[BlueOnyx:09405] pam_abl query (not stopping anything!)
Chad Bersche
chad at bersche.com
Mon Jan 16 23:20:48 -05 2012
Hello. I'm brand new to the BlueOnyx distribution, after being a LONG
time Cobalt Qube 4 professional and subsequently BlueQuartz user. I
decided to migrate to the BlueOnyx distribution so I can get better
security and patch updates which the BlueQuartz distribution didn't make
easy.
However, here's where my puzzler comes in. I have been reading up on
pam_abl as best I can and I can't for the life of me figure out how it
actually blocks anything. I modified my ruleset to be:
# /etc/security/pam_abl.conf
# debug
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:5/1h
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!admin/cced=10000/1h,50000/1m
I understood this to mean that if there are any 5 failures on any
service within an hour, block the host. I took that to mean that I'd
not be able to connect from that host. After configuring the above, I
proceeded to use an external host to try to log into IMAP. I first used
a user which didn't exist, "foouser". I noticed "auth failed" in the
maillog. I did this about 10 times, with absolutely NOTHING
happening to my pam_abl, and the connections not being stopped. Output
from pam_abl showed nothing being blocked and no failed users.
I then tried to use a user that exists, 'cynthia'. When I tried to log
into this account multiple times, it at least seemed that pam_abl
noticed it, but it never blocked anything. The output from pam_abl
shows (ip changed for security):
# pam_abl
Failed users:
cynthia (21)
Not blocking
Failed hosts:
1.2.3.4 (21)
Not blocking
So, what am I doing wrong? I want ANY logins, whether the user exists
or not, to increment the count of the offending host, and when the
threshold is reached, that host should be blacklisted such that it can
NOT make any connections to the server.
Please help, as I'm having a heck of a time figuring this out, and
documentation seems sparse. fail2ban seems much more straightforward,
but I'm willing to give pam_abl a chance if anyone can help me figure
it out more...
Thanks much! I'm loving my new BlueOnyx install!
-- Chad
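As an added illustration (not pam_abl's own code and not from this thread), the following Python evaluates a host_rule or user_rule the way the rule text reads, using the documented `[!]name1/name2:attempts/interval[,...]` grammar with the ':' separator between subjects and triggers; the failure timestamps are constructed to match the counts in the output above.

```python
"""Illustrative evaluator for pam_abl-style rules such as host_rule=*:5/1h.
Added example, not pam_abl's code: a subject is blocked once any trigger's
failure count is reached inside that trigger's time window."""
import re
from datetime import datetime, timedelta

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # interval suffixes

def parse_rule(rule):
    """Return (negate, names, [(attempts, window_seconds), ...])."""
    subjects, sep, triggers = rule.partition(":")
    if not sep or not triggers:
        raise ValueError(f"rule needs ':' between subjects and triggers: {rule!r}")
    negate = subjects.startswith("!")  # '!admin/cced' = everyone except these
    names = set(subjects.lstrip("!").split("/"))
    parsed = []
    for trig in triggers.split(","):
        m = re.fullmatch(r"(\d+)/(\d+)([smhd])", trig.strip())
        if not m:
            raise ValueError(f"bad trigger {trig!r}, expected e.g. 5/1h")
        parsed.append((int(m.group(1)), int(m.group(2)) * UNITS[m.group(3)]))
    return negate, names, parsed

def rule_applies(negate, names, subject):
    """'*' matches every host or user; a leading '!' inverts the list."""
    matched = "*" in names or subject in names
    return not matched if negate else matched

def should_block(rule, subject, failures, now):
    """True if any trigger's attempt count is reached within its window."""
    negate, names, triggers = parse_rule(rule)
    if not rule_applies(negate, names, subject):
        return False
    return any(
        sum(1 for t in failures if now - t <= timedelta(seconds=window)) >= attempts
        for attempts, window in triggers
    )

def demo():
    """Constructed data: 21 failures from one host over the last 20 minutes."""
    now = datetime(2012, 1, 16, 23, 0)
    fails = [now - timedelta(minutes=i) for i in range(21)]
    return {
        "host_21_fails": should_block("*:5/1h", "1.2.3.4", fails, now),     # True
        "host_4_fails": should_block("*:5/1h", "1.2.3.4", fails[:4], now),  # False
        "admin_exempt": should_block("!admin/cced:10/1h,50/1m", "admin", fails, now),  # False
        "cynthia": should_block("!admin/cced:10/1h,50/1m", "cynthia", fails, now),     # True
    }
```

With the `*:5/1h` host rule, the 21 recorded failures would exceed the threshold, so a "Not blocking" result in real pam_abl points at the rule not being consulted for that service rather than at the rule itself.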