ssh password brute force protection

You can protect your Linux-hosted SSH server from password brute force attacks with pam-abl. This plugin for the SSH PAM authentication module counts login attempts per IP address and per login name. If the number of attempts exceeds the allowed limit, pam-abl blocks that IP address or login name.

Manual installation of pam-abl is not very complicated, but it requires some time and a few steps in the console. I have built a deb package of libpam-abl for Ubuntu edgy and Ubuntu dapper (MEPIS 6.0). It fully automates the installation and the proper configuration. All you have to do to protect your SSH server from brute force attacks is install the package. It should be said that libpam-abl has shipped with Fedora Linux by default since the Fedora Core 4 release; only Debian-based distributions lack this useful security package.

Important note for Ubuntu (MEPIS) Linux users: the openssh-server package bundled with these distributions contains bug №405041, which makes libpam-abl work improperly. My repository contains a patched version of the openssh-server package, which you have to update to.

For curious Linux users, source packages are available for both openssh-server and libpam-abl.

How to install

First of all, add my repository to your /etc/apt/sources.list configuration file.

For ubuntu 6.06 dapper (SimplyMEPIS 6.0):

deb http://ubuntu.tolero.org/ dapper main

For ubuntu 6.10 edgy:

deb http://ubuntu.tolero.org/ edgy main

Then execute the following four commands:

sudo aptitude update
sudo aptitude upgrade
sudo aptitude install libpam-abl
sudo /etc/init.d/ssh restart

The first command fetches the repository listing. The second upgrades the openssh-server package to the patched version (openssh-client will also be updated). The third installs the protection plugin. The fourth restarts the server with the new security plugin.

That is all! Your machine's SSH server should now be protected with pam-abl.

How to check that all is working

To check that pam-abl is installed properly, just try to log in to your SSH server. Simply execute the

ssh localhost

command and enter a wrong password on every attempt. The failed attempts will be listed in the pam-abl statistics, which you can see with the command

sudo pam_abl

You should see your failed attempt there. If you see only <none> indicators, you are running the unpatched version of the openssh-server package; install the patched one from my repository and restart the SSH daemon.

The pam_abl utility is the control tool for the libpam-abl plugin statistics. It is the only way to unblock a host or account. Refer to its --help output for details.

What does my libpam-abl.deb package do

Most readers do not need to read this section; it is mostly for the curious.

Besides simply extracting the pam-abl files to their proper places, my package also performs configuration.

First, it creates a default configuration file for the pam-abl plugin, /etc/security/pam_abl.conf. The default configuration blocks any IP address or login name (except the root account) after three failed attempts in an hour, or thirty attempts in a day. If you wish, you can easily change the limits right after installation.

Second, it alters the /etc/pam.d/ssh file so that the pam_abl.so library takes part in the authentication process. Adding the required line at the right place in the configuration file on installation, and removing it when the package is removed, is fully automated.

Collected information about failed login attempts is stored under /var/lib/abl/. This directory is created during installation and removed only when the package is removed with the --purge flag. The same applies to the pam_abl.conf file. That is the usual behaviour of Debian packages.
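As an added illustration (not the file shipped in the package), here is a pam_abl.conf that expresses the limits described above in the rule syntax of the pam_abl manual; the database paths follow the /var/lib/abl/ layout the package creates, and the purge interval of two days is my assumption:

```ini
# /etc/security/pam_abl.conf  (added example, not the package's own file)
# Per-host records live under /var/lib/abl/, the directory the package creates.
host_db=/var/lib/abl/hosts.db
# Drop records older than this; 2 days is an assumed value, not from the page.
host_purge=2d
# Block any source IP after 3 failures within 1 hour, or 30 within 1 day.
host_rule=*:3/1h,30/1d

# Per-login-name records.
user_db=/var/lib/abl/users.db
user_purge=2d
# Same limits per login name, but "!root" exempts the root account from locking.
user_rule=!root:3/1h,30/1d
```

The line the module needs in /etc/pam.d/ssh takes the form `auth required pam_abl.so config=/etc/security/pam_abl.conf`; that it goes ahead of the distribution's `@include common-auth` line is my assumption, as the page does not show the exact placement the package uses.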

21 Comments

  1. Interesting approach. Thanks for the pointer!

  2. Nikron says:

    Thanks for the enhanced security.

  3. Piotr says:

    Very useful tutorial. Two things could improve it:
    1) explain /etc/security/pam_abl.conf
    2) provide a key to authenticate your repository

    HTH,

    Piotr

  4. Worked great on Ubuntu 6.10!

    Thanks ;)

  5. William says:

    Could you please add a repository for Feisty, or (even better) get the package added to Feisty’s universe repository? I’d really really like to install this on Ubuntu Server 7.04.

  6. Tolero says:

    @William

    OK, I’ll check it for a feisty in a few days. Come back at the end of the week.

  7. NabdaN says:

    Hi all, thanks for this great job !

    If you can help us to implement it in Feisty it will be really nice from you.

    Another point :

    provide a key to authenticate your repository :)

    Bye !

  8. Criminal says:

    Nice job! Still waiting for the feisty version

  9. MasterX says:

    Any news?

  10. Tolero says:

    I remember! Just busy all these days :(

  11. ketty6e says:

    hi… is libpam-abl ready for ubuntu 7.04??

  12. I just installed this on Kubuntu Feisty (7.04) using the EDGY repository. It works. But it would be really nice if you can add a FEISTY repository also.

    thanks for the great work

    /sujee

  13. pecata says:

    This doesn’t work on Ubuntu Feisty 7.04 x86_64.

  14. akukalle says:

    I am using the freenx remote desktop tool. If libpam-abl is installed, freenx authentication doesn’t work. Does anybody have an idea how to fix this?

  15. Louis Wilson says:

    Just in case anyone is wondering, on Ubuntu 7.04 (standard version, installed from liveCD), the edgy repository appears to be working fine. It would still be nice to have a feisty one, though, when you get the time.

    Thanks for all the work!

  16. Kalachakra says:

    please work on the feisty how to!

  17. Shooter says:

    Nice stuff, thanks, Tolero (hmmm, your nick is veeery close to my other one: Zolero).
    Well, dear friend it’ll be great if you can provide us with a public PGP signing key…

    However your work is appreciated, thx again.
    Shooter (or Zolero, if you like it this way).

  18. helpdeskdan says:

    Do not use this, it opens another vulnerability:
    https://bugzilla.mindrot.org/show_bug.cgi?id=1322

  19. Nukeador says:

    Hello there,

    I have a question. Which is the license of this article? It would be great for a translation, but, I have to know if the license allows this.

    Regards.

  20. Shoot3r says:

    Thank you for this one!
    Works like a charm on my Dapper Server. The authentication key would be great indeed, Tolero.
    Many thanks, buddy.

  21. [...] 2. tech.tolero.org: ssh password brute force protection > [...]
