On 05/05/2014 10:25 PM, Petter Reinholdtsen wrote:
[Petter Reinholdtsen]
I am not sure that the configuration should be enabled by default
because in this case it will affect every pam service which use
/etc/pam.d/common-auth, like su, sudo, login and so on.
[...]
Btw, why is libpam-abl operating on local services too?  Why not only
trigger for remote login?
The current setup allows for remote denial of service attacks, and is
not usable for me.  I tried to log in as root via ssh, and used the
wrong password several times in a row.  Then I logged into the machine
using a different user and tried to su to root.  This was blocked with
this message in /var/log/auth.log:

   May  5 20:21:52 freedombox pam-abl[11025]: Blocking access from (null) to service su, user root
   May  5 20:21:56 freedombox su[11025]: pam_authenticate: Authentication failure
   May  5 20:21:56 freedombox su[11025]: FAILED su for root by fbx
   May  5 20:21:56 freedombox su[11025]: - /dev/pts/1 fbx:root

Any remote user can block a local user from accessing the machine;
that is a DoS attack waiting to happen.  Can it block cron jobs too?
I did not test.  I would suggest for pam-abl to not block access from
the (null) host by default.


Well, the problem is the default configuration.

I see 2 ways to solve the problem:
a) use manual configuration for services using PAM, as was done in the past.
b) tell pam_abl that only the sshd service should be used.
One can do that by specifying the service in the user_rule, i.e.:

user_rule=*/sshd:3/1h

In this case only users associated with the sshd service will really be blocked; for some reason pam_abl will also list users as blocked from, for example, sudo or any other service using common-auth, though they will not be blocked.

Use pam_abl -v to see users and services.

I am preparing the update which will install the default config with sshd and whitelisted localhost.

Currently I cannot upload the package, but you can check out the git repository and build the package yourself:
http://anonscm.debian.org/gitweb/?p=collab-maint/libpam-abl.git

Regards,
Alex
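An added example (not part of the thread, and not code from the libpam-abl project): a small auth.log parser that picks out pam-abl "Blocking access" lines and flags the situation Petter describes, i.e. a block whose source host is "(null)" or whose service is not the remote login service the rule was meant for. The sample log lines are constructed after the excerpt above (the second pam-abl line and its address are invented); the set of expected remote services defaults to {"sshd"} as an assumption matching the proposed user_rule.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample lines modelled on the auth.log excerpt in the thread.
# The last line (remote sshd block from a documentation-range address) is invented.
SAMPLE_AUTH_LOG = """\
May  5 20:21:52 freedombox pam-abl[11025]: Blocking access from (null) to service su, user root
May  5 20:21:56 freedombox su[11025]: pam_authenticate: Authentication failure
May  5 20:21:56 freedombox su[11025]: FAILED su for root by fbx
May  5 20:21:56 freedombox su[11025]: - /dev/pts/1 fbx:root
May  5 20:23:10 freedombox pam-abl[11100]: Blocking access from 203.0.113.7 to service sshd, user root
"""

# Matches the syslog prefix followed by pam-abl's "Blocking access" message.
BLOCK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pam-abl\[\d+\]: "
    r"Blocking access from (?P<src>\S+) to service (?P<service>[^,]+), user (?P<user>\S+)$"
)


@dataclass
class BlockEvent:
    timestamp: str
    source: Optional[str]  # None when pam-abl logged "(null)", i.e. no remote host
    service: str
    user: str

    @property
    def is_local(self) -> bool:
        # A block with no source host means a local PAM service (su, sudo, login, ...)
        # was denied because of failures counted against the user, not a host.
        return self.source is None


def parse_block_events(log_text: str) -> List[BlockEvent]:
    """Return one BlockEvent per pam-abl 'Blocking access' line; other lines are ignored."""
    events: List[BlockEvent] = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if not m:
            continue
        src = m.group("src")
        events.append(
            BlockEvent(
                timestamp=m.group("ts"),
                source=None if src == "(null)" else src,
                service=m.group("service"),
                user=m.group("user"),
            )
        )
    return events


def local_service_blocks(
    events: List[BlockEvent], remote_services: FrozenSet[str] = frozenset({"sshd"})
) -> List[BlockEvent]:
    """Flag blocks that hit a service outside the expected remote set, or that carry
    no source host at all. Either one means remote failure counts are locking out
    local logins, which is the denial-of-service the thread describes."""
    return [e for e in events if e.is_local or e.service not in remote_services]


if __name__ == "__main__":
    for ev in local_service_blocks(parse_block_events(SAMPLE_AUTH_LOG)):
        print(f"{ev.timestamp}: local block of user {ev.user} on service {ev.service}")
```

Run it against a real /var/log/auth.log (read the file and pass its contents to parse_block_events) to see whether pam_abl is blocking anything other than sshd; a non-empty result is a sign that common-auth is still applying the rule to every service and the user_rule needs the service qualifier.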