[BlueOnyx:25382] Re: 5209R: PAM_ABL fixed and reactivated

Gerrit Haas Gerrit.Haas at blackpoint.de
Thu Apr 21 08:17:58 -05 2022


Hi,

Digging up this old message...
Is there a way to drop an IP address onto the never-block list through the cced client (or a shell script)?
Our monitoring system is getting eaten more and more often. 😉

Thank you and best regards
Gerrit 
Best regards from Bad Vilbel

Gerrit Haas
System administrator

blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel

Tel.: +49 6101 65788 32
IT support: +49 6101 65788 - 30
Fax: +49 6101 65788 - 99
E-mail: Gerrit.Haas at blackpoint.de
On-call phone (outside business hours): +49 6101 65788 - 40

Authorised representatives: Dirk Estenfeld and Mario Di Rienzo, HRB 50093 Frankfurt am Main, VAT ID de210106871

Visit us on the web at www.blackpoint.de
Hassle-free domain registration: www.edns.de
Simple and affordable backups: Veeam Cloud Connect

Confidentiality Notice:
This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
-----Original Message-----
From: blueonyx-bounces at mail.blueonyx.it <blueonyx-bounces at mail.blueonyx.it> On behalf of Michael Stauber
Sent: Friday, 25 September 2015 02:30
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:18385] 5209R: PAM_ABL fixed and reactivated

Hi all,

As you might know: PAM_ABL was disabled on 5207R, 5208R and 5209R as there were a lot of inherent problems with it.

I just managed to upgrade PAM_ABL to the latest version and activated it for 5209R. The updates for that are in the BlueOnyx 5209R YUM repository and get installed during the next YUM update.

Please note:

After the updates are installed, PAM_ABL might possibly not start working right away until the next CCEd restart:

systemctl restart cced.init

Changes in PAM_ABL and base-console:
====================================

The output format of the command line tool "pam_abl" has changed slightly and contains more info.

Run "pam_abl -h" to see the available options. As before, "pam_abl -v" lists all recorded events.

The config file /etc/security/pam_abl.conf has also changed. Among the changes, it now allows you to specify IP address ranges that PAM_ABL will never block. The GUI has been updated accordingly and these IP address ranges can now be configured under "Server Management" / "Security" / "Login Manager".

PAM_ABL can block hosts and users that repeatedly log in using incorrect credentials. However: blocking user accounts is a bad idea, as this could be used in a denial of service attack. Like: a remote attacker runs brute force against "admin" and then *you* wouldn't be able to log in either, as PAM_ABL blocked "admin" entirely - for everyone.

So the blocking of accounts has been disabled by default and the GUI will not allow you to configure that. Instead we just use the host blocking feature, where we block offending IPs that failed to authenticate correctly. Default: 30 failed logins from the same IP in one hour = banned.

By default we also wipe the PAM_ABL database squeaky clean every day, because based on prior experience it will get corrupted eventually. Which is bad. So every restart of the service "pam_abl" or the daily cronjob will delete the entire PAM_ABL database so that it can start fresh.

I'll be backporting this to 5207R/5208R as soon as possible. In the meantime I'd appreciate if 5209R users could take a look and report back any problems that they encounter after updating to the working PAM_ABL support.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
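The policy Michael describes above (host blocking at 30 failures per hour, no account blocking, a never-block list), written out as a pam_abl.conf. This is an added example, not the file BlueOnyx ships and not part of either post. It uses the key names of pam_abl 0.6.x as I know them (host_db, user_db, host_purge, host_rule, host_whitelist); the database paths and the whitelisted addresses are assumptions, so compare it with the pam_abl.conf on your own system before relying on it:

```ini
# /etc/security/pam_abl.conf  (example; paths and networks are assumed)

# Where pam_abl keeps its Berkeley DB files. BlueOnyx wipes these daily
# because the database has a history of corrupting itself.
host_db=/var/lib/abl/hosts.db
user_db=/var/lib/abl/users.db

# Forget a host's failure history after two days of no activity.
host_purge=2d

# Block any remote host ("*") after 30 failed logins within one hour.
# This is the default quoted in the post: "30/1h" = 30 failures per 1 hour.
host_rule=*:30/1h

# Never block these sources, no matter how many failures they produce:
# loopback, the monitoring network and one admin workstation (all assumed
# values). Entries are separated by ";" and may be single IPs or CIDR ranges.
host_whitelist=127.0.0.1;192.0.2.0/24;198.51.100.7

# Deliberately NO user_rule: with no user rule pam_abl never locks a user
# name, so a brute-force run against "admin" can only get the attacker's
# own address banned, not lock "admin" out for everyone.
```

Leaving user_rule out is what keeps account blocking off; the user database is still declared so the module starts cleanly. On BlueOnyx the "Login Manager" page writes this file through CCEd (an assumption on my part, based on the GUI exposing the never-block ranges), so a hand edit is likely to be overwritten the next time the page is saved; treat the file as owned by the GUI and make changes there.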

