abl
http://hexten.net/assets/pam_abl_doc/index.html

Return to the main page: How to Block Brute Force Attacks

comments powered by Disqus