Installing pam_abl to block brute force SSH attempts on Linux


December 16th, 2008

pam_abl is a great tool to mitigate SSH brute-force attacks on a server. It works by monitoring remote hosts that try to authenticate via PAM, and silently failing further attempts from a given host (or for a certain user) once the number of failed attempts has exceeded a given threshold. Unlike techniques such as fail2ban, the brute forcer (if they are even human) will not realise you're blocking them. It also works in real time.

Unfortunately, it's not in the repository of many distros anymore (at least not Debian and Ubuntu). You can still install it by hand reasonably easily. These instructions apply to Debian, but are pretty generic and should work with a little tweaking on any distro.

  1. Install the required tools: gcc, libpam0g-dev, libdb-dev (likely any 4.x version would work)
  2. Download the .tar.gz from the official project.
  3. Extract: tar xzf pam_abl-0.2.3.tar.gz
  4. Compile: cd pam_abl; make
  5. Install: sudo make install
  6. Create the configuration file /etc/security/pam_abl.conf. I use something like the below. You can read more about the available options in the doc/ folder of the .tar.gz:

     host_db=/var/lib/abl/hosts.db
     host_purge=1d
     host_rule=*:10/1h,30/1d

  7. Add pam_abl to sshd's PAM stack. Edit /etc/pam.d/sshd and add this line right before real authentication begins (usually the reference to pam_unix). Again, see the documentation for more info:

     auth	required	pam_abl.so config=/etc/security/pam_abl.conf

  8. Enjoy your SSH brute-force protected server!

A few other tips:

  • You should run pam_abl --purge manually every day or so; it doesn't seem to purge automatically all the time.
  • You can add pam_abl to the PAM stack of other applications if you want, it works the same way.
  • You can see the contents of the pam_abl database with the program pam_abl. A useful trick to see all currently blocked hosts: pam_abl | grep --before-context=1 "*"
  • If the database gets too large pam_abl will stop working properly. Make sure you set a sane purge rule.
  • Remember you don't need to be very aggressive to catch 99.9% of bruteforce attempts.
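To make the configuration and PAM-stack steps above (and the daily purge from the tips) reviewable before touching /etc, here is an added example script; it is not part of the original post or of the pam_abl project. It writes the pam_abl.conf shown above, inserts the pam_abl auth line immediately before the first pam_unix auth line (or, as an assumption for Debian-style stacks, before an @include common-auth line), and writes a cron.d entry for the purge. All paths are parameters; the demo runs against constructed copies in a temporary directory, and the pam_abl binary location is an assumption (check it with command -v pam_abl after installing).

```shell
#!/bin/sh
# Added example (not from the original post or the pam_abl project).
# Stages the pam_abl.conf, the sshd PAM-stack line and a daily purge cron entry
# into files whose paths you choose, so the change can be reviewed before it is
# applied to /etc. Run with --demo to see a dry run in a temporary directory.
set -eu

# write_abl_conf CONF_PATH: write the pam_abl.conf used in the post.
write_abl_conf() {
    cat > "$1" <<'EOF'
host_db=/var/lib/abl/hosts.db
host_purge=1d
host_rule=*:10/1h,30/1d
EOF
}

# Pattern for the line where "real authentication begins": the first pam_unix
# auth line, or (assumption, Debian-style stacks) an "@include common-auth".
REAL_AUTH_RE='^(auth[[:space:]].*pam_unix\.so|@include[[:space:]]+common-auth)'

# insert_pam_abl PAMFILE CONF_PATH: insert the pam_abl auth line right before
# the real authentication line. Idempotent: a second run changes nothing.
insert_pam_abl() {
    pamfile=$1
    conf=$2
    if grep -q 'pam_abl\.so' "$pamfile"; then
        return 0                       # already present, leave the file alone
    fi
    if ! grep -qE "$REAL_AUTH_RE" "$pamfile"; then
        echo "no pam_unix / common-auth auth line found in $pamfile" >&2
        return 1
    fi
    tmp="$pamfile.tmp"
    # awk -v turns the \t escapes into real tabs, matching the post's line.
    awk -v line="auth\trequired\tpam_abl.so config=$conf" '
        !done && (/^auth[ \t]+.*pam_unix\.so/ || /^@include[ \t]+common-auth/) {
            print line; done = 1
        }
        { print }
    ' "$pamfile" > "$tmp"
    mv "$tmp" "$pamfile"
}

# pam_abl_precedes_auth PAMFILE: succeed only if pam_abl.so appears on an
# earlier line than the real authentication line (the ordering the post needs).
pam_abl_precedes_auth() {
    abl=$(grep -n 'pam_abl\.so' "$1" | head -n 1 | cut -d: -f1)
    real=$(grep -nE "$REAL_AUTH_RE" "$1" | head -n 1 | cut -d: -f1)
    [ -n "$abl" ] && [ -n "$real" ] && [ "$abl" -lt "$real" ]
}

# write_purge_cron CRON_PATH: schedule the daily "pam_abl --purge" from the tips
# as an /etc/cron.d style entry run by root at 03:00. The binary path is an
# assumption; override it with PAM_ABL_BIN if pam_abl is not on cron's PATH.
write_purge_cron() {
    printf '0 3 * * * root %s --purge\n' "${PAM_ABL_BIN:-pam_abl}" > "$1"
}

# demo_dry_run: exercise everything against a constructed copy of sshd's stack.
demo_dry_run() {
    dir=$(mktemp -d)
    # Constructed sample of /etc/pam.d/sshd (not a real file from any system).
    printf 'auth\trequired\tpam_env.so\nauth\trequired\tpam_unix.so\naccount\trequired\tpam_unix.so\n' > "$dir/sshd"
    write_abl_conf "$dir/pam_abl.conf"
    insert_pam_abl "$dir/sshd" /etc/security/pam_abl.conf
    insert_pam_abl "$dir/sshd" /etc/security/pam_abl.conf   # second run: no-op
    pam_abl_precedes_auth "$dir/sshd" && echo "pam_abl is ordered before pam_unix"
    write_purge_cron "$dir/pam_abl-purge.cron"
    cat "$dir/sshd" "$dir/pam_abl.conf" "$dir/pam_abl-purge.cron"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo_dry_run
fi
```

Once the staged files look right, copy them into place (the sshd PAM file, /etc/security/pam_abl.conf and /etc/cron.d/) as root; the idempotency check means re-running the script after a package upgrade rewrote /etc/pam.d/sshd will re-insert the line only if it is actually missing.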
