PAM-abl is an automatic blacklist PAM module that can help you protect an SSH server.
I have a CentOS 5.5 Linux server on Butstnet.
From the log file, I saw a lot of failed logins on my SSH server every day.
To save resources and block them, I googled and got the idea to install PAM-abl to stop them.
I am just noting my experience here.
1) Install the pam-devel package
yum install pam-devel
2) Download PAM-abl v0.4.1 from SourceForge
wget -O pam-abl-0.4.1.tar.bz2 http://sourceforge.net/projects/pam-abl/files/pam-abl/0.4.1/pam-abl-0.4.1.tar.bz2/download
3) Untar it
tar xjvf pam-abl-0.4.1.tar.bz2
4) Compile
cd pam-abl-0.4.1
./configure
make
make check
make install
5) Enable it
Make sure you have the following line in your /etc/ssh/sshd_config configuration file.
UsePAM yes
Next, add a line like the following in the file /etc/pam.d/sshd before the existing auth lines:
auth required /usr/local/lib/security/pam_abl.so config=/etc/security/pam_abl.conf
Edit the /etc/security/pam_abl.conf file:
# Black-list any remote host with 10 consecutive authentication failures
# in one hour, or 30 in one day. Keep them in the black-list for two days
# and then purge them.
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
# Black-list any local user other than root for which there are 10
# consecutive authentication failures in one hour, or 30 in one day.
# Keep them in the black-list for two days and then purge them.
# Note that this means that non-root users may be subjected to denial of
# service attacks caused by remote password guessing.
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d
Then make sure the folder /var/lib/abl/ exists; otherwise the file hosts.db cannot be created.
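How the host_rule and user_rule values in that configuration are read, as an added example (not code from pam_abl or from the original post). It assumes a trigger fires once at least `count` failures fall inside the period and that a bare number is seconds, ignores the optional per-service part of a rule, and uses constructed timestamps with a documentation IP address.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_period(text):
    """'1h' -> 3600, '2d' -> 172800; a bare number is assumed to be seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text)
    if not m:
        raise ValueError(f"bad period: {text!r}")
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def parse_rule(rule):
    """Split a clause such as '!root:10/1h,30/1d' into (negated, names, triggers)."""
    spec, sep, triglist = rule.partition(":")
    if not sep:
        raise ValueError(f"rule has no ':' separator: {rule!r}")
    negated = spec.startswith("!")
    names = spec.lstrip("!").split("|")
    triggers = []
    for trig in triglist.split(","):
        count, _, period = trig.partition("/")
        triggers.append((int(count), parse_period(period)))
    return negated, names, triggers

def fired_trigger(rule, name, failures, now):
    """Return the first (count, seconds) trigger met by the failure times, else None."""
    negated, names, triggers = parse_rule(rule)
    matched = "*" in names or name in names
    if matched == negated:          # rule does not cover this host/user
        return None
    for count, period in triggers:
        recent = [t for t in failures if 0 <= now - t < period]
        if len(recent) >= count:    # assumption: "count or more" inside the period
            return (count, period)
    return None

HOST_RULE = "*:10/1h,30/1d"       # values from the pam_abl.conf shown in this post
USER_RULE = "!root:10/1h,30/1d"

# Constructed sample data: failure times as seconds on an arbitrary clock.
NOW = 200_000
BURST = [NOW - 60 * i for i in range(1, 11)]     # 10 failures within 10 minutes
SLOW = [NOW - 2700 * i for i in range(1, 31)]    # 30 failures, one every 45 minutes

if __name__ == "__main__":
    print(fired_trigger(HOST_RULE, "203.0.113.7", BURST, NOW))   # hourly trigger
    print(fired_trigger(HOST_RULE, "203.0.113.7", SLOW, NOW))    # daily trigger
    print(fired_trigger(USER_RULE, "root", BURST, NOW))          # root is exempt
```

The slow series never reaches 10 failures in any hour, so only the 30/1d trigger catches it, which is why the rule carries both thresholds.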
Partial content of this post is based on this link.






