[BlueOnyx:25383] Re: 5209R: PAM_ABL fixed and reactivated

Larry Smith lesmith at ecsis.net
Thu Apr 21 08:29:24 -05 2022


Gerrit,

  The primary config file is saved in /etc/security/pam_abl.conf
and the parameter host_whitelist=127.0.0.1/32; is the one used
to whitelist IP addresses.

 You should be able to script something to add your monitor IP
to this parameter and then run pam_abl -u to tell it to update
itself.

-- 
Larry Smith
lesmith at ecsis.net

On Thu April 21 2022 08:17, Gerrit Haas wrote:
> Hi,
>
> digging up this old message....
> Is there a way to drop an IP address to the never-block list through cced
> client (or a shell script) ? Our monitoring system is getting eaten more
> and more often. 😉
>
> Thank you and best regards
> Gerrit
>
> With kind regards from Bad Vilbel
>
> Gerrit Haas
> System administrator
>
>
> blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel
>
> Tel.: +49 6101 65788 32
> IT-Support: +49 6101 65788 - 30
> Fax: +49 6101 65788 - 99
> eMail: Gerrit.Haas at blackpoint.de On-call phone (outside
> working hours) +49 6101 65788 - 40
>
> Authorized representatives: Dirk Estenfeld and Mario Di Rienzo HRB 50093
> Frankfurt am Main VAT ID de210106871
>
> Visit us on the web at www.blackpoint.de
> Register domains with ease: www.edns.de
> Back up data simply and affordably: Veeam Cloud Connect
>
>
> Confidentiality Notice:
> This e-mail message, including any attachments, is for the sole use of the
> intended recipient(s) and may contain confidential and privileged
> information. Any unauthorized review, use, disclosure or distribution is
> prohibited. If you are not the intended recipient, please contact the
> sender by reply e-mail and destroy all copies of the original message.
> -----Original Message-----
> From: blueonyx-bounces at mail.blueonyx.it <blueonyx-bounces at mail.blueonyx.it>
> On behalf of Michael Stauber Sent: Friday, 25 September 2015 02:30
> To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
> Subject: [BlueOnyx:18385] 5209R: PAM_ABL fixed and reactivated
>
> Hi all,
>
> As you might know: PAM_ABL was disabled on 5207R, 5208R and 5209R as there
> were a lot of inherent problems with it.
>
> I just managed to upgrade PAM_ABL to the latest version and activated it
> for 5209R. The updates for that are in the BlueOnyx 5209R YUM repository
> and get installed during the next YUM update.
>
> Please note:
>
> After the updates are installed, PAM_ABL might possibly not start working
> right away until the next CCEd restart:
>
> systemctl restart cced.init
>
> Changes in PAM_ABL and base-console:
> ====================================
>
> The output format of the command line tool "pam_abl" has changed slightly
> and contains more info.
>
> Run "pam_abl -h" to see the available options. As before "pam_abl -v"
> lists all recorded events.
>
> The config file /etc/security/pam_abl.conf has also changed. Among the
> changes it now allows to specify IP address ranges that PAM_ABL will never
> block. The GUI has been updated accordingly and these IP address ranges can
> now be configured under "Server Management" / "Security" / "Login Manager".
>
> PAM_ABL can block hosts and users that repeatedly login using incorrect
> credentials. However: Blocking user accounts is a bad idea, as this could
> be used in a denial of service attack. Like: Remote attacker runs brute
> force against "admin" and then *you* wouldn't be able to login either, as
> PAM_ABL blocked "admin" entirely - for everyone.
>
> So the blocking of accounts has been disabled by default and the GUI will
> not allow to configure that. Instead we just use the host blocking feature,
> where we block offending IPs that failed to authenticate correctly.
> Default: 30 failed logins from the same IP in one hour = banned.
>
> By default we also wipe the PAM_ABL database squeaky clean every day,
> because based on prior experience it will get corrupted eventually. Which
> is bad. So every restart of the service "pam_abl" or the daily cronjob will
> delete the entire PAM_ABL database so that it can start fresh.
>
> I'll be backporting this to 5207R/5208R as soon as possible. In the
> meantime I'd appreciate if 5209R users could take a look and report back
> any problems that they encounter after updating to the working PAM_ABL
> support.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
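
The scripted whitelist update suggested in the reply above, as an added example that is not part of the original thread and is not BlueOnyx code. The function names, the /24 minimum prefix and the sample address 192.0.2.10 are assumptions of this example; the file path, the `host_whitelist=` parameter and `pam_abl -u` are taken from the messages.

```sh
#!/bin/sh
# Added example, not BlueOnyx code. Assumes the single-line
# "host_whitelist=a.b.c.d/nn;" format quoted in the thread.

# Return 0 if $1 is a well-formed IPv4 CIDR with prefix /24../32.
# The /24 floor is this example's own policy: wider ranges would
# exempt too many hosts from brute-force blocking.
abl_valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/(2[4-9]|3[0-2])$' || return 1
    ip=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $ip            # split the address into octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append CIDR $2 to host_whitelist in config file $1.
# Returns 0 = added, 1 = bad input or no host_whitelist line, 2 = already listed.
abl_whitelist_add() {
    conf=$1; cidr=$2
    abl_valid_cidr "$cidr" || return 1
    grep -q '^host_whitelist=' "$conf" || return 1
    # Compare whole entries so 10.1.1.1/32 does not match 110.1.1.1/32.
    if grep '^host_whitelist=' "$conf" | cut -d= -f2- |
        tr -d ' \t' | tr ';' '\n' | grep -Fxq "$cidr"; then
        return 2
    fi
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Drop trailing ';' and blanks, then append the entry and terminator.
    awk -v add="$cidr" '
        /^host_whitelist=/ {
            sub(/;*[ \t]*$/, "")
            sep = ($0 ~ /=$/) ? "" : ";"
            $0 = $0 sep add ";"
        }
        { print }' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep the original file mode, then replace the file atomically.
    chmod --reference="$conf" "$tmp" 2>/dev/null || chmod 644 "$tmp"
    mv "$tmp" "$conf"
}

# Usage as root (192.0.2.10 is a constructed monitoring address):
#   abl_whitelist_add /etc/security/pam_abl.conf 192.0.2.10/32 && pam_abl -u
```

The thread does not say whether a later save on the GUI's "Login Manager" page rewrites this file, so re-check the entry after changing settings there.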



