[BlueOnyx:02024] Re: pam_abl

Tjerk Hacquebord tjerk at hqmatics.nl
Tue Aug 11 13:00:17 -05 2009


Thank you for explaining the pam_abl. Until now only green lights here so
let's see if I can get any red ones :)


> Hmm ... interesting. Didn't know that. Which browser are you using?
Using IE8 it does not work, Firefox seems to be okay but is missing out on
very many lines of the logfile. If I tail the maillog from the GUI it
ignores many pop-logins and displays the PC time instead of the logtime? The
missing lines could be an expression pattern fault..

Tjerk Hacquebord
---
tjerk at hqmatics.nl
http://www.hqmatics.nl


HQMatics: Software and website development

-----Original message-----
From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it]
On behalf of Michael Stauber
Sent: Tuesday, 11 August 2009 18:41
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:02023] Re: pam_abl

Hi Tjerk,

> First, this looks like a very good system to prevent hackers from
> 'guessing' passwords. So thanks for the update!

Many thanks. Yeah, something like that is sure needed.

> Have one question though, my /var/log/messages shows some bans already:
>
> Aug 11 15:55:15 server3 cced(smd)[28921]: client
> 6:handlers/base/console/pam_abl_import.pl: CREATE fail_users blocking = 0
> failcnt = 2 username = oracle
> Aug 11 15:55:15 server3 cced(smd)[28921]: client
> 6:handlers/base/console/pam_abl_import.pl: CREATE succeeded
> Aug 11 15:55:15 server3 cced(smd)[28921]: client
> 6:handlers/base/console/pam_abl_import.pl: CREATE fail_users blocking = 0
> failcnt = 30 username = root

Bans will be logged into /var/log/secure.

What you see in /var/log/messages is just a handler script that runs and 
populates the GUI database CODB with the information about failed login 
activity.

> So there are some username blocks, and some host blocks, right?

Let's put it that way: There is activity. If someone fails one login, his IP
and the username he used to authenticate will be logged. But he won't be
banned until he exceeds the number of failed logins that you have specified
to trigger the lockout. The default for host bans is 30 failures in 1h. So even
if someone failed just a few times and was still below the threshold that
triggers a ban, he's still in the database until he eventually drops out of
it at the set purge time. But the GUI will show a green light next to the
account(s) and host(s) if they're not blocked. That light will turn red when
the block is temporarily active. A block automatically expires after one hour
of no further activity from the offending host.

> In the GUI I only see the username blocks, the host block list is still
> empty
>
> Something to do with this line?
>
> : CREATE fail_hosts failed (-5)

That is correct - that's related to that problem. The database field that
stores the host bans takes only IP addresses - not FQDNs. From my tests so
far during the last 10-12 days I was under the impression that pam_abl only
stores the IP of the failed hosts in its database. But apparently in your case it
tried to store FQDNs as well. Protection wise it doesn't matter, as pam_abl
will block the offender - regardless of whether it sees the source as FQDN or IP
address. It's just the GUI that may not show the entire host list of
offenders.

I'll publish a fix for that sometime tonight.

> And a small suggestion, display the time a user or host was blocked in the
> GUI? Might be useful if you want to search your logs or something.

Yeah, that's planned and I already added the database fields required for
it. As the rest of the code for it takes quite a bit of extra effort I left it
out of the first release and put it on the backburner. But it'll come.

For now: If you want to see the date and times of the events, run this from 
the command line:

/etc/init.d/pam_abl status
... or ...
/usr/bin/pam_abl -v

> While I'm at it, the Security -> Logfiles page is giving me Javascript
> errors in ajax.js (Don't really mind cause I don't use it but just to let
> you know it doesn't work properly)

Hmm ... interesting. Didn't know that. Which browser are you using?

-- 
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx
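As an added illustration (not code from this thread, from pam_abl or from BlueOnyx), here is a small Python model of the two points Michael explains above: the host-ban rule (30 failures within 1h, expiring after 1h without further failures) and the GUI import's restriction that `fail_hosts` only accepts IP addresses, so an FQDN entry is rejected. The `cced` log lines are constructed in the format quoted in the thread; the `LINE_RE` pattern and `host_ban_active` model are assumptions about the behaviour described, not the real pam_abl_import.pl logic.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines, in the format quoted in the thread (not real log data).
SAMPLE_LOG = """\
Aug 11 15:55:15 server3 cced(smd)[28921]: client 6:handlers/base/console/pam_abl_import.pl: CREATE fail_users blocking = 0 failcnt = 2 username = oracle
Aug 11 15:55:15 server3 cced(smd)[28921]: client 6:handlers/base/console/pam_abl_import.pl: CREATE succeeded
Aug 11 15:55:15 server3 cced(smd)[28921]: client 6:handlers/base/console/pam_abl_import.pl: CREATE fail_users blocking = 0 failcnt = 30 username = root
"""

# Assumed pattern for the fail_users CREATE lines shown above.
LINE_RE = re.compile(
    r"CREATE fail_users blocking = (?P<blocking>\d+) "
    r"failcnt = (?P<failcnt>\d+) username = (?P<username>\S+)"
)

HOST_THRESHOLD = 30        # default host ban: 30 failures in 1h (as stated in the thread)
WINDOW = timedelta(hours=1)  # both the trigger window and the expiry idle time


def parse_import_lines(text):
    """Return (blocking, failcnt, username) tuples for each fail_users CREATE line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append((int(m["blocking"]), int(m["failcnt"]), m["username"]))
    return rows


def storable_in_fail_hosts(host):
    """The GUI's fail_hosts field takes only IP addresses; an FQDN is the
    kind of value behind 'CREATE fail_hosts failed (-5)' in the thread."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_ban_active(failure_times, now):
    """Simplified model of the described rule: a ban triggers once HOST_THRESHOLD
    failures fall within WINDOW, and it lapses after WINDOW with no new failures."""
    times = sorted(failure_times)
    if not times or now - times[-1] > WINDOW:
        return False  # no failures, or an hour of silence: ban expired
    # Any run of HOST_THRESHOLD consecutive failures spanning <= 1h triggers the ban.
    for i in range(len(times) - HOST_THRESHOLD + 1):
        if times[i + HOST_THRESHOLD - 1] - times[i] <= WINDOW:
            return True
    return False
```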