Hi Tjerk,

> First, this looks like a very good system to prevent hackers from
> 'guessing' passwords. So thanks for the update!

Many thanks. Yeah, something like that is sure needed.

> Have one question though, my /var/log/messages shows some bans already:
>
> Aug 11 15:55:15 server3 cced(smd)[28921]: client
> 6:handlers/base/console/pam_abl_import.pl: CREATE fail_users blocking = 0
> failcnt = 2 username = oracle
> Aug 11 15:55:15 server3 cced(smd)[28921]: client
> 6:handlers/base/console/pam_abl_import.pl: CREATE succeeded
> Aug 11 15:55:15 server3 cced(smd)[28921]: client
> 6:handlers/base/console/pam_abl_import.pl: CREATE fail_users blocking = 0
> failcnt = 30 username = root

Bans will be logged into /var/log/secure. What you see in /var/log/messages is just a handler script that runs and populates the GUI database CODB with the information about failed login activity.

> So there are some username blocks, and some host blocks, right?

Let's put it that way: There is activity. If someone fails one login, his IP and the username he used to authenticate will be logged. But he won't be banned until he exceeds the number of failed logins that you have specified to trigger the lockout. The default for host bans is 30 failures in 1h.

So even if someone failed just a few times and was still below the threshold that triggers a ban, he's still in the database until he eventually drops out of it at the set purge time. But the GUI will show a green light next to the account(s) and host(s) if they're not blocked. That light will turn red when the block is temporarily active. A block automatically expires after one hour of no further activity from the offending host.

> In the GUI I only see the username blocks, the host block list is still
> empty
>
> Something to do with this line?
>
> : CREATE fail_hosts failed (-5)

That is correct - that's related to that problem. The database field that stores the host bans takes only IP addresses - not FQDNs. From my tests so far during the last 10-12 days I was under the impression that pam_abl only stores the IP of the failed hosts in its database.

But apparently in your case it tried to store FQDNs as well. Protection-wise it doesn't matter, as pam_abl will block the offender - regardless of whether it sees the source as FQDN or IP address. It's just the GUI that may not show the entire host list of offenders. I'll publish a fix for that sometime tonight.

> And a small suggestion, display the time a user or host was blocked in the
> GUI? Might be useful if you want to search your logs or something.

Yeah, that's planned and I already added the database fields required for it. As the rest of the code for it takes quite a bit of extra effort I left it out of the first release and put it on the backburner. But it'll come.

For now: If you want to see the date and times of the events, run this from the command line:

/etc/init.d/pam_abl status

... or ...

/usr/bin/pam_abl -v

> While I'm at it, the Security -> Logfiles page is giving me Javascript
> errors in ajax.js (Don't really mind cause I don't use it but just to let
> you know it doesn't work properly)

Hmm ... interesting. Didn't know that. Which browser are you using?

-- 
With best regards
Michael Stauber
_______________________________________________
Blueonyx mailing list
[email protected]
http://www.blueonyx.it/mailman/listinfo/blueonyx
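The following is an added example, not code from pam_abl or BlueOnyx, that models the lockout behaviour Michael describes above (30 failures from one host within an hour trigger a block, a block lapses after an hour with no further activity) and the IP-only constraint on the GUI's host table that produced the "CREATE fail_hosts failed (-5)" line. It also parses the quoted pam_abl_import.pl handler lines, re-joined where the mail client wrapped them. The timestamps, the 192.0.2.10 address and the FQDN used are constructed; the threshold and expiry values are the defaults stated in the reply.

```python
"""Added example (not pam_abl's or BlueOnyx's own code): a model of the
lockout behaviour described in the reply, plus a parser for the quoted
pam_abl_import.pl handler lines.  Thresholds follow the reply: a host is
banned after 30 failures within one hour, and a ban lapses after one hour
without further activity from that host.  All timestamps, addresses and
sample lines are constructed."""

import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOST_THRESHOLD = 30                      # default host ban: 30 failures ...
HOST_WINDOW = timedelta(hours=1)         # ... within one hour
BLOCK_IDLE_EXPIRY = timedelta(hours=1)   # block lapses after 1h of silence

# The quoted handler lines, re-joined where the mail client wrapped them.
SAMPLE_LINES = [
    "Aug 11 15:55:15 server3 cced(smd)[28921]: client 6:handlers/base/console/"
    "pam_abl_import.pl: CREATE fail_users blocking = 0 failcnt = 2 username = oracle",
    "Aug 11 15:55:15 server3 cced(smd)[28921]: client 6:handlers/base/console/"
    "pam_abl_import.pl: CREATE succeeded",
    "Aug 11 15:55:15 server3 cced(smd)[28921]: client 6:handlers/base/console/"
    "pam_abl_import.pl: CREATE fail_users blocking = 0 failcnt = 30 username = root",
]

IMPORT_RE = re.compile(
    r"pam_abl_import\.pl: CREATE (?P<table>fail_users) "
    r"blocking = (?P<blocking>\d+) failcnt = (?P<failcnt>\d+) "
    r"username = (?P<username>\S+)"
)


def parse_import_line(line):
    """Return the fields of a 'CREATE fail_users' line, or None for other
    lines (e.g. 'CREATE succeeded')."""
    m = IMPORT_RE.search(line)
    if not m:
        return None
    return {
        "table": m["table"],
        "blocking": int(m["blocking"]),
        "failcnt": int(m["failcnt"]),
        "username": m["username"],
    }


def is_ip_literal(host):
    """The GUI's fail_hosts field accepts only IP addresses; an FQDN such as
    the constructed 'host.example.net' is the kind of value that fails."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HostBlocker:
    """Sliding-window failure counter with blocks that expire when idle."""

    def __init__(self):
        self.failures = defaultdict(deque)  # host -> recent failure timestamps
        self.blocked = set()
        self.last_seen = {}

    def is_blocked(self, host, now):
        """Report block state at `now`, lifting blocks idle for one hour."""
        if host not in self.blocked:
            return False
        if now - self.last_seen[host] >= BLOCK_IDLE_EXPIRY:
            self.blocked.discard(host)
            self.failures[host].clear()
            return False
        return True

    def record_failure(self, now, host):
        """Record one failed login from `host`; return True if it is blocked."""
        if self.is_blocked(host, now):
            self.last_seen[host] = now   # activity while blocked resets the idle timer
            return True
        self.last_seen[host] = now
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > HOST_WINDOW:
            window.popleft()             # forget failures older than one hour
        if len(window) >= HOST_THRESHOLD:
            self.blocked.add(host)
            return True
        return False


def simulate(interval_minutes):
    """Constructed scenario: 30 failures from one host, `interval_minutes`
    apart.  Returns (block state after each failure, state after 1h of silence)."""
    blocker = HostBlocker()
    t0 = datetime(2000, 8, 11, 15, 0, 0)   # constructed date
    host = "192.0.2.10"                     # documentation-range address
    states = [blocker.record_failure(t0 + timedelta(minutes=i * interval_minutes), host)
              for i in range(HOST_THRESHOLD)]
    quiet = t0 + timedelta(minutes=(HOST_THRESHOLD - 1) * interval_minutes) + BLOCK_IDLE_EXPIRY
    return states, blocker.is_blocked(host, quiet)
```

With failures one minute apart the 30th attempt trips the block and it lapses an hour after the last attempt; spread three minutes apart, at most 21 failures ever fall inside the one-hour window, so the same 30 attempts never reach the threshold, which is the "still in the database but shown with a green light" state Michael describes.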
