Use Pam_Abl to protect SSH against brute force attacks

Source: Internet
Author: User
Tags: ssh, server

Almost all Unix and Linux servers run an SSH server, which lets administrators access the machine securely from a remote location. Unfortunately, attacks against SSH services have become very common. This article describes how to use the pam_abl module of the Pluggable Authentication Modules (PAM) framework to protect machines running an SSH service from brute-force attacks.


You can either download and compile the pam_abl module yourself or install a binary package. If you want to compile it, the source code and build instructions are available on the pam_abl homepage. To install pam_abl on Ubuntu Dapper or Edgy (server or desktop), add Roman Balitsky's custom repository to the /etc/apt/sources.list file:


deb http://ubuntu.tolero.org/dapper main    (for Dapper)
deb http://ubuntu.tolero.org/edgy main      (for Edgy)
 

After the repository has been added, update the package list, install pam_abl, and restart the SSH server:

 

sudo apt-get update
sudo apt-get install libpam-abl
sudo /etc/init.d/ssh restart
 


Next, configure pam_abl in the /etc/security/pam_abl.conf file:


# /etc/security/pam_abl.conf
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:3/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:3/1h,30/1d
 


Lines 2 and 5 set where the lists of blocked hosts and users are stored. Lines 3 and 6 set how long block records are kept before they are purged; in this example the host and user records are purged after two days. Lines 4 and 7 are the host and user rules, which we analyze in detail next.


The rules use the following format:


host_rule / user_rule =


So line 4 says: block every host that has failed authentication more than three times in the last hour, or more than 30 times in the last day.


The rule on line 7 says: except for the root user (that is what the "!root" prefix means), block every user who has entered a wrong password three times within an hour or more than 30 times within a day.


You can also write a rule that protects only selected users. Suppose you want to protect the users anze, dasa, kimzet, and madison; the rule would be:


anze|dasa|kimzet|madison:20/1h
 


If any of these four users accumulates 20 logon failures within an hour, that user is blocked.

For more options and trigger settings, see the pam_abl homepage.
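To check how the rules above behave before they go into /etc/security/pam_abl.conf, here is a small evaluator written for this article (it is not pam_abl's own code). It implements the rule semantics described above: a subject selector (`*`, `!name`, or `a|b|c`), followed by one or more `count/period` triggers. It assumes period suffixes s, m, h and d, and that a trigger fires once the number of failures inside its window reaches the count, matching the three-failure test later in the article.

```python
import re

# Period suffixes assumed for this example: seconds, minutes, hours, days.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rule(rule):
    """Split e.g. "!root:3/1h,30/1d" into ("!root", [(3, 3600), (30, 86400)])."""
    subject, sep, triggers = rule.partition(":")
    if not sep:
        raise ValueError(f"rule {rule!r} has no ':' between subject and triggers")
    parsed = []
    for trig in triggers.split(","):
        m = re.fullmatch(r"\s*(\d+)/(\d+)([smhd])\s*", trig)
        if not m:
            raise ValueError(f"bad trigger {trig!r} in rule {rule!r}")
        count, num, unit = int(m.group(1)), int(m.group(2)), m.group(3)
        parsed.append((count, num * UNIT_SECONDS[unit]))
    return subject.strip(), parsed


def subject_matches(subject, name):
    """'*' matches everyone, '!a|b' matches everyone except a and b, 'a|b' only a and b."""
    if subject == "*":
        return True
    if subject.startswith("!"):
        return name not in subject[1:].split("|")
    return name in subject.split("|")


def is_blocked(rule, name, failure_times, now):
    """True if the subject matches and any trigger's failure count is reached
    within its period ending at `now` (times are plain seconds, e.g. epoch)."""
    subject, triggers = parse_rule(rule)
    if not subject_matches(subject, name):
        return False
    for count, period in triggers:
        recent = [t for t in failure_times if now - period < t <= now]
        if len(recent) >= count:
            return True
    return False


if __name__ == "__main__":
    # The article's rules, checked against a constructed failure history.
    print(is_blocked("*:3/1h,30/1d", "sataras.example.com", [100, 200, 300], 1000))        # True
    print(is_blocked("!root:3/1h,30/1d", "root", [100, 200, 300], 1000))                   # False
    print(is_blocked("anze|dasa|kimzet|madison:20/1h", "madison", [100, 200, 300], 1000))  # False
```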


Test


To test your settings, open a terminal on the target server and watch the /var/log/auth.log file, then try to log on to the server with a wrong password three times and check whether pam_abl blocks you. If it does, the log shows a line like the following (using the madison user as an example):

 

pam_abl[6248]: Blocking access from sataras.example.com to service ssh, user madison
 


This indicates that the madison user on the target host is banned for 2 days.
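Rather than reading auth.log by eye, the block lines can be summarized. The script below is an added example, not part of the original article: it matches pam_abl's "Blocking access from ... to service ..., user ..." message in the format shown above, counts blocks per host and per user, and flags any of your own hosts that were blocked, which is the lockout case to watch for. The log lines embedded in it are constructed samples.

```python
import re
from collections import Counter

# pam_abl's block message as shown in the article; pid and hostnames vary.
BLOCK_RE = re.compile(
    r"pam_abl\[\d+\]: Blocking access from (?P<host>\S+) "
    r"to service (?P<service>\S+), user (?P<user>\S+)"
)

# Constructed sample of /var/log/auth.log lines (not a real log).
SAMPLE_AUTH_LOG = """\
Mar 20 10:01:02 srv sshd[6240]: Failed password for madison from sataras.example.com port 4022 ssh2
Mar 20 10:01:09 srv sshd[6244]: Failed password for madison from sataras.example.com port 4023 ssh2
Mar 20 10:01:15 srv pam_abl[6248]: Blocking access from sataras.example.com to service ssh, user madison
Mar 20 10:05:40 srv pam_abl[6301]: Blocking access from sataras.example.com to service ssh, user madison
Mar 20 11:12:00 srv pam_abl[6410]: Blocking access from office.example.net to service ssh, user admin
"""


def block_events(log_text):
    """Return a (host, service, user) tuple for every pam_abl block line."""
    events = []
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            events.append((m.group("host"), m.group("service"), m.group("user")))
    return events


def block_summary(log_text, my_hosts=()):
    """Count blocks per host and per user, and list any of your own
    hosts (my_hosts) that pam_abl blocked, which signals a lockout risk."""
    events = block_events(log_text)
    hosts = Counter(h for h, _, _ in events)
    users = Counter(u for _, _, u in events)
    locked_out = sorted(h for h in hosts if h in set(my_hosts))
    return {"hosts": dict(hosts), "users": dict(users), "locked_out": locked_out}


if __name__ == "__main__":
    print(block_summary(SAMPLE_AUTH_LOG, my_hosts=["office.example.net"]))
```

On a real server, read the text with open("/var/log/auth.log") (root or adm group rights are needed) and pass your administrative hostnames as my_hosts.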

You can use the pam_abl command to list blocked users and hosts at any time:


~$ sudo pam_abl
Failed users:
    madison (3)
        Blocking users [!root]
Failed hosts:
    sataras.example.com (3)
        Blocking users [*]
 


Conclusion


There are many ways to protect your machine from attackers, including changing the SSH listening port and using iptables and TCP wrappers to restrict which hosts may connect to the SSH service. The pam_abl module protects the SSH server from brute-force attacks. However, configure it carefully so that you do not lock yourself out of your own server.


===============================================================

Author: stonelion

Source: linux.com

http://security.linux.com/article.pl?sid=07/03/20/2043209


[Related materials]

"Brute force attack" - http://en.wikipedia.org/wiki/brute_force_attack

"pam_abl" - http://sourceforge.net/projects/pam-abl

"PAM" - http://www.faqs.org/docs/linux-howto/user-authentication-howto.html#aen101

"Download the source code" - http://sourceforge.net/project/showfiles.php?group_id=148927

"Homepage" - http://www.hexten.net/pam_abl/

"Roman Balitsky" - http://tech.tolero.org/blog/en/

"Documentation homepage" - http://www.hexten.net/assets/pam_abl_doc/index.html

 
