[BlueOnyx:09654] Re: More pam_abl questions....

Chad Bersche chad at bersche.com
Tue Feb 21 19:15:36 -05 2012


Michael:

My apologies for missing this earlier, and thanks to Matt for 
referencing it so I could dredge it up!

I certainly look forward with much anticipation to the new pam_abl 
functionality, and very much appreciate all the effort given to keep 
BlueOnyx running and up to date!  Is the plan to make this something 
that could simply be updated, rather than having to do a new install, 
etc?  I have yet to go the way of fail2ban, as I've not seen the need on 
my particular server to go to that extreme just yet, and knowing that a 
better mousetrap is around the corner will keep me from mucking with 
things for a while longer.

I certainly think that the combination of pam_abl and the firewall to 
deny connections after an initial detection would go a long way to help 
prevent DOS activity as well.  It's a good deterrent when something that 
was answering the phone, no longer does, as people then tend to move on 
to other easier targets, rather than just pounding away trying to brute 
force a password which pam_abl has no intention of letting you get thru, 
but the bandwidth still comes your way, ports consumed, etc.

Thanks again for looking into this, and I look forward greatly to the 
new and improved components!

   -- Chad


On 1/31/2012 8:16 AM, Michael Stauber wrote:
> Hi Chad,
>
>> I guess I shall explore the options to add on since I can't easily
>> implement what I'd really like to do with the version of pam_abl that's
>> there.
> I looked at PAM_ABL again (it has been a while since I implemented it). We're
> using 0.2.3 in BlueOnyx, whereas 0.4.2 seems to be the most recent one.
>
> I checked if 0.4.2 could be added as a simple "drop-in" upgrade by just
> rotating the updated sources into our code tree (and by updating the config
> after the build). But it's sadly not as easy as that. The build process is a
> bit more complicated now and we need a mightily complicated new Makefile to
> build CCE with either a 32-bit or 64-bit PAM_ABL implementation. After all, we
> use the same sources for 5106R, 5107R and 5108R.
>
> I like the new functionality that the newer PAM_ABL provides and some of the
> bugfixes are also quite yummy. I'll look into upgrading PAM_ABL to the latest
> version sometime next month.
>


