Automatic Blacklisting with PAM

Description

This page covers how to install and set up automatic blacklisting of hosts and users that repeatedly fail authentication, using PAM and the pam_abl module.

Prerequisites

  • A recent Ubuntu server.
  • pam_abl (see below)

Installation

To install the pam_abl PAM module, run the following command.
sudo apt-get install libpam-abl

Configuration

To enable the pam_abl module for SSH, sshd must be configured to use PAM (this is the default on most Ubuntu installs). Verify that UsePAM is set to yes in /etc/ssh/sshd_config.
sudo nano /etc/ssh/sshd_config
If it is not, change it as shown below.
UsePAM yes
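As an added example (not part of the original page), a small Python check that reads an sshd_config and reports the UsePAM value sshd will actually use. This matters because sshd honours the first occurrence of a keyword and ignores later ones, so a stray "UsePAM no" above the line you edit silently wins; keywords are also case-insensitive, and UsePAM cannot appear inside a Match block. The sample configuration text below is constructed.

```python
import re
from typing import Optional

# Constructed sample sshd_config fragment (not copied from any real host).
# Note the commented-out line, the lowercase keyword and the later
# contradictory "UsePAM no": sshd will use the first real occurrence.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
#UsePAM no
ChallengeResponseAuthentication no
usepam yes
UsePAM no
"""


def effective_use_pam(config_text: str) -> Optional[bool]:
    """Return the UsePAM value sshd would use, or None if it is never set.

    sshd_config semantics applied here:
      * a line whose first non-blank character is '#' is a comment
      * keywords are case-insensitive; "keyword value" and "keyword=value"
        are both accepted
      * the FIRST occurrence of a keyword wins
      * lines after a Match directive belong to that block and are skipped,
        since UsePAM is not permitted there
    """
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key == "usepam" and len(parts) == 2:
            value = parts[1].strip().strip('"').lower()
            return value == "yes"
    return None


def check_sshd_config(path: str) -> str:
    """Read a file and return a one-line verdict suitable for a script."""
    with open(path, encoding="utf-8") as fh:
        state = effective_use_pam(fh.read())
    if state is True:
        return "UsePAM yes (PAM modules such as pam_abl will be consulted)"
    if state is False:
        return "UsePAM no: pam_abl will NOT run for SSH logins"
    return "UsePAM not set: sshd's compiled-in default applies"


if __name__ == "__main__":
    print(effective_use_pam(SAMPLE_SSHD_CONFIG))  # True: 'usepam yes' came first
```

On a live host, `sudo sshd -T | grep -i usepam` prints the effective value, including anything pulled in through Include directives, and is the authoritative check; the parser above is for reviewing a file before you deploy it.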
Next, review the pam_abl configuration.
sudo nano /etc/security/pam_abl.conf
The default configuration should work for most people. For my setup, I added a local user account (johndoe) to the whitelist.
db_home=/var/lib/abl
host_db=/var/lib/abl/hosts.db
host_purge=1d
host_rule=*:30/1h
user_db=/var/lib/abl/users.db
user_purge=1d
user_rule=*/sshd:5/1h
host_clear_cmd=[logger] [clear] [host] [%h]
host_block_cmd=[logger] [block] [host] [%h]
user_clear_cmd=[logger] [clear] [user] [%u]
user_block_cmd=[logger] [block] [user] [%u]
limits=1000-1200
host_whitelist=localhost
user_whitelist=johndoe
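As an added example, not code from the pam_abl project: a Python model of how the host_rule, user_rule and whitelist lines above are read, so you can see what a rule will do before relying on it (with the values above, a host is blocked after 30 failures within an hour and a user after 5 failed sshd logins within an hour, while johndoe and localhost are never blocked). It assumes the syntax shown on this page, subject[/service]:count/period with "*" meaning any and periods in s/m/h/d, plus the comma-separated list of count/period triggers the pam_abl manual describes and a semicolon-separated whitelist. Treating a trigger as "count or more failures within period", matching non-"*" subjects by exact name, and counting only failures from the named service are this model's assumptions, not a description of pam_abl internals. The failure timestamps are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# Period suffixes used in pam_abl rules, in seconds.
PERIOD_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


@dataclass(frozen=True)
class Trigger:
    count: int      # this many failures ...
    period_s: int   # ... within this many seconds


@dataclass(frozen=True)
class Rule:
    subject: str              # "*" (any) or an exact user/host name (assumption)
    service: str              # "*" (any) or a PAM service such as "sshd"
    triggers: Tuple[Trigger, ...]  # block when ANY trigger is satisfied


def parse_period(text: str) -> int:
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"bad period {text!r}; expected e.g. 30m, 1h, 1d")
    return int(m.group(1)) * PERIOD_UNITS[m.group(2)]


def parse_rule(text: str) -> Rule:
    """Parse one rule such as '*:30/1h' or '*/sshd:5/1h,20/1d'."""
    lhs, sep, rhs = text.strip().partition(":")
    if not sep or not rhs:
        raise ValueError(f"bad rule {text!r}; expected subject[/service]:count/period")
    subject, _, service = lhs.partition("/")
    triggers = []
    for trig in rhs.split(","):
        count, sep, period = trig.partition("/")
        if not sep or not count.strip().isdigit():
            raise ValueError(f"bad trigger {trig!r}; expected count/period")
        triggers.append(Trigger(int(count), parse_period(period)))
    return Rule(subject.strip() or "*", service.strip() or "*", tuple(triggers))


def parse_whitelist(text: str) -> set:
    """Whitelist entries are taken as ';'-separated names (assumption)."""
    return {e.strip() for e in text.split(";") if e.strip()}


Failure = Tuple[int, str]   # (epoch seconds of the failure, PAM service name)


def would_block(rule: Rule, name: str, failures: Sequence[Failure],
                now: int, whitelist: Iterable[str] = ()) -> bool:
    """True if `name` meets any trigger of `rule` given its recorded failures."""
    if name in set(whitelist):
        return False                      # whitelisted entries are never blocked
    if rule.subject not in ("*", name):
        return False                      # rule does not apply to this subject
    for trig in rule.triggers:
        recent = [t for t, svc in failures
                  if now - t <= trig.period_s and rule.service in ("*", svc)]
        if len(recent) >= trig.count:     # "count or more within period" (assumption)
            return True
    return False


# The values from the pam_abl.conf shown on this page.
HOST_RULE = parse_rule("*:30/1h")
USER_RULE = parse_rule("*/sshd:5/1h")
HOST_WHITELIST = parse_whitelist("localhost")
USER_WHITELIST = parse_whitelist("johndoe")


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenarios; returns name -> would-be-blocked."""
    three = [(now - 600, "sshd"), (now - 300, "sshd"), (now - 60, "sshd")]
    five = [(now - 60 * i, "sshd") for i in range(5)]
    return {
        # three failures, like the Testing section: under the 5/1h trigger
        "janedoe": would_block(USER_RULE, "janedoe", three, now, USER_WHITELIST),
        # five failures inside the hour: trigger met
        "mallory": would_block(USER_RULE, "mallory", five, now, USER_WHITELIST),
        # whitelisted, so ten failures are still ignored
        "johndoe": would_block(USER_RULE, "johndoe", five * 2, now, USER_WHITELIST),
        # three host failures against a 30/1h host rule
        "127.0.0.1": would_block(HOST_RULE, "127.0.0.1", three, now, HOST_WHITELIST),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {'Blocking' if blocked else 'Not blocking'}")
```

Changing the rule strings at the top and re-running is a cheap way to confirm that a tighter rule (say 3/10m) or a second trigger (5/1h,20/1d) behaves as you expect before you edit the live pam_abl.conf.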
Once you have finalized your configuration, restart the SSH server so that sshd picks up PAM and the pam_abl module.
sudo service ssh restart

Testing

Try to connect to the server.
ssh janedoe@localhost
If everything is configured correctly, you should be prompted to authenticate. Enter an incorrect user/password several times, then run pam_abl to see the recorded failed attempts.
sudo pam_abl
You should see a response similar to the one below.
Failed users:
 janedoe (3)
  Not blocking
Failed hosts:
 127.0.0.1 (3)
  Not blocking
Review the man page for more details on using pam_abl.

References

http://pam-abl.sourceforge.net/
https://www.linux.com/news/protect-ssh-brute-force-attacks-pamabl