You can protect your Linux-hosted SSH server from password brute-force attacks with pam-abl. This plugin for the SSH PAM authentication module counts the login attempts made from a specific IP address or against a specific login name. If the number of attempts exceeds the allowed limit, pam-abl blocks the IP address or login name.
Manual installation of pam-abl is not very complicated, but it takes some time and a few manipulations in the console. I have built a deb package of libpam-abl for Ubuntu Edgy and Ubuntu Dapper (MEPIS 6.0). It fully automates installation and proper configuration. All you have to do to protect your SSH server from brute-force attacks is install the package. It should be said that libpam-abl has shipped with Fedora Linux by default since the Fedora Core 4 release; only Debian-based distributions lack this useful security package.
Important note for Ubuntu (MEPIS) Linux users: the openssh-server package bundled with these distros contains bug №405041, which prevents libpam-abl from working properly. My repository contains a patched version of the openssh-server package, which you have to update to.
For curious Linux users, source packages are available for both openssh-server and libpam-abl.
How to install
First, add my repository to your /etc/apt/sources.list configuration file.
For Ubuntu 6.06 Dapper (SimplyMEPIS 6.0):
deb http://ubuntu.tolero.org/ dapper main
For Ubuntu 6.10 Edgy:
deb http://ubuntu.tolero.org/ edgy main
Then execute the following four commands:
sudo aptitude update
sudo aptitude upgrade
sudo aptitude install libpam-abl
sudo /etc/init.d/ssh restart
The first command fetches the repository listing. The second upgrades the openssh-server package to the patched version (openssh-client will also be updated). The third installs the protection plugin. The fourth restarts the server with the new security plugin.
That is all! Now your machine's SSH should be protected with pam-abl.
How to check that everything is working
To check that pam-abl is installed properly, just try to log in to your SSH server. Simply execute the
command, and enter a wrong password on every try. That failed attempt will be listed in the pam-abl statistics. You can see it with the command
And you should see your failed attempt there. If you see only
<none> indicators, this means that you are running an unpatched version of the openssh-server package; you have to install it from my repository and restart the ssh daemon.
The pam_abl utility is the control tool for the libpam-abl plugin statistics. It is the only way to unblock a host or account. Refer to its --help for details.
What my libpam-abl.deb package does
Many readers do not need to read this chapter. It is mostly for the curious.
Besides simply extracting the pam-abl files into their proper places, my package performs some configuration.
First, it creates a default configuration file for the pam-abl plugin. You can find it at /etc/security/pam_abl.conf. The default configuration is set to block any IP address or login name (except the root account) after three failed attempts in an hour, or thirty attempts in a day. If you wish, you can easily change the limits right after installation.
Second, it alters the /etc/pam.d/ssh file to include the pam-abl.so library in the authentication process. Adding the required line at the right place in the configuration file on installation, and removing it when the package is uninstalled, is fully automated.
Collected information about failed login attempts is stored under the /var/lib/abl/ path. This directory is created during installation and removed only when the package is uninstalled with the --purge flag. The same applies to the pam_abl.conf file. This is the common behavior for all Debian packages.
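To see how the default limits described above behave before changing them, here is an added example (not code from this package or from pam-abl itself) that evaluates a pam_abl-style rule against a list of failure timestamps. The rule strings, the "N or more failures inside the window" reading of a trigger, and all sample names, addresses and times are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Assumed rule strings expressing the limits described above.
HOST_RULE = "*:3/1h,30/1d"
USER_RULE = "!root:3/1h,30/1d"


def parse_rule(rule):
    """Split '<who>:<count>/<period>,...' into (negated, who, triggers)."""
    who, sep, trigger_list = rule.partition(":")
    if not sep:
        raise ValueError(f"missing ':' in rule {rule!r}")
    triggers = []
    for trig in trigger_list.split(","):
        m = re.fullmatch(r"(\d+)/(\d+)([smhd])", trig.strip())
        if not m:
            raise ValueError(f"bad trigger {trig!r}")
        count, length, unit = int(m[1]), int(m[2]), m[3]
        triggers.append((count, timedelta(seconds=length * UNIT_SECONDS[unit])))
    return who.startswith("!"), who.lstrip("!"), triggers


def is_blocked(rule, name, failures, now):
    """True if `name` has reached any trigger's failure count within its window."""
    negated, who, triggers = parse_rule(rule)
    applies = who == "*" or who == name
    if negated:
        applies = not applies
    if not applies:
        return False
    return any(
        sum(1 for t in failures if now - period < t <= now) >= count
        for count, period in triggers
    )


# Constructed sample data: failure timestamps relative to a fixed "now".
NOW = datetime(2007, 1, 15, 12, 0, 0)
BURST = [NOW - timedelta(minutes=m) for m in (2, 9, 20)]        # 3 in one hour
SLOW = [NOW - timedelta(minutes=45 * i) for i in range(1, 31)]  # 30 in one day

if __name__ == "__main__":
    print(is_blocked(HOST_RULE, "192.0.2.10", BURST, NOW))  # fast guessing
    print(is_blocked(USER_RULE, "alice", SLOW, NOW))        # slow guessing
    print(is_blocked(USER_RULE, "root", BURST, NOW))        # root is exempt
```

The slow case is the one worth noting when tuning limits: one guess every 45 minutes never trips the hourly trigger, so only the daily trigger catches it.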