It is Automatic Black-List with PAM module, which can help you to protect SSH server.
I have Centos 5.5 linux server on Butstnet.
From log file, I saw a lot of fail login on my SSH server every day.
To save the resource and block them, I google and got the idea to install PAM-abl to stop them.
I just noted here for my experience.
1) install pam devel package

yum install pam-devel

2) Download PAM-abl v 0.4.1 from the sourceforge

wget http://sourceforge.net/projects/pam-abl/files/pam-abl/0.4.1/pam-abl-0.4.1.tar.bz2/download

3) Untar it

tar xjvf pam-abl-0.4.1.tar.bz2

4) Compile

cd pam-abl-0.4.1
./configure
make
make check
make install

5) Enable it
Make sure you have the following line in your /etc/ssh/sshd_config configuration file.

UsePAM


Next, add a line like the following in the file /etc/pam.d/sshd before the existing auth lines:

auth   required   /usr/local/lib/security/pam_abl.so config=/etc/security/pam_abl.conf

Edit /etc/security/pam_abl.conf file:

# Black-list any remote host with 10 consecutive authentication failures
# in one hour, or 30 in one day.  Keep them in the black-list for two days
# and then purge them.
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
# Black-list any local user other than root for which there are 10
# consecutive authentication failures in one hour, or 30 in one day.
# Keep them in the black-list for two days and then purge them.
# Note that this means that non-root users may be subjected to denial of
# service attacks caused by remote password guessing.
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d

Then, make sure you have the folder /var/lib/abl/, otherwise the file hosts.db can not be created.
Partial content of this post is based on this link.

David Yin

David is a blogger, geek, and web developer — founder of FreeInOutBoard.com. If you like his post, you can say thank you here

Leave a Reply

Your email address will not be published. Required fields are marked *