[BlueOnyx:01981] YUM updates: base-console, PAM, CCE, ProFTPd, base-network (+new features)

Michael Stauber mstauber at blueonyx.it
Mon Aug 10 06:09:52 -05 2009


Hi all,

Tired of those brute force login attempts against your server(s)?

Well, this time we did something against it and extended BlueOnyx with a 
default mechanism which detects and blocks those attempts.

Don't worry, it will not conflict with any existing install of APF+BFD, Dfix, 
DenyHosts or similar custom tool that you have aboard, as it uses entirely 
different methods. Firewalling offending IPs off is still the best approach, 
but our implementation is quicker upon detecting brute force login attempts 
and has less overhead.

Now this update is somewhat extensive, so this somewhat longer than usual 
message walks you through all the need-to-knows.

The HTML version of this message can be found here:

http://www.blueonyx.it/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=37&cntnt01origid=15&cntnt01returnid=54

---

The following updates for BlueOnyx were released today and are now available 
through YUM:

==========
 Package  
==========

Updating:
 base-console-capstone
 base-console-glue
 base-console-locale-da_DK
 base-console-locale-de_DE
 base-console-locale-en
 base-console-locale-ja
 base-console-ui
 base-network-capstone
 base-network-glue
 base-network-locale-da_DK
 base-network-locale-de_DE
 base-network-locale-en
 base-network-locale-ja
 base-network-ui
 pam
 proftpd
 sausalito-cce-client
 sausalito-cce-server

Transaction Summary
============================
Install      0 Package(s)
Update      18 Package(s)
Remove       0 Package(s)


These packages address the following issues:

base-console, pam and sausalito-cce-server:
================================

Feature update: This update accomplishes a few things in one go. Most 
importantly it extends BlueOnyx with a basic (but effective) protection 
against brute force password discovery attacks through the implementation of 
pam_abl.

General explanation:
-------------------------

pam_abl provides auto blacklisting of hosts and (optionally!) users 
responsible for repeated failed authentication attempts.

Brute force password discovery attacks involve repeated attempts to 
authenticate against a service using a dictionary of common passwords. While 
it is desirable to enforce strong passwords for users this is not always 
possible and in cases where a weak password has been used brute force attacks 
can be effective.

The pam_abl module monitors failed authentication attempts and automatically 
blacklists those hosts (and optionally also accounts) that are responsible for 
a configurable number of failed attempts. Once a host is blacklisted it is 
guaranteed to fail authentication even if the correct credentials are 
provided.

Blacklisting is triggered when the number of failed authentication attempts in 
a particular period of time exceeds a predefined limit. Hosts which stop 
attempting to authenticate will - after a period of time - be un-blacklisted 
automatically.

Detailed explanation:
--------------------------

Our implementation of pam_abl protects pretty much any network service that 
uses the pluggable authentication mechanism (PAM). On BlueOnyx that includes 
SSH, Telnet, FTP, SMTP-Auth, POP3, IMAP and so on. pam_abl records failed 
logins into a temporary database, which is purged periodically. During such 
purges old entries with no frequent activity are expired. If someone exceeds a 
certain (configurable) amount of failed logins, then anyone from the offending 
IP will be unable to authenticate - even if they try a valid username and 
password combination.

Please note: pam_abl is not a firewall. It just ties into the authentication 
mechanism that all services use and blocks on that level. So if you already 
have some brute force detection mechanism, then this update will not conflict 
with it.

The most visible aspects of this new update are the two new GUI pages under 
"Server Management" / "Security". They are called "Failed Logins" and "Login 
Manager".

"Login Manager" allows you to configure the settings of pam_abl. Like how long 
entries without recent activity remain in the database before they are purged 
from it. And more importantly: How many failed authentication attempts trigger 
a lock out of the offending host or (optionally) user. Generally you should 
only block hosts - this is the default.

The "Failed Logins" page shows a list of hosts that had failed password 
attempts. It also shows how many failed login attempts they had, if they are 
currently blocked, or if they (still - or again) are able to log in. As said: 
Bans are temporary and expire after one hour of no further activity from that 
host.

That page also shows you a list of usernames that were used during the failed 
login attempts.

And of course the page allows you to reset all host and/or user bans.
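As an added illustration (not pam_abl's own code, and not part of this announcement), the following Python models the blacklisting rule described above: failures per host are counted within a time window, a host over the limit fails authentication even with valid credentials, continued attempts keep the ban alive, and a ban and its history lapse after an hour of silence or a reset. The class name, thresholds and sample addresses are assumptions.

```python
# Illustration of the auto-blacklisting logic described in the announcement.
# Not pam_abl's code; defaults are assumptions chosen to mirror the text
# (bans expire after one hour without further activity from a host).
from collections import defaultdict


class FailedLoginTracker:
    def __init__(self, max_failures=10, window=3600, expiry=3600):
        self.max_failures = max_failures   # failures within `window` that trigger a block
        self.window = window               # seconds over which failures are counted
        self.expiry = expiry               # seconds of silence before a host's record expires
        self.failures = defaultdict(list)  # host -> [(timestamp, username), ...]

    def record_failure(self, host, user, now):
        self.failures[host].append((now, user))

    def purge(self, now):
        """The periodic purge: drop hosts with no activity within `expiry`."""
        for host in list(self.failures):
            if now - self.failures[host][-1][0] > self.expiry:
                del self.failures[host]

    def is_blocked(self, host, now):
        events = self.failures.get(host, [])
        if events and now - events[-1][0] > self.expiry:
            return False                   # ban lapsed through inactivity
        recent = [t for t, _ in events if now - t <= self.window]
        return len(recent) >= self.max_failures

    def authenticate(self, host, user, password_ok, now):
        """A blocked host fails even with valid credentials; each attempt is recorded."""
        if self.is_blocked(host, now):
            self.record_failure(host, user, now)   # keeps the ban alive
            return False
        if not password_ok:
            self.record_failure(host, user, now)
            return False
        return True

    def usernames_tried(self, host):
        """Usernames seen in failed attempts from a host (the 'Failed Logins' page)."""
        return sorted({u for _, u in self.failures.get(host, [])})

    def reset(self, host=None):
        """Equivalent of the GUI reset buttons or an init-script flush."""
        if host is None:
            self.failures.clear()
        else:
            self.failures.pop(host, None)
```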

Built in safeguards:
-----------------------

Of course any mechanism to restrict access to the server has the potential to 
backfire. Users could lock themselves out because they repeatedly log in with 
the wrong username and/or password. However, we set reasonable defaults, so 
this should be a rare event. Of course you can change the default values 
through the GUI, or could disable the automatic temporary blocking in general.

At the worst you could lock yourself out, too. So we built in a few safeguards 
which allow you to do something about that - even if you locked yourself out.

Safeguard #1: Regardless of whether pam_abl has your IP address blocked or not, 
you will always be able to login to the GUI interface with the server's admin 
account. From there you can use the buttons on the "Failed Logins" page to 
reset all blocks - or just the one involving your IP.

Safeguard #2: If the server is rebooted, the pam_abl database and all blocks 
are reset.

Safeguard #3: If you still have access to the command line of the server (from 
another IP or from a "root" session that is still open), then simply run 
"/etc/init.d/pam_abl stop" to manually initiate a flush of the pam_abl 
database.

Command line usage:
--------------------------

The following new commands allow you to receive a bit more information about 
pam_abl on the command line:

/etc/init.d/pam_abl

Options: start|stop|status|purge

start or stop: Flush the databases, delete all blocks and erase the failed 
login history.

status: Shows detailed information about all recorded events - including date 
and time stamps.

purge: Allows you to manually expire events from the database which are older 
than the defined record keeping settings.

/usr/bin/pam_abl

Command line tool of pam_abl. Run it with the -h switch to see all available 
options.


ProFTPd:
=======

This update brings ProFTPd to the latest version. Additionally we had to 
modify the authentication mechanisms of ProFTPd a little to make it work with 
pam_abl. Unfortunately this breaks ProFTPd's built in support for 
authentication against LDAP or MySQL. But as those aren't used by default on 
BlueOnyx we considered that acceptable.

Our new ProFTPd also has the custom module mod_ban now compiled in by default.

The mod_ban module is designed to add dynamic "ban" lists to proftpd. A ban 
prevents the banned user, host, or class from logging in to the server; it 
does not prevent the banned user, host, or class from connecting to the 
server. mod_ban is not a firewall. The module also provides automatic bans 
that are triggered based on configurable criteria.

Beyond the protection that pam_abl already provides, mod_ban adds another 
layer of security that can be finely tuned.

To edit the mod_ban settings see /etc/proftpd.conf

Caveats:
-----------

This ProFTPd update is potentially troublesome, because we had to rewrite 
sections of /etc/proftpd.conf in order to make things happen.

The most straightforward way to do this was to simply replace the existing 
/etc/proftpd.conf with a new one and then simply add the required VirtualHost 
containers back with the help of the script 
/usr/sausalito/sbin/fixproftpd_conf.pl.

If you manually made any changes to your ProFTPd configuration, those will 
unfortunately get lost during the upgrade. However, a copy of your old 
proftpd.conf will be kept as /etc/proftpd.conf.pre-1.3.2a


base-network:
===========

The GUI page from which you can configure your server's host and domain name, 
DNS and network related settings had issues when you had more than two network 
cards.

These bugs then prevented you from saving the changes.

That problem has been fixed.


-- 
With best regards

Michael Stauber
