DescriptionThis page covers how to install and set up Automatic Blacklisting using PAM and the module pam_abl.
- An recent Ubuntu server.
- pam_abl (see below)
InstallationTo install the pam_abl Library module run the following command.
sudo apt-get install libpam-abl
ConfigurationTo enable the pam_abl module with SSH, you need to have SSH enabled for PAM (this should be the default for most Ubuntu installs. Verify UsePAM is set to yes in /etc/ssh/sshd_config.
sudo nano /etc/ssh/sshd_configIf not, change is as per below.
UsePAM yesNext, you should review the pam_abl configuration.
sudo nano /etc/security/pam_abl.confThe default configuration should work for most people. For my setup, I added a local user (johndoe) account to the whitelist.
db_home=/var/lib/abl host_db=/var/lib/abl/hosts.db host_purge=1d host_rule=*:30/1h user_db=/var/lib/abl/users.db user_purge=1d user_rule=*/sshd:5/1h host_clear_cmd=[logger] [clear] [host] [%h] host_block_cmd=[logger] [block] [host] [%h] user_clear_cmd=[logger] [clear] [user] [%u] user_block_cmd=[logger] [block] [user] [%u] limits=1000-1200 host_whitelist=localhost user_whitelist=johndoeOnce you have finalized your config, restart the SSH Server to ensure that PAM and the module are being used by SSH.
sudo service ssh restart
TestingTry and connect to the server.
ssh janedoe@localhostIf all is configured correctly, you should be prompted to authenticate. Enter an incorrect user/password several times and then run pam_abl to see the results of the failed attempts.
sudo pam_ablYou should be presented with a similar response to below.
Failed users: janedoe (3) Not blocking Failed hosts: 127.0.0.1 (3) Not blockingReview the man page for more details on using pam_abl.