PAM_ABL.CONF(5)                 Linux-PAM Manual                 PAM_ABL.CONF(5)
NAME
SYNOPSIS
DESCRIPTION
Syntax
word        ::= /[^\s\|\/\*]+/
name        ::= word | '*'
username    ::= name
servicename ::= name
userservice ::= username | username '/' servicename
namelist    ::= userservice | userservice '|' namelist
userspec    ::= namelist | '!' namelist
multiplier  ::= 's' | 'm' | 'h' | 'd'
number      ::= /\d+/
period      ::= number | number multiplier
trigger     ::= number '/' period
triglist    ::= trigger | trigger ',' triglist
userclause  ::= userspec ':' triglist
rule        ::= userclause | userclause /\s+/ rule
Rule syntax
A rule is one or more clauses separated by whitespace. Each clause names the
users (or, in a host_rule, the hosts) it applies to, each optionally qualified
with a service as user/service, followed by a colon and a comma-separated list
of triggers. A trigger of the form N/period fires once N failures have been
recorded within that period; a leading ! applies the clause to everything
except the listed names.
*:10/1h
Any user (or any host, in a host_rule), after 10 failures within 1 hour.
root|dba|admin:10/1h
root, dba or admin, after 10 failures within 1 hour.
root/sshd|dba/*:3/1d
root via the sshd service, or dba via any service, after 3 failures within 1 day.
root:10/1h,20/1d
root, after either 10 failures within 1 hour or 20 failures within 1 day.
*:10/1h root:5/1h,10/1d
Two clauses: a general one for anyone (10 failures within 1 hour) and one for
root (5 failures within 1 hour or 10 within 1 day).
!root:20/1d
Any user except root, after 20 failures within 1 day.
# /etc/security/pam_abl.conf
debug
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d
host_db, user_db
Specify the names of the databases used to log failed authentication
attempts. The host database records the host responsible for each failed
authentication and the user database records the username that was requested.
If host_db or user_db is omitted, the corresponding auto-blacklisting is
disabled.
host_purge, user_purge
Specify the length of time for which failed attempts are kept in the
databases. For rules to work correctly this must be at least as long as the
longest period specified in the corresponding rule; if it is shorter, the
failures that a long-period trigger needs are discarded before they can be
counted. You may wish to retain information about failed attempts for longer
than this so that the pam_abl command line tool can report over a longer period
of time. The format is a number with an optional multiplier suffix, s, m, h or
d, corresponding to seconds, minutes, hours and days; seven days, for example,
is written 7d. Note that in normal operation pam_abl only purges the logged
data for a particular host or user when it happens to be updating that entry,
i.e. when that host or user makes another failed attempt. To purge all old
entries, use the pam_abl command line tool.
host_rule, user_rule
These are the rules which determine the circumstances under which hosts and
accounts are auto-blacklisted. The host_rule is used to block access from hosts
that are responsible for excessive authentication failures, and the user_rule
is used to disable accounts for which there have been excessive authentication
failures. The rule syntax is described in full in the Rule syntax section.
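The rule grammar, the trigger semantics and the purge requirement above, worked through in code. This is an added example written for this page, not pam_abl's own code: it parses a rule string into clauses, decides whether a given user and service with a list of failure timestamps is blocked, and checks a configuration's host_purge and user_purge against the longest period in the corresponding rule. The man page does not say how several clauses that apply to the same user combine, so the example assumes that any applying clause whose trigger fires is enough; the sample configuration and the failure timestamps are constructed for the demo.

```python
# Added example (not pam_abl's own code): parse the rule grammar from the Syntax
# section, evaluate "N failures within a period", and check *_purge against *_rule.
import re
from dataclasses import dataclass

MULTIPLIER = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
NAME = re.compile(r"[^\s|/*]+|\*")   # name ::= word | '*'


def parse_period(text):
    """period ::= number | number multiplier, in seconds ('2d' -> 172800)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text)
    if not m:
        raise ValueError(f"bad period: {text!r}")
    return int(m.group(1)) * MULTIPLIER[m.group(2)]


@dataclass
class Clause:
    negate: bool      # a leading '!' negates the whole namelist
    names: list       # [(username, servicename or None), ...]
    triggers: list    # [(count, period_in_seconds), ...]

    def applies_to(self, user, service):
        hit = any((u == "*" or u == user) and (s in (None, "*") or s == service)
                  for u, s in self.names)
        return hit != self.negate


def parse_rule(rule):
    """rule ::= userclause | userclause /\\s+/ rule  ->  list of Clause."""
    clauses = []
    for text in rule.split():
        userspec, sep, triglist = text.rpartition(":")   # triggers contain no ':'
        if not sep or not triglist:
            raise ValueError(f"clause without triggers: {text!r}")
        negate = userspec.startswith("!")
        names = []
        for item in (userspec[1:] if negate else userspec).split("|"):
            user, _, service = item.partition("/")
            for part in ((user, service) if service else (user,)):
                if not NAME.fullmatch(part):
                    raise ValueError(f"bad name in {text!r}: {part!r}")
            names.append((user, service or None))
        triggers = []
        for trig in triglist.split(","):
            count, sep, period = trig.partition("/")
            if not sep or not count.isdigit():
                raise ValueError(f"bad trigger: {trig!r}")
            triggers.append((int(count), parse_period(period)))
        clauses.append(Clause(negate, names, triggers))
    return clauses


def is_blocked(clauses, user, service, failure_times, now):
    """True when an applying clause has a trigger met: at least `count` failures
    within the last `period` seconds. Assumption of this example: any applying
    clause whose trigger fires blocks (the page does not say how clauses combine)."""
    for clause in clauses:
        if not clause.applies_to(user, service):
            continue
        for count, period in clause.triggers:
            if sum(1 for t in failure_times if 0 <= now - t <= period) >= count:
                return True
    return False


def check_purge(text):
    """Warn for each *_purge shorter than the longest period in its *_rule.
    Config lines are 'key=value' or a bare keyword such as 'debug'; '#' comments."""
    lines = [ln.strip() for ln in text.splitlines()]
    opts = dict(ln.partition("=")[::2] for ln in lines if ln and not ln.startswith("#"))
    warnings = []
    for kind in ("host", "user"):
        rule, purge = opts.get(f"{kind}_rule"), opts.get(f"{kind}_purge")
        if rule is None or purge is None:
            continue
        longest = max(p for c in parse_rule(rule) for _, p in c.triggers)
        if parse_period(purge) < longest:
            warnings.append(f"{kind}_purge={purge} is shorter than the longest "
                            f"{kind}_rule period ({longest}s)")
    return warnings


# Constructed sample config: host_purge=12h cannot serve the 30/1d trigger.
SAMPLE_CONF = """\
# /etc/security/pam_abl.conf
debug
host_db=/var/lib/abl/hosts.db
host_purge=12h
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d
"""

if __name__ == "__main__":
    print(check_purge(SAMPLE_CONF))
    now = 1_700_000_000
    burst = [now - 60 * i for i in range(10)]   # constructed: ten failures in ten minutes
    print(is_blocked(parse_rule("*:10/1h"), "alice", "sshd", burst, now))
```

Running the script reports that host_purge=12h is shorter than the 1d period in host_rule, which is exactly the misconfiguration the purge description warns about: the 30/1d trigger could never accumulate a full day of failures.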
host_clr_cmd, host_blk_cmd, user_clr_cmd, user_blk_cmd
These specify commands that are run during a check when an item has switched
state since its last check. host_clr_cmd and user_clr_cmd run when the host or
user is currently allowed access; host_blk_cmd and user_blk_cmd run when the
host or user is currently being blocked by their respective rules. If no
command is specified, no action is taken.
Within the commands, the substitutions %h, %u and %s are replaced with the
host name, user name and service currently being checked. If there is not
enough information to fulfil the requested substitutions (e.g. running the
pam_abl tool without specifying all the necessary fields), the command simply
does not run.
Bear in mind that the substituted username is the name the client asked to
authenticate as, so it is chosen by the (possibly hostile) remote party, and
that the command runs with the privileges of the process performing the PAM
check, typically root. Keep these commands simple and do not pass %u or %h to
anything that interprets shell metacharacters.
EXAMPLE
# /etc/security/pam_abl.conf
debug
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
host_blk_cmd=iptables -I INPUT -s %h -j DROP
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d
user_clr_cmd=logger This is a pointless command! user: %u host: %h service: %s
SEE ALSO
AUTHORS
01/13/2010                            GNU