Anti-bruteforce PAM module
stass/pam_af
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
README
pam_af is a simple anti-bruteforce PAM module for authentification
services. It can be used to prevent brute-force attacks on services
like SSH or Telnet.
pam_af module maintains internal list of hosts and associated counters.
When the host performs authentification attempt, it's counter incremented.
After successful login the counter will flush.
When host's counter value exceeds previously configured limit, the host
will be blocked. Additionly, specific actions can be performed.
Per-host rules can be added/modified through pam_af_tool utility. For
performance reasons, we don't use plain text config and save pre-lookuped
addresses in NDBM database, /etc/pam_af.conf by default.
The module stores statistics in NDBM database too. It's usually
/var/db/pam_af.db. It's hashed using hostname, since PAM returns
hostname, not host's address. To search host's rule, the module
performs lookup, however, it can decline login attempts from blocked
hosts without lookups.
The module should be stacked before your usual auth module. So
your system will not send password request to "bad" host. You
should use "requisite" control flag with pam_af module. This line
could look like this:
--------------------------------------------------------------------
auth requisite /usr/local/lib/security/pam_af.so
--------------------------------------------------------------------
As was already mentioned above, the rules can be managed with
pam_af_tool utility. You can add/modify/delete rules and print
statistics. Additionly, this utilty can do lock/unlock specified
hosts, in case if pam_af module is configured to automatically
lock "bad" hosts in firewall, so the module can't deal with this
host anymore.
You can learn more about utility from pam_af_tool(8) manpage. It's
pretty simple in use. Take a look on the following comands:
# pam_af_tool ruleadd -h localhost -a unlimited -t 0
# pam_af_tool ruleadd -h 124.45.34.2/21 -a 8 -t 16H23M12S
# pam_af_tool ruleadd -h 207.46.0.0/16 -a 5 -t 15H -l '/sbin/ipfw add
100 deny all from $PAM_RHOST to any'
The first one allow unlimited number of attempts from localhost. Second will
block all hosts from 124.45.34.2/21 network after 8 failed attemps for 16
hours 23 minutes and 12 seconds. The last one will block 207.46.0.0/16 through
firewall (FreeBSD).
You can add defaul rule, issuing '*' instead of hostname, e.g. command
# pam_af_tool ruleadd -h '*' -a 15 -t 4y
adds rule, that will block all hosts, which hasn't explicit rules,
for 4 years after 15 failed attempts.
NOTE: all local logins are mapped to "localhost".
pam_af module has some runtime options, you can learn in in
pam_af(8) manpage. Not all options available on all platforms.
Currently, this module works out-of-the-box on FreeBSD 4.x/5.x/6.x/7.x,
Linux 2.6, SunOS 5.10/5.11. I have not tested it on other platforms,
probably it will work, since source is fully POSIX-compliant.
Report on success (or failure), please.
Feel free to send bugs, reports, flames, etc to <stas@FreeBSD.org>.
--
Stanislav Sedov <stas@FreeBSD.org>
$Id: README,v 1.3 2006/11/07 00:09:02 stas Exp $