[BlueOnyx:25398] Re: 5209R: PAM_ABL fixed and reactivated

Gerrit Haas Gerrit.Haas at blackpoint.de
Wed Apr 27 04:59:04 -05 2022


Hi Larry,
thank you for your answer.

Yeah this is an approach that would work in the short-term.
If you edit this file and alter settings from GUI, your changes will be overwritten, since the according information is stored in the cced database. 
So I need a way to inject this in the cced. 

Log shows 
-add-
client 223:[49:6428]: SET  33 "update_config" "=" "1651053290" "host_rule" "=" "*:30/1h" "host_whitelist" "=" "&127.0.0.1/32&1.1.1.1/32&" "force_update" "=" "1651053290"

-remove-
client 223:[49:6475]: SET  33 "update_config" "=" "1651053302" "host_rule" "=" "*:30/1h" "host_whitelist" "=" "&127.0.0.1/32&" "force_update" "=" "1651053302"


Thanks for any hints. 

Best regards
Gerrit

Kind regards from Bad Vilbel

Gerrit Haas
System administrator

blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel

Tel.: +49 6101 65788 32
IT-Support: +49 6101 65788 - 30
Fax: +49 6101 65788 - 99
Email: Gerrit.Haas at blackpoint.de On-call phone (outside working hours): +49 6101 65788 - 40

Authorized representatives: Dirk Estenfeld and Mario Di Rienzo HRB 50093 Frankfurt am Main VAT ID de210106871

Visit us online at www.blackpoint.de
Register domains without hassle: www.edns.de
Back up data simply and affordably: Veeam Cloud Connect


-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On behalf of Larry Smith
Sent: Thursday, 21 April 2022 15:29
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Subject: [BlueOnyx:25383] Re: 5209R: PAM_ABL fixed and reactivated

Gerrit,

  The primary config file is saved in /etc/security/pam_abl.conf and the parameter host_whitelist=127.0.0.1/32; is the one used to whitelist IP addresses.

 You should be able to script something to add your monitor IP to this parameter and then run pam_abl -u to tell it to update itself.

--
Larry Smith
lesmith at ecsis.net

On Thu April 21 2022 08:17, Gerrit Haas wrote:
> Hi,
>
> digging up this old message....
> Is there a way to drop an IP address to the never-block list through 
> cced client (or a shell script) ? Our monitoring system is getting 
> eaten more and more often. 😉
>
> Thank you and best regards
> Gerrit
>
> -----Original Message-----
> From: blueonyx-bounces at mail.blueonyx.it
> <blueonyx-bounces at mail.blueonyx.it>
> On behalf of Michael Stauber
> Sent: Friday, 25 September 2015 02:30
> To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
> Subject: [BlueOnyx:18385] 5209R: PAM_ABL fixed and reactivated
>
> Hi all,
>
> As you might know: PAM_ABL was disabled on 5207R, 5208R and 5209R as 
> there were a lot of inherent problems with it.
>
> I just managed to upgrade PAM_ABL to the latest version and activated 
> it for 5209R. The updates for that are in the BlueOnyx 5209R YUM 
> repository and get installed during the next YUM update.
>
> Please note:
>
> After the updates are installed, PAM_ABL might possibly not start 
> working right away until the next CCEd restart:
>
> systemctl restart cced.init
>
> Changes in PAM_ABL and base-console:
> ====================================
>
> The output format of the command line tool "pam_abl" has changed 
> slightly and contains more info.
>
> Run "pam_abl -h" to see the available options. As before "pam_abl -v"
> lists all recorded events.
>
> The config file /etc/security/pam_abl.conf has also changed. Among the 
> changes it now allows to specify IP address ranges that PAM_ABL will 
> never block. The GUI has been updated accordingly and these IP address 
> ranges can now be configured under "Server Management" / "Security" / "Login Manager".
>
> PAM_ABL can block hosts and users that repeatedly login using 
> incorrect credentials. However: Blocking user accounts is a bad idea, 
> as this could be used in a denial of service attack. Like: Remote 
> attacker runs brute force against "admin" and then *you* wouldn't be 
> able to login either, as PAM_ABL blocked "admin" entirely - for everyone.
>
> So the blocking of accounts has been disabled by default and the GUI 
> will not allow to configure that. Instead we just use the host 
> blocking feature, where we block offending IPs that failed to authenticate correctly.
> Default: 30 failed logins from the same IP in one hour = banned.
>
> By default we also wipe the PAM_ABL database squeaky clean every day, 
> because based on prior experience it will get corrupted eventually. 
> Which is bad. So every restart of the service "pam_abl" or the daily 
> cronjob will delete the entire PAM_ABL database so that it can start fresh.
>
> I'll be backporting this to 5207R/5208R as soon as possible. In the 
> meantime I'd appreciate if 5209R users could take a look and report 
> back any problems that they encounter after updating to the working 
> PAM_ABL support.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
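
The scripted whitelist edit suggested in Larry's reply, as an added example (not code from the thread or from BlueOnyx). It assumes the semicolon-separated `host_whitelist=` form quoted in the thread; the function names are hypothetical. As Gerrit's reply notes, saving settings from the GUI rewrites the file from CCEd, so an entry added this way lasts only until then.

```shell
#!/bin/sh
# Added example: add an IPv4 CIDR to host_whitelist in a pam_abl.conf-style file.
# Assumes the semicolon-separated "host_whitelist=a;b;" form quoted in the thread.

# is_cidr4 ADDR: succeed only for a.b.c.d/len, octets 0-255, len 0-32.
is_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip                      # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# whitelist_add CONF CIDR (hypothetical helper)
# Returns 0 if the entry was added or already present, 1 for a malformed
# CIDR, 2 if CONF has no host_whitelist line, 3 if the rewrite failed.
whitelist_add() {
    conf=$1; cidr=$2
    is_cidr4 "$cidr" || { echo "rejected '$cidr': not an IPv4 CIDR" >&2; return 1; }
    line=$(grep -E '^[[:space:]]*host_whitelist[[:space:]]*=' "$conf" | tail -n 1)
    [ -n "$line" ] || return 2
    current=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
    case ";$current;" in
        *";$cidr;"*) return 0 ;;    # already whitelisted, leave file untouched
    esac
    new=${current%;}
    new="${new:+$new;}$cidr;"
    tmp=$(mktemp) || return 3
    # Keep a backup, then rewrite in place so owner and mode are preserved.
    if awk -v v="$new" '
            /^[[:space:]]*host_whitelist[[:space:]]*=/ { print "host_whitelist=" v; next }
            { print }' "$conf" > "$tmp" &&
       cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 3
}
# After a successful change the thread's advice is to run: pam_abl -u
```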
