On 05/05/2014 10:25 PM, Petter Reinholdtsen wrote:
> [Petter Reinholdtsen]
> I am not sure that the configuration should be enabled by default
> because in this case it will affect every pam service which uses
> /etc/pam.d/common-auth, like su, sudo, login and so on.
> [...]
> Btw, why is libpam-abl operating on local services too? Why not only
> trigger for remote login?
>
> The current setup allows for remote denial of service attacks, and is
> not usable for me. I tried to log in as root via ssh, and used the
> wrong password several times in a row. Then I logged into the machine
> using a different user and tried to su to root. This was blocked with
> this message in /var/log/auth.log:
>
> May 5 20:21:52 freedombox pam-abl[11025]: Blocking access from (null) to service su, user root
> May 5 20:21:56 freedombox su[11025]: pam_authenticate: Authentication failure
> May 5 20:21:56 freedombox su[11025]: FAILED su for root by fbx
> May 5 20:21:56 freedombox su[11025]: - /dev/pts/1 fbx:root
>
> Any remote user can block a local user from accessing the machine,
> that is a DoS attack waiting to happen. Can it block cron jobs too?
> I did not test. I would suggest for pam-abl to not block access from
> the (null) host by default.
Well, the problem is the default configuration.

I see 2 ways to solve the problem:

a) use manual configuration for services using PAM, like it was done in
the past.
b) tell pam_abl that only the sshd service should be used.

One can do that by specifying the service in the user_rule, i.e.:

user_rule=*/sshd:3/1h

In this case only users associated with the sshd service will really be
blocked. For some reason pam_abl will also list users as blocked, for
example from sudo or any other service using common-auth, though they
will not be blocked.

Use pam_abl -v to see users and services.

I am preparing the update which will install the default config with
sshd and whitelisted localhost.

Currently I cannot upload the package, but you can check out the git
repository and build the package yourself:

http://anonscm.debian.org/gitweb/?p=collab-maint/libpam-abl.git
Regards,
Alex
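An added defender-side check, not code from this thread or from libpam-abl: it parses pam-abl "Blocking access" lines in the auth.log format quoted above and flags any block on a local service (source logged as "(null)") or on a service other than sshd, which is exactly the lockout Petter describes. The sshd-only expectation is an assumption that mirrors the proposed user_rule; the sample log is constructed, apart from the su line taken from the thread.

```python
import re

# Log format taken from the auth.log excerpt quoted in the thread.
BLOCK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"pam-abl\[(?P<pid>\d+)\]: Blocking access from (?P<src>\S+) "
    r"to service (?P<svc>[^,]+), user (?P<user>\S+)$"
)

# Assumption: once the rule is narrowed to user_rule=*/sshd:3/1h, sshd is
# the only service on which pam_abl blocks are expected.
REMOTE_SERVICES = frozenset({"sshd"})


def parse_block(line):
    """Return a dict for a pam-abl 'Blocking access' line, else None."""
    m = BLOCK_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # pam_abl logs (null) when PAM supplies no remote host, i.e. the
    # block hit a local service such as su, sudo or login.
    ev["local"] = ev["src"] == "(null)"
    return ev


def audit(lines):
    """Collect blocks that hit a local or non-sshd service: evidence that
    remote password failures have locked a user out of local services."""
    findings = []
    for line in lines:
        ev = parse_block(line)
        if ev is None:
            continue
        if ev["local"] or ev["svc"] not in REMOTE_SERVICES:
            findings.append(ev)
    return findings


# Constructed sample: the su block from the thread plus an expected sshd block.
SAMPLE_LOG = [
    "May 5 20:21:52 freedombox pam-abl[11025]: Blocking access from (null) to service su, user root",
    "May 5 20:21:56 freedombox su[11025]: FAILED su for root by fbx",
    "May 5 20:23:10 freedombox pam-abl[11100]: Blocking access from 198.51.100.7 to service sshd, user root",
]

if __name__ == "__main__":
    for ev in audit(SAMPLE_LOG):
        print(f"{ev['ts']} user={ev['user']} service={ev['svc']} source={ev['src']}")
```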