[BlueOnyx:25694] Re: PAM_ABL & Firewalls
Michael Stauber
mstauber at blueonyx.it
Fri Nov 11 16:45:27 -05 2022
Hi Ed,
> Does this mean the "failed logins per minute" limit isn't working? The
> server doesn't need to be rebooted after changing that failed-login
> limit, does it?
There are separate independent mechanisms at work here. BlueOnyx itself
comes with something called PAM_ABL. You see that in the GUI under
"Security" / "Failed Logins".
PAM_ABL is an extra mechanism in the PAM authentication mechanism that
all network facing services use. If someone exceeds their allowed number
of failed logins, PAM_ABL does not create any firewall rules. Instead it
will simply reject any future login attempt from that IP during the
ban-time with "login incorrect", even if they finally guess the right
username and password.
PAM_ABL works autonomously and on its own and it works quite well. If
the limit is set to 30 failed logins in an hour (for example), then
after exhausting those 30 attempts the offender was denied proper
authentication when he continued trying. That's why you might see a high
number of failed attempts from individual IPs, because they kept banging
their heads against a door that was already locked for them and the key
thrown away.
Then there are additional PKGs from the shop like APF and the GUI for
Firewalld, which allow you to manage firewall rules. Fail2ban will also
independently from PAM_ABL detect brute force logins and will create
firewall rules to block offenders. However, these blocks aren't shown
under "Failed Logins" in the GUI, as both mechanisms are entirely separate.
--
With best regards
Michael Stauber
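As an added example (not from Michael's message, and not BlueOnyx's or pam_abl's own code), a small Python model of the behaviour described above: a per-IP failed-login counter that, once the limit is reached inside the window, answers "login incorrect" even to a correct password, and keeps counting the extra attempts, which is why the GUI can show far more than 30 failures for one address. The exact window semantics and the 203.0.113.5 address are assumptions for illustration.

```python
from collections import defaultdict, deque


class FailedLoginGuard:
    """Toy model of a PAM_ABL-style per-IP limit (an assumption for
    illustration, not pam_abl's real implementation). An IP is banned
    while it has at least `limit` recorded failures inside the last
    `window` seconds; while banned, every attempt is answered with
    'login incorrect', even a correct one, and that rejected attempt
    is recorded as one more failure (the 'banging on a locked door')."""

    def __init__(self, limit=30, window=3600):
        self.limit = limit
        self.window = window
        self.failures = defaultdict(deque)    # ip -> failure timestamps still in window
        self.total_failed = defaultdict(int)  # ip -> lifetime count, what "Failed Logins" shows

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_banned(self, ip, now):
        self._prune(ip, now)
        return len(self.failures[ip]) >= self.limit

    def attempt(self, ip, password_ok, now):
        """Answer one login attempt the way the PAM stack would."""
        if self.is_banned(ip, now) or not password_ok:
            self.failures[ip].append(now)
            self.total_failed[ip] += 1
            return "login incorrect"
        return "ok"


def demo():
    """Constructed sequence with a 3-failure limit in a 60 s window."""
    g = FailedLoginGuard(limit=3, window=60)
    ip = "203.0.113.5"  # constructed documentation address
    results = [g.attempt(ip, False, 0), g.attempt(ip, False, 1),
               g.attempt(ip, True, 2),    # still under the limit -> ok
               g.attempt(ip, False, 3),   # third failure fills the window
               g.attempt(ip, True, 4),    # right password, door already locked
               g.attempt(ip, True, 65)]   # failures aged out of the window -> ok
    return results, g.total_failed[ip]


if __name__ == "__main__":
    print(demo())
```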