Use Pam_Abl to protect SSH against brute force attacks

Almost all Unix and Linux servers run the SSH server, which enables the administrator to securely and remotely visit the server. Unfortunately, recent attacks against SSH services are not common. This article will show you how to use the pam_abl plug-in of the SSH plug-in authorization module (PAM) to protect machines running the SSH service from brute force attacks.

Almost all Unix and Linux servers run the SSH server, which enables the administrator to securely and remotely visit the server. Unfortunately, recent attacks against SSH services are not common. This article describes how to use the pam_abl plug-in of the SSH plug-in authorization module (PAM) to protect the machines running the SSH service from brute force attacks.

You can download and compile the pam_abl module, or download and install a binary archive. If you want to compile this module, you can download the source code and collect information about how to compile it on the pam_abl homepage. If you want to configure pam_abl on the Ubuntu Dapper or Edgy server and PC, you can load a customized Roman Balitsky archive to the/etc/apt/sources. list file:

deb http://ubuntu.tolero.org/ dapper main (for Dapper)deb http://ubuntu.tolero.org/ edgy main (for Edgy)

After the installation source is added, update the list, install pam_abl, and restart the SSH server:

sudo apt-get updatesudo apt-get install libpam-ablsudo /etc/init.d/ssh restart

Next, you can configure pam_abl in the/etc/security/pam_abl.conf file:

#/etc/security/pam_abl.confhost_db=/var/lib/abl/hosts.dbhost_purge=2dhost_rule=*:3/1h,30/1duser_db=/var/lib/abl/users.dbuser_purge=2duser_rule=!root:3/1h,30/1d

The second and fifth lines show the storage status of the list of blocked users and hosts. Row 3 and row 6 set the ban refresh time. In this example, the system will refresh the host and user sealing rules within two days. Lines 4 and 7 identify the host and user rules. let's analyze them in detail.

The file configuration method is as follows:

host/user_rule=
 
  :
  
   /
   
    ,
    
     /
     
    
   
  
 

Therefore, row 4 means to block all hosts that have been mistakenly authenticated for more than three times in the last hour, or all hosts that have tried more than 30 times in the last day.

In addition to the user root directory ("! Other than the user indicated by the root user, the user cannot access the wrong password three times in an hour or attempt more than 30 times in a day by mistake.

You can also use definitions to protect selected users. Assume that you need to protect anze, dasa, kimzet, and madison users. the configuration method is as follows:

In this example, if the number of logon failures of these four users reaches 20 in an hour, the user will be banned.

For more options and trigger settings, see pam_abl clarification homepage.

Test

If you want to test your settings, open a terminal on the target and observe/var/log/auth. log file, try logging on to the server with the wrong password three times, and check whether the pam_abl plug-in blocks you. If it is blocked, take the madison user as an example. the logon file is as follows:

pam_abl[6248]: Blocking access from sataras.example.com to service ssh, user madison

This indicates that the madison user on the target host is banned for 2 days.

You can use the following pam_abl statement to View banned users and hosts at any time:

~$ sudo pam_ablFailed users:madison (3)Blocking users [!root]Failed hosts:sataras.example.com (3)Blocking users [*]

Conclusion

You can use many methods to protect your machine from hacker attacks, including changing the SSH listening port, using iptables and TCP wrappers to define the host that promises to connect to the SSH service, and so on. The application of the pam_abl module can protect the SSH server against brute force attacks. However, you must be cautious when configuring this module so that hackers do not lock yourself out of your server.