[BlueOnyx:09655] Re: More pam_abl questions....

SB9-PageKeeper Service ml at sb9.com
Tue Feb 21 22:50:42 -05 2012



> Michael:
>
> My apologies for missing this earlier, and thanks to Matt for
> referencing it so I could dredge it up!
>
> I certainly look forward with much anticipation to the new pam_abl
> functionality, and very much appreciate all the effort given to keep
> BlueOnyx running and up to date!  Is the plan to make this something
> that could simply be updated, rather than having to do a new install,
> etc?  I have yet to go the way of fail2ban, as I've not seen the need on
> my particular server to go to that extreme just yet, and knowing that a
> better mousetrap is around the corner will keep me from mucking with
> things for a while longer.
>
> I certainly think that the combination of pam_abl and the firewall to
> deny connections after an initial detection would go a long way to help
> prevent DOS activity as well.  It's a good deterrent when something that
> was answering the phone, no longer does, as people then tend to move on
> to other easier targets, rather than just pounding away trying to brute
> force a password which pam_abl has no intention of letting you get thru,
> but the bandwidth still comes your way, ports consumed, etc.
>
> Thanks again for looking into this, and I look forward greatly to the
> new and improved components!
>
>   -- Chad
>
>
> On 1/31/2012 8:16 AM, Michael Stauber wrote:
>> Hi Chad,
>>
>>> I guess I shall explore the options to add on since I can't easily
>>> implement what I'd really like to do with the version of pam_abl that's
>>> there.
>> I looked at PAM_ABL again (it has been a while since I implemented it).
>> We're using 0.2.3 in BlueOnyx, whereas 0.4.2 seems to be the most recent one.
>>
>> I checked if 0.4.2 could be added as a simple "drop-in" upgrade by just
>> rotating the updated sources into our code tree (and by updating the config
>> after the build). But it's sadly not as easy as that. The build process is a
>> bit more complicated now and we need a mightily complicated new Makefile to
>> build CCE with either a 32-bit or 64-bit PAM_ABL implementation. After all, we
>> use the same sources for 5106R, 5107R and 5108R.
>>
>> I like the new functionality that the newer PAM_ABL provides and some of the
>> bugfixes are also quite yummy. I'll look into upgrading PAM_ABL to the latest
>> version sometime next month.
>>

On that note.. I see lots of these..
Looks like once a connection is made nothing stops these attacks.
Below is a snippet of ftp... mod_ban had no effect..
Feb 20 03:32:30 fs proftpd[1682]: 209.144.20.93 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:30 fs proftpd[1679]: 209.144.20.94 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1685]: 209.144.20.91 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1688]: 209.144.20.86 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1703]: 209.144.20.93 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1691]: 209.144.20.89 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1704]: 209.144.20.94 (209.190.30.90[209.190.30.90]) - mod_ban/0.5.5: Login denied: host '209.190.30.90' banned
Feb 20 03:32:31 fs proftpd[1704]: 209.144.20.94 (209.190.30.90[209.190.30.90]) - mod_ban.c: error initializing session: Permission denied
Feb 20 03:32:31 fs proftpd[1704]: 209.144.20.94 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1694]: 209.144.20.92 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1709]: 209.144.20.91 (209.190.30.90[209.190.30.90]) - FTP session opened.
Feb 20 03:32:31 fs proftpd[1697]: 209.144.20.87 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:32 fs proftpd[1809]: notice: unable to listen to local socket: Operation not permitted
This goes on for about 5 minutes more without stopping anything... any ideas? I looked at the bundle at compass network but I'm not sure that will work to stop the attack.. once connected, how do you stop the attack until they disconnect?
This is on a 5106R. Is dropping the packet the only way? Will the pam_abl module have any effect?

TIA
David Hahn
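The log above shows mod_ban refusing the login while the remote host keeps opening new control connections, which is why a ban inside proftpd alone does not reduce the load. The following added example (not from the post, BlueOnyx, or proftpd) parses that exact proftpd syslog format, counts session records per remote address in a sliding time window, and produces the iptables DROP rule that refuses further connections at the packet level; the window, threshold, port 21 and year 2012 are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# proftpd syslog format from the post: "<ts> <host> proftpd[<pid>]: <local> (<rhost>[<raddr>]) - <msg>"
LOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: "
                    r"\S+ \([^\[]*\[(?P<raddr>[^\]]+)\]\) - (?P<msg>.*)$")

# Lines copied from the post (the mail client wrapped them; each is one syslog line).
SAMPLE_LOG = """\
Feb 20 03:32:30 fs proftpd[1682]: 209.144.20.93 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:30 fs proftpd[1679]: 209.144.20.94 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1685]: 209.144.20.91 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1688]: 209.144.20.86 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1704]: 209.144.20.94 (209.190.30.90[209.190.30.90]) - mod_ban/0.5.5: Login denied: host '209.190.30.90' banned
Feb 20 03:32:31 fs proftpd[1704]: 209.144.20.94 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:31 fs proftpd[1709]: 209.144.20.91 (209.190.30.90[209.190.30.90]) - FTP session opened.
Feb 20 03:32:31 fs proftpd[1697]: 209.144.20.87 (209.190.30.90[209.190.30.90]) - FTP session closed.
Feb 20 03:32:32 fs proftpd[1809]: notice: unable to listen to local socket: Operation not permitted
"""

def parse_line(line, year=2012):
    """Return (timestamp, remote address, message), or None for lines without a session prefix."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year), m["raddr"], m["msg"]

def hammering_hosts(log_text, window=timedelta(seconds=60), threshold=5):
    """Map each remote address to the most 'FTP session closed' records it produced inside any
    sliding window; only addresses reaching the threshold are returned (assumed defaults)."""
    closes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2].startswith("FTP session closed"):
            closes[rec[1]].append(rec[0])
    flagged = {}
    for addr, stamps in closes.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):      # two-pointer sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[addr] = peak
    return flagged

def drop_rule(addr):
    """iptables command that refuses further FTP control connections from addr (assumed port 21)."""
    return f"iptables -I INPUT -s {addr} -p tcp --dport 21 -j DROP"
```

Run `hammering_hosts(SAMPLE_LOG)` on the sample and it flags 209.190.30.90 with six closed sessions inside one second; feeding the flagged addresses to `drop_rule` is the "drop the packet" approach the post asks about, which stops the connection before proftpd has to fork a session for it.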