[BlueOnyx:18385] 5209R: PAM_ABL fixed and reactivated

Michael Stauber mstauber at blueonyx.it
Thu Sep 24 19:29:47 -05 2015


Hi all,

As you might know: PAM_ABL was disabled on 5207R, 5208R and 5209R as
there were a lot of inherent problems with it.

I just managed to upgrade PAM_ABL to the latest version and activated it
for 5209R. The updates for that are in the BlueOnyx 5209R YUM repository
and get installed during the next YUM update.

Please note:

After the updates are installed, PAM_ABL might possibly not start
working right away until the next CCEd restart:

systemctl restart cced.init

Changes in PAM_ABL and base-console:
====================================

The output format of the command line tool "pam_abl" has changed
slightly and contains more info.

Run "pam_abl -h" to see the available options. As before "pam_abl -v"
lists all recorded events.

The config file /etc/security/pam_abl.conf has also changed. Among the
changes, it now allows you to specify IP address ranges that PAM_ABL will
never block. The GUI has been updated accordingly and these IP address
ranges can now be configured under "Server Management" / "Security" /
"Login Manager".

PAM_ABL can block hosts and users that repeatedly log in using incorrect
credentials. However: Blocking user accounts is a bad idea, as this
could be used in a denial of service attack. Like: Remote attacker runs
brute force against "admin" and then *you* wouldn't be able to log in
either, as PAM_ABL blocked "admin" entirely - for everyone.

So the blocking of accounts has been disabled by default and the GUI
will not allow you to configure that. Instead we just use the host blocking
feature, where we block offending IPs that failed to authenticate
correctly. Default: 30 failed logins from the same IP in one hour = banned.
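The host-blocking policy described above (30 failures from one IP within an hour, whitelisted ranges that are never blocked, and blocking keyed on hosts rather than on accounts so a brute-force run against "admin" cannot lock the real admin out), worked through as an added Python example. This is not BlueOnyx or pam_abl code: the HostBlocker class, the whitelist ranges and the sample failure events are constructed here purely for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


class HostBlocker:
    """Host-only lockout modelled on the policy in the post.

    Failed logins are counted per source IP inside a sliding window and
    the IP is banned once the threshold is reached. User names are
    deliberately never used as a blocking key, so an attacker hammering
    "admin" cannot deny the legitimate admin access.
    """

    def __init__(self, threshold=30, window=timedelta(hours=1), whitelist=()):
        self.threshold = threshold
        self.window = window
        self.whitelist = [ip_network(n) for n in whitelist]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> time the block was applied

    def is_whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def record_failure(self, ip, when):
        """Register one failed login; return True if the IP is (now) blocked."""
        if self.is_whitelisted(ip):
            return False
        if ip in self.blocked:
            return True
        q = self.failures[ip]
        q.append(when)
        # Drop failures that have aged out of the sliding window.
        while q and when - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = when
            return True
        return False

    def is_blocked(self, ip):
        return ip in self.blocked

    def purge(self):
        """Equivalent of the daily wipe: forget every counter and block."""
        self.failures.clear()
        self.blocked.clear()


# Constructed sample events (not real logs): (minutes after T0, source IP, user).
T0 = datetime(2015, 9, 24, 12, 0, 0)
EVENTS = (
    # 30 failures against "admin" from one host within 15 minutes -> host banned
    [(i * 0.5, "198.51.100.7", "admin") for i in range(30)]
    # 40 failures from an assumed whitelisted office range -> never banned
    + [(i, "203.0.113.5", "admin") for i in range(40)]
    # one failure every 3 minutes for 3 hours: never 30 inside one hour -> not banned
    + [(i * 3, "192.0.2.9", "root") for i in range(60)]
)


def run_demo(events=EVENTS):
    """Feed the events through the blocker and return its decisions."""
    # Assumed whitelist (loopback plus an office range), not taken from the post.
    blocker = HostBlocker(whitelist=["127.0.0.0/8", "203.0.113.0/24"])
    for minutes, ip, user in sorted(events):
        blocker.record_failure(ip, T0 + timedelta(minutes=minutes))
    decisions = {ip: blocker.is_blocked(ip)
                 for ip in ("198.51.100.7", "203.0.113.5", "192.0.2.9")}
    # The daily purge clears the ban as well as the counters.
    blocker.purge()
    decisions["198.51.100.7_after_purge"] = blocker.is_blocked("198.51.100.7")
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

Note that the brute-force host is banned while "admin" itself stays usable from every other address, which is exactly the difference between host blocking and the account blocking the post disables; the purge at the end mirrors the daily database wipe, so a banned host gets a clean slate after the cronjob runs.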

By default we also wipe the PAM_ABL database squeaky clean every day,
because based on prior experience it will get corrupted eventually.
Which is bad. So every restart of the service "pam_abl" or the daily
cronjob will delete the entire PAM_ABL database so that it can start fresh.

I'll be backporting this to 5207R/5208R as soon as possible. In the
meantime I'd appreciate it if 5209R users could take a look and report back
any problems that they encounter after updating to the working PAM_ABL
support.

-- 
With best regards

Michael Stauber
