[BlueOnyx:09407] More pam_abl questions....
Chad Bersche
chad at bersche.com
Tue Jan 17 00:37:31 -05 2012
So, I've come to the conclusion that pam_abl on its own won't do what I
want for blocking. Seems that I need to enlist the help of iptables to
really drop connection attempts that I don't want hitting my box. In my
mind, it's not simply good enough to "deny" access via pam_abl, as the
attacker is still wasting bandwidth and potentially tying up ports and
could deny services. So, I want the system to become deaf and dumb to
that IP address for a period of time.
From what I can tell with the pam_abl (8) man page at
http://pam-abl.deksai.com/docs/pam_abl.8.html, it appears that there's
support for a 'host_blk_cmd' and a 'host_clr_cmd' which would seem ideal
candidates for an iptables command to set up a drop rule for the ip
address and then subsequently clear the same rule later on when things
are cleared. I don't want to simply increase a block list, as there may
be legitimate users that would be trying to come from a certain IP that
could survive blockage for a period of hours, but not forever. I want
to have the system become unresponsive so that the attacker simply gives
up and moves on to something that WILL respond better (like other
systems running just pam_abl without any iptables integration :P )
However, I'm not sure that the version of pam_abl in BlueOnyx supports
the host_blk_cmd directive in the configuration file, since when I tried
it, pam_abl wouldn't start, complaining about that particular line in
the config file.
So, does the version support this, and if not, are there any
plans/possibilities that a newer version could be integrated so we can
make use of the new functionality, which seems so darn cool?
Thanks much!
-- Chad
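As an added example (not from the original post and not part of the pam_abl project), here is one way to wire host_blk_cmd / host_clr_cmd to iptables so that an address is dropped at the packet filter and later released. The script name pam_abl_fw.sh, the chain name PAM_ABL, and the assumption that pam_abl expands %h to the offending host are mine; the substitution syntax should be checked against the man page of the installed version. The script validates the host string before it touches iptables, because whatever pam_abl hands over ultimately came from a failed login attempt and runs with root privileges, and it keeps its rules in a dedicated chain so that clearing one entry cannot disturb the rest of the ruleset.

```shell
#!/bin/sh
# pam_abl_fw.sh - hypothetical helper for pam_abl's host_blk_cmd / host_clr_cmd.
# Usage: pam_abl_fw.sh block <ipv4>   |   pam_abl_fw.sh clear <ipv4>
# Assumed pam_abl.conf lines (%h = host, check your version's man page):
#   host_blk_cmd=/usr/local/sbin/pam_abl_fw.sh block %h
#   host_clr_cmd=/usr/local/sbin/pam_abl_fw.sh clear %h

IPTABLES="${IPTABLES:-iptables}"   # overridable for dry runs and tests
CHAIN="${CHAIN:-PAM_ABL}"          # own chain: our rules never mix with the rest

# Accept only a plain dotted-quad IPv4 address. The host string originates from
# the failed login and must not reach iptables (or a shell) unchecked.
valid_ipv4() {
    ip=$1
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    # Rebuilding the string catches too few or too many dots and empty octets.
    [ "$ip" = "$a.$b.$c.$d" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ""|*[!0-9]*) return 1 ;; esac
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Drop all traffic from $1. Creates the chain and hooks it from INPUT on first
# use; -C (iptables >= 1.4.11) makes repeated calls idempotent instead of
# stacking duplicate rules.
block_host() {
    valid_ipv4 "$1" || { echo "pam_abl_fw: refusing to block '$1'" >&2; return 2; }
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I INPUT -j "$CHAIN"
    "$IPTABLES" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null \
        || "$IPTABLES" -A "$CHAIN" -s "$1" -j DROP
}

# Remove every DROP rule for $1 from the chain (loop in case duplicates were
# ever inserted by hand), so a legitimate user behind that address gets back in.
clear_host() {
    valid_ipv4 "$1" || { echo "pam_abl_fw: refusing to clear '$1'" >&2; return 2; }
    while "$IPTABLES" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null; do
        "$IPTABLES" -D "$CHAIN" -s "$1" -j DROP
    done
}

case "${1:-}" in
    block) block_host "$2" ;;
    clear) clear_host "$2" ;;
    "")    : ;;   # no arguments: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 block|clear <ipv4>" >&2; exit 2 ;;
esac
```

Set IPTABLES=echo to see the exact rules the script would add or delete without changing the firewall. Because the block and clear commands are issued by whichever process is authenticating (sshd, ftpd, ...), the script must work under root and without a controlling terminal; keep it in a root-owned, non-writable directory. It deliberately does not touch the pam_abl database itself, so pam_abl's own deny decision and the packet-level drop can be reasoned about separately.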