From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Jul 20 22:30:16 2006
Return-Path:
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 565C116A4DD for ; Thu, 20 Jul 2006 22:30:16 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD80D43D45 for ; Thu, 20 Jul 2006 22:30:15 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k6KMUFCp047982 for ; Thu, 20 Jul 2006 22:30:15 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k6KMUFxJ047981; Thu, 20 Jul 2006 22:30:15 GMT (envelope-from gnats)
Resent-Date: Thu, 20 Jul 2006 22:30:15 GMT
Resent-Message-Id: <200607202230.k6KMUFxJ047981@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Petr Rehor
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4277116A4DA for ; Thu, 20 Jul 2006 22:26:45 +0000 (UTC) (envelope-from reho@rx.cz)
Received: from charon.rx.cz (199.106.broadband4.iol.cz [85.71.106.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id B0C0C43D4C for ; Thu, 20 Jul 2006 22:26:42 +0000 (GMT) (envelope-from reho@rx.cz)
Received: from charon.rx.cz (localhost [127.0.0.1]) by charon.rx.cz (8.13.4/8.13.4) with ESMTP id k6KMQeM8078341 for ; Fri, 21 Jul 2006 00:26:41 +0200 (CEST) (envelope-from reho@199.106.broadband4.iol.cz)
Received: (from root@localhost) by charon.rx.cz (8.13.4/8.13.4/Submit) id k6KMQe14078340; Fri, 21 Jul 2006 00:26:40 +0200 (CEST) (envelope-from reho)
Message-Id: <200607202226.k6KMQe14078340@charon.rx.cz>
Date: Fri, 21 Jul 2006 00:26:40 +0200 (CEST)
From: Petr Rehor
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: ports/100635: [NEW PORT] security/pam_abl: Blacklisting responsible for repeated failed authentication attempts
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 20 Jul 2006 22:30:16 -0000

>Number: 100635
>Category: ports
>Synopsis: [NEW PORT] security/pam_abl: Blacklisting responsible for repeated failed authentication attempts
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 20 22:30:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Petr Rehor
>Release: FreeBSD 6.0-RELEASE-c3 i386
>Organization:
>Environment:
System: FreeBSD charon.rx.cz 6.0-RELEASE-c3 FreeBSD 6.0-RELEASE-c3 #0: Tue Nov 8 20:44:39 UTC
>Description:
The pam_abl provides auto blacklisting of hosts and users responsible for repeated failed authentication attempts.

WWW: http://www.hexten.net/pam_abl/

Generated with FreeBSD Port Tools 0.77
>How-To-Repeat:
>Fix:
--- pam_abl-0.2.3.shar begins here ---
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
# # This archive contains: # # pam_abl # pam_abl/files # pam_abl/files/pkg-message.in # pam_abl/files/patch-Makefile # pam_abl/files/patch-pam_abl.h # pam_abl/files/patch-pam_abl.c # pam_abl/files/patch-tools-Makefile # pam_abl/files/patch-conf-pam_abl.conf # pam_abl/files/patch-conf-system-auth # pam_abl/files/patch-doc-index.html # pam_abl/files/patch-doc-pam_abl.html # pam_abl/files/pkg-plist.in # pam_abl/files/pam_abl.8.in # pam_abl/files/pkg-deinstall.in # pam_abl/files/190.clean-pam-abl.in # pam_abl/pkg-descr # pam_abl/distinfo # pam_abl/Makefile # echo c - pam_abl mkdir -p pam_abl > /dev/null 2>&1 echo c - pam_abl/files mkdir -p pam_abl/files > /dev/null 2>&1 echo x - pam_abl/files/pkg-message.in sed 's/^X//' >pam_abl/files/pkg-message.in << 'END-of-pam_abl/files/pkg-message.in' X***************************************************************************** X XRead files in %%DOCSDIR%% for info on how to set up. X X***************************************************************************** X XTo automatically purge pam_abl databases according to purge rules in config Xadd to your /etc/periodic.conf this line: X X daily_clean_pam_abl_enable="YES" X X***************************************************************************** END-of-pam_abl/files/pkg-message.in echo x - pam_abl/files/patch-Makefile sed 's/^X//' >pam_abl/files/patch-Makefile << 'END-of-pam_abl/files/patch-Makefile' X--- Makefile.orig Wed Oct 12 21:22:25 2005 X+++ Makefile Sun Dec 11 00:29:31 2005 X@@ -1,11 +1,11 @@ X # Makefile X # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $ X X-CFLAGS=-Wall -fPIC X-PAMDIR=/lib/security X-CONFDIR=/etc/security X-DBDIR=/var/lib/abl X-LIBS=-ldb -lpthread X+CFLAGS=-Wall -fPIC -I/usr/local/include X+PAMDIR=%%PREFIX%%/lib X+CONFDIR=%%ETCPREFIX%%/etc X+DBDIR=%%PAMABLDB%% X+LIBS=-L/usr/local/lib -ldb -lpthread X MODULE=pam_abl.so X OBJ=pam_abl.o log.o config.o rule.o X SUBDIRS=tools X@@ -14,17 +14,17 @@ X for d in $(SUBDIRS) ; do cd $$d && make $@ 
&& cd .. ; done X X $(MODULE) : $(OBJ) X- ld -x --shared $(LIBS) -o $@ $^ X+ ld -x --shared $(LIBS) -o $(MODULE) $(OBJ) X X clean : X rm -f $(MODULE) $(OBJ) X for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done X X install : $(MODULE) X- install --mode=755 --strip $(MODULE) $(PAMDIR) X- #install --mode=644 conf/pam_abl.conf $(CONFDIR) X- install -d --mode=755 $(DBDIR) X- for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done X+ install -m 755 -s $(MODULE) $(PAMDIR) X+ install -m 644 conf/pam_abl.conf $(CONFDIR)/pam_abl.conf.sample X+ install -d -m 755 $(DBDIR) X+ for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done X X depend : X cc -MM *.c > deps END-of-pam_abl/files/patch-Makefile echo x - pam_abl/files/patch-pam_abl.h sed 's/^X//' >pam_abl/files/patch-pam_abl.h << 'END-of-pam_abl/files/patch-pam_abl.h' X--- pam_abl.h.orig Wed Oct 12 21:22:27 2005 X+++ pam_abl.h Sat Jan 14 19:25:44 2006 X@@ -51,6 +51,7 @@ X #define __PAM_ABL_H X X #include X+#include X #include X X #include X@@ -74,7 +75,7 @@ X /* User purge time in seconds */ X #define USER_PURGE (HOURSECS * 24) X X-#define CONFIG "/etc/security/pam_abl.conf" X+#define CONFIG "%%ETCPREFIX%%/etc/pam_abl.conf" X X typedef struct abl_string { X struct abl_string *link; END-of-pam_abl/files/patch-pam_abl.h echo x - pam_abl/files/patch-pam_abl.c sed 's/^X//' >pam_abl/files/patch-pam_abl.c << 'END-of-pam_abl/files/patch-pam_abl.c' X--- pam_abl.c.orig Wed Oct 12 21:22:26 2005 X+++ pam_abl.c Sat Jan 14 21:39:41 2006 X@@ -344,7 +344,7 @@ X abl_args *args = data; X log_debug(args, "In cleanup, err is %08x", err); X X- if (err && (err & PAM_DATA_REPLACE) == 0) { X+ if (err == PAM_AUTH_ERR) { X record_attempt(args); X } X config_free(args); X@@ -359,6 +359,12 @@ X int err = PAM_SUCCESS; X X /*log_debug(NULL, "pam_sm_authenticate(), flags=%08x", flags);*/ X+ X+ if (err = pam_get_data(pamh, DATA_NAME, &args), PAM_SUCCESS == err) { X+ record_attempt(args); X+ } else if (PAM_NO_MODULE_DATA != err) { X+ return 
err; X+ } X X if (args = malloc(sizeof(abl_args)), NULL == args) { X return PAM_BUF_ERR; END-of-pam_abl/files/patch-pam_abl.c echo x - pam_abl/files/patch-tools-Makefile sed 's/^X//' >pam_abl/files/patch-tools-Makefile << 'END-of-pam_abl/files/patch-tools-Makefile' X--- tools/Makefile.orig Wed Oct 12 21:22:27 2005 X+++ tools/Makefile Sun Dec 11 00:22:30 2005 X@@ -1,18 +1,18 @@ X # Makefile X X-CFLAGS=-Wall X-LIBS=-ldb -lpthread X+CFLAGS=-Wall -I/usr/local/include X+LIBS=-L/usr/local/lib -ldb -lpthread X TARGET=pam_abl X OBJ=log.o config.o rule.o pam_abl.o X-INSTDIR=/usr/bin X+INSTDIR=%%PREFIX%%/sbin X X all : $(TARGET) X X $(TARGET) : $(OBJ) X- cc $(LIBS) -o $@ $^ X+ cc $(LIBS) -o $(TARGET) $(OBJ) X X install : $(TARGET) X- install --mode=755 --strip $(TARGET) $(INSTDIR) X+ install -m 755 -s $(TARGET) $(INSTDIR) X X clean : X rm -f $(TARGET) $(OBJ) END-of-pam_abl/files/patch-tools-Makefile echo x - pam_abl/files/patch-conf-pam_abl.conf sed 's/^X//' >pam_abl/files/patch-conf-pam_abl.conf << 'END-of-pam_abl/files/patch-conf-pam_abl.conf' X--- conf/pam_abl.conf.orig Sat Dec 10 23:27:33 2005 X+++ conf/pam_abl.conf Sun Dec 11 00:07:41 2005 X@@ -1,8 +1,8 @@ X-# /etc/security/pam_abl.conf X+# %%ETCPREFIX%%/etc/pam_abl.conf X # debug X-host_db=/var/lib/abl/hosts.db X+host_db=%%PAMABLDB%%/hosts.db X host_purge=2d X host_rule=*:10/1h,30/1d X-user_db=/var/lib/abl/users.db X+user_db=%%PAMABLDB%%/users.db X user_purge=2d X user_rule=!root:10/1h,30/1d END-of-pam_abl/files/patch-conf-pam_abl.conf echo x - pam_abl/files/patch-conf-system-auth sed 's/^X//' >pam_abl/files/patch-conf-system-auth << 'END-of-pam_abl/files/patch-conf-system-auth' X--- conf/system-auth.orig Wed Oct 12 21:22:27 2005 X+++ conf/system-auth Sat Jan 14 22:37:20 2006 X@@ -1,15 +1,24 @@ X-#%PAM-1.0 X-auth required /lib/security/$ISA/pam_env.so X-auth required /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf X-auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok X-auth required 
/lib/security/$ISA/pam_deny.so X+# X+# System-wide defaults X+# X X-account required /lib/security/$ISA/pam_unix.so X+# auth X+auth required %%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf X+auth sufficient pam_opie.so no_warn no_fake_prompts X+auth requisite pam_opieaccess.so no_warn allow_local X+#auth sufficient pam_krb5.so no_warn try_first_pass X+#auth sufficient pam_ssh.so no_warn try_first_pass X+auth required pam_unix.so no_warn try_first_pass nullok X X-password required /lib/security/$ISA/pam_cracklib.so retry=3 type= X-password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow X-password required /lib/security/$ISA/pam_deny.so X+# account X+#account required pam_krb5.so X+account required pam_login_access.so X+account required pam_unix.so X X-session required /lib/security/$ISA/pam_limits.so X-session required /lib/security/$ISA/pam_abl.so X-session required /lib/security/$ISA/pam_unix.so X+# session X+#session optional pam_ssh.so X+session required pam_lastlog.so no_fail X+ X+# password X+#password sufficient pam_krb5.so no_warn try_first_pass X+password required pam_unix.so no_warn try_first_pass END-of-pam_abl/files/patch-conf-system-auth echo x - pam_abl/files/patch-doc-index.html sed 's/^X//' >pam_abl/files/patch-doc-index.html << 'END-of-pam_abl/files/patch-doc-index.html' X--- doc/index.html.orig Wed Oct 12 21:22:27 2005 X+++ doc/index.html Sat Jan 14 22:48:16 2006 X@@ -44,7 +44,7 @@ X
Requires Berkeley DB X (tested with 4.3.21 and 4.2.50).
X X- Requires a configuration file (by convention /etc/security/pam_abl.conf)
X+ Requires a configuration file (by convention %%ETCPREFIX%%/etc/pam_abl.conf) X X
Network aware:
X X@@ -171,28 +171,26 @@ X

Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:

X X X- X- X- X- X+ X+ X
authrequired/lib/security/pam_env.so
authrequired/lib/security/pam_abl.so config=/etc/security/pam_abl.conf
authsufficient/lib/security/pam_unix.so likeauth nullok
authrequired/lib/security/pam_deny.so
authrequired%%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf
authrequiredpam_unix.so no_warn try_first_pass nullok
X X-

Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The pam_abl command line tool reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.

X+

Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The pam_abl command line tool reads the external config file (%%ETCPREFIX%%/etc/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.

X X X X
Config file syntax:
X X
X-

The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample /etc/security/pam_abl.conf:

X+

The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample %%ETCPREFIX%%/etc/pam_abl.conf:

X X X- X+ X X- X+ X X X- X+ X X X
# /etc/security/pam_abl.conf
# %%ETCPREFIX%%/etc/pam_abl.conf
debug
host_db=/var/lib/abl/hosts.db
host_db=%%PAMABLDB%%/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_db=%%PAMABLDB%%/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d
X@@ -282,21 +280,19 @@ X

Sample PAM config fragment:

X X X- X- X- X- X+ X+ X
authrequired/lib/security/pam_env.so
authrequired/lib/security/pam_abl.so config=/etc/security/pam_abl.conf
authsufficient/lib/security/pam_unix.so likeauth nullok
authrequired/lib/security/pam_deny.so
authrequired%%PREFIX%%/lib/pam_abl.so %%ETCPREFIX%%/etc/pam_abl.conf
authrequiredpam_unix.so no_warn try_first_pass nullok
X X-

Sample /etc/security/pam_abl.conf:

X+

Sample %%ETCPREFIX%%/etc/pam_abl.conf:

X X X- X+ X X- X+ X X X- X+ X X X
# /etc/security/pam_abl.conf
# %%ETCPREFIX%%/etc/pam_abl.conf
debug
host_db=/var/lib/abl/hosts.db
host_db=%%PAMABLDB%%/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_db=%%PAMABLDB%%/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d
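Review bot: the replacement sample fragment in this hunk reads `auth required %%PREFIX%%/lib/pam_abl.so %%ETCPREFIX%%/etc/pam_abl.conf`, dropping the `config=` option name that the original line (`config=/etc/security/pam_abl.conf`) and the earlier fragment in the same file (`config=%%ETCPREFIX%%/etc/pam_abl.conf`) both use; as written the path is handed to the module as a bare argument rather than as the config option the text describes. Add `config=` in front of the path so the two samples agree.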
END-of-pam_abl/files/patch-doc-index.html echo x - pam_abl/files/patch-doc-pam_abl.html sed 's/^X//' >pam_abl/files/patch-doc-pam_abl.html << 'END-of-pam_abl/files/patch-doc-pam_abl.html' X--- doc/pam_abl.html.orig Wed Oct 12 21:22:27 2005 X+++ doc/pam_abl.html Sat Jan 14 23:00:43 2006 X@@ -15,7 +15,7 @@ X
pam_abl [OPTION] [CONFIG]
X
DESCRIPTION
X
X-

Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: /etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available

X+

Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: %%ETCPREFIX%%/etc/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available

X X X END-of-pam_abl/files/patch-doc-pam_abl.html echo x - pam_abl/files/pkg-plist.in sed 's/^X//' >pam_abl/files/pkg-plist.in << 'END-of-pam_abl/files/pkg-plist.in' X@comment $FreeBSD$ Xetc/pam_abl.conf.sample Xetc/periodic/daily/190.clean-pam-abl Xlib/pam_abl.so Xsbin/pam_abl X@exec mkdir -p %%PAMABLDB%% END-of-pam_abl/files/pkg-plist.in echo x - pam_abl/files/pam_abl.8.in sed 's/^X//' >pam_abl/files/pam_abl.8.in << 'END-of-pam_abl/files/pam_abl.8.in' X.\" X.\" $FreeBSD$ X.\" X.Dd January 14, 2006 X.Dt pam_abl 8 X.Os X.Sh NAME X.Nm pam_abl X.Nd auto blacklist PAM module X.Sh SYNOPSIS X.Ss Auto Blacklist PAM module X.Op Ar service-name X.Ar module-name X.Ar control-flag X.Pa pam_abl X.Op Ar options X.Ss Blacklist maintenance tool X.Nm X.Op Fl h | Fl -help X.Op Fl p | Fl -purge X.Op Fl r | Fl -relative X.Op Fl v | Fl -verbose X.Op Fl -okhost Ns No = Ns Ar host X.Op Fl -okuser Ns No = Ns Ar user X.Op Ar config-file X.Sh DESCRIPTION XThe Auto Blacklist module for PAM, X.Nm Xprovides functionality for only one PAM category: authentication. XIn terms of the X.Ar module-type Xparameter, this is the X.Dq Li auth Xfeature. X.Ss Auto Blacklist PAM Authentication Module X.Nm Xprovides auto blacklisting of hosts and users responsible for repeated Xfailed authentication attempts. Generally configured so that blacklisted Xusers still see normal login prompts but are guaranteed to fail to Xauthenticate. This functionality is only available to services which call XPAM as root. If X.Nm Xis called for uid != 0 it will silently succeed. X XThe following options may be passed to the authentication module: X.Bl -tag -width indent X.It Cm debug X.Xr syslog 3 Xdebugging information at X.Dv LOG_DEBUG Xlevel. X.It Cm expose_account XIgnored. X.It Cm no_warn Xsuppress warning messages to the user. XThese messages include reasons why the user's authentication attempt was Xdeclined. X.It Cm try_first_pass XIgnored. X.It Cm use_first_pass XIgnored. X.It Cm use_mapped_pass XIgnored. 
X.It Cm config Ns No = Ns Ar config-file
XThe configuration file contains additional arguments.
XIn order for the
X.Nm
Xblacklist maintenance tool to work correctly most of the configuration
Xshould be placed in the config file rather than being provided by arguments.
XThe format of the config file is described below.
X.It Cm host_db Ns No = Ns Ar host-database-file
XPath to the Berkeley DB which is used to log the host responsible for failed
Xauthentication attempts.
XIf host_db is omitted the corresponding auto blacklisting will be disabled.
X.It Cm host_purge Ns No = Ns Ar time
XDefines how long failed hosts are retained in the host database.
XDefaults to 1 day.
X.It Cm host_rule Ns No = Ns Ar host-rule
XThe rule (see below for format) which defines the conditions under which
Xfailed hosts will be blacklisted.
X.It Cm user_db Ns No = Ns Ar user-database-file
XPath to the Berkeley DB which is used to log the user responsible for failed
Xauthentication attempts.
XIf user_db is omitted the corresponding auto blacklisting will be disabled.
X.It Cm user_purge Ns No = Ns Ar time
XDefines how long failed users are retained in the user database.
XDefaults to 1 day.
X.It Cm user_rule Ns No = Ns Ar user-rule
XThe rule (see below for format) which defines the conditions under which
Xfailed users will be blacklisted.
X.El
X.Ss Rules syntax
X.Cm host_rule No and Cm user_rule
Xare the rules which determine the circumstances under which accounts are
Xauto blacklisted.
XThe
X.Cm host_rule
Xis used to block access to hosts that are responsible for excessive
Xauthentication failures and the
X.Cm user_rule
Xis used to disable accounts for which there have been excessive
Xauthentication failures.
XEach rule consists of a number of space separated
X.Sy user clauses Ns No .
XA
X.Sy user clause
Xspecifies the user names and services to match and a set of triggers.
XA simple example would be:
X.Bd -literal -offset indent
X*:10/1h
X.Ed
X.Pp
Xwhich means 'block any user (*) if they are responsible for ten or more
Xfailed authentication attempts in the last hour'.
XIn place of the '*' which matches any user a list of usernames can be
Xsupplied like this:
X.Bd -literal -offset indent
Xroot|dba|admin:10/1h
X.Ed
X.Pp
Xwhich means 'block the users root, dba and admin if they are responsible
Xfor ten or more failed authentication attempts in the last hour'.
XYou can also specify a service name to match against like this:
X.Bd -literal -offset indent
Xroot/sshd|dba/*:3/1d
X.Ed
X.Pp
Xwhich means 'block the user root for service sshd and user dba for any
Xservice if they are responsible for three or more failed authentication
Xattempts in the last day'.
XFinally you can specify multiple triggers like this:
X.Bd -literal -offset indent
Xroot:10/1h,20/1d
X.Ed
X.Pp
Xwhich means 'block the user root if they are responsible for ten or more
Xfailed attempts in the last hour or twenty or more failed attempts in the
Xlast day'.
X.Pp
XMultiple rules can be provided separated by spaces like this:
X.Bd -literal -offset indent
X*:10/1h root:5/1h,10/1d
X.Ed
X.Pp
Xin which case all rules that match a particular user and service will be
Xchecked.
XThe user or host will be blocked if any of the rule triggers matches.
X.Pp
XThe sense of the user matching can be inverted by placing a '!' in front
Xof the rule so that:
X.Bd -literal -offset indent
X!root:20/1d
X.Ed
X.Pp
Xis a rule which would match for all users apart from root.
X.Pp
XIt is important to treat root as a special case in the
X.Cm user_rule
Xotherwise excessive attempts to authenticate as root will result in the
Xroot account being locked out even for valid holders of root credentials.
X.Pp
XHere is the full syntax for rules:
X.Bd -literal -offset indent
Xword ::= /[^\\s\\|\\/\\*]+/
Xname ::= word | '*'
Xusername ::= name
Xservicename ::= name
Xuserservice ::= username | username '/' servicename
Xnamelist ::= userservice | userservice '|' namelist
Xuserspec ::= namelist | '!' namelist
Xmultiplier ::= 's' | 'm' | 'h' | 'd'
Xnumber ::= /\\d+/
Xperiod ::= number | number multiplier
Xtrigger ::= number '/' period
Xtriglist ::= trigger | trigger ',' triglist
Xuserclause ::= userspec ':' triglist
Xrule ::= userclause | userclause /\\s+/ rule
X.Ed
X.Pp
XFor rules to work correctly
X.Cm host_purge No and Cm user_purge
Xmust be at least as long as the longest period specified in a corresponding
Xrule.
XYou may wish to retain information about failed attempts for longer than
Xthis so that the
X.Nm
Xblacklist maintenance tool can report information over a longer period of
Xtime.
XThe format for these items is a number with an optional multiplier suffix,
X's', 'm', 'h' or 'd' which correspond with seconds, minutes, hours and days.
XTo specify seven days for example one would use '7d'.
XNote that in normal operation the
X.Nm
XPAM module will only purge the logged data for a particular host or user
Xif it happens to be updating it, i.e. if that host or user makes another
Xfailed attempt.
XTo purge all old entries the
X.Nm
Xblacklist maintenance tool should be used.
X.Ss Blacklist maintenance tool
XThe blacklist maintenance tool
X.Nm
Xperforms maintenance on the databases used by the
X.Nm
XPAM module.
XThe options are as follows:
X.Bl -tag -width indent
X.It Fl h | Fl -help
XPrint help page and exit.
X.It Fl p | Fl -purge
XPurge databases according to purge rules in config.
X.It Fl r | Fl -relative
XDisplay times relative to now, otherwise absolute times will be displayed.
X.It Fl v | Fl -verbose
XVerbose output.
X.It Fl -okhost Ns No = Ns Ar host-name
XUnblock host.
X.It Fl -okuser Ns No = Ns Ar user-name
XUnblock user.
X.It Ar config-file
XName of the
X.Nm
Xconfiguration file (default: %%ETCPREFIX%%/etc/pam_abl.conf).
XThe config file is read to discover the names of the
X.Nm
Xdatabases and the rules that control purging of old data from them.
X.El
X.Sh EXAMPLES
X.Ss Auto Blacklist PAM module
XTypically the
X.Nm
XPAM module is added to the auth stack as a required module just before
Xwhatever modules actually perform authentication.
XHere's a fragment of the PAM config:
X.Bd -literal -offset indent
Xauth required pam_env
Xauth required pam_abl config=%%ETCPREFIX%%/etc/pam_abl.conf
Xauth sufficient pam_unix likeauth nullok
Xauth required pam_deny
X.Ed
X.Ss Blacklist maintenance tool
XObtain a list of failed hosts and users:
X.Bd -literal -offset indent
X$ pam_abl
X.Ed
X.Pp
XObtain a full list of failures listing times relative to now:
X.Bd -literal -offset indent
X$ pam_abl -rv
X.Ed
X.Pp
XPurge old data:
X.Bd -literal -offset indent
X$ pam_abl -p
X.Ed
X.Pp
XUnblock all example.com hosts and all users:
X.Bd -literal -offset indent
X$ pam_abl -v --okhost='*.example.com' --okuser='*'
X.Ed
X.Sh SEE ALSO
X.Xr pam.conf 5 ,
X.Xr pam 8
X.Bd -literal
Xhttp://www.hexten.net/pam_abl/
Xhttp://sourceforge.net/project/showfiles.php?group_id=148927
X.Ed
X.Sh AUTHORS
XWritten by Andy Armstrong .
X.Sh BUGS
XReport bugs to Andy Armstrong .
END-of-pam_abl/files/pam_abl.8.in
echo x - pam_abl/files/pkg-deinstall.in
sed 's/^X//' >pam_abl/files/pkg-deinstall.in << 'END-of-pam_abl/files/pkg-deinstall.in'
X#!/bin/sh
X#
X# $FreeBSD$
X#
X
XPATH=/bin:/usr/bin:/usr/sbin
X
Xcase $2 in
XDEINSTALL)
X	cd ${PKG_PREFIX}/etc || exit 1
X	# Remove the config only if the admin never changed it from the sample.
X	cmp -s -z pam_abl.conf pam_abl.conf.sample && rm pam_abl.conf
X	rmdir %%PAMABLDB%% 2>/dev/null
X	;;
XPOST-DEINSTALL)
X	# Uncommented pam_abl.so lines left behind in any PAM service file.
X	pam_files="$(grep -lR '^[^#]*pam_abl\.so' /etc/pam.d ${PKG_PREFIX}/etc/pam.d 2>/dev/null)"
X	echo "===> post-deinstallation information for $1:"
X	if [ -n "${pam_files}" ]; then
X		echo ""
X		echo "     Warning: pam_abl is still used by these services:"
X		for pam_file in ${pam_files}; do
X			echo "     ${pam_file}"
X		done
X	fi
X	if [ -e ${PKG_PREFIX}/etc/pam_abl.conf -o -d %%PAMABLDB%% ]; then
X		echo ""
X		echo "     To ease updates, the database directory and configuration"
X		echo "     file modified by you were preserved."
X		echo ""
X		echo "     Please remove them manually if you do not want to use"
X		echo "     pam_abl any longer."
X	fi
X	echo ""
X	;;
X*)
X	exit 64
X	;;
Xesac
Xexit 0
END-of-pam_abl/files/pkg-deinstall.in
echo x - pam_abl/files/190.clean-pam-abl.in
sed 's/^X//' >pam_abl/files/190.clean-pam-abl.in << 'END-of-pam_abl/files/190.clean-pam-abl.in'
X#!/bin/sh
X#
X# $FreeBSD$
X#
X# Purge pam_abl databases according to purge rules in config.
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]; then
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
Xcase "$daily_clean_pam_abl_enable" in
X    [Yy][Ee][Ss])
X	echo ""
X	echo "Purging pam_abl databases:"
X
X	%%PREFIX%%/sbin/pam_abl -p -v ${daily_clean_pam_abl_config_file}
X	[ $? -ne 0 ] && rc=3 || rc=0;;
X    *)  rc=0;;
Xesac
X
Xexit $rc
END-of-pam_abl/files/190.clean-pam-abl.in
echo x - pam_abl/pkg-descr
sed 's/^X//' >pam_abl/pkg-descr << 'END-of-pam_abl/pkg-descr'
XThe pam_abl provides auto blacklisting of hosts and users
Xresponsible for repeated failed authentication attempts.
X
XWWW: http://www.hexten.net/pam_abl/
END-of-pam_abl/pkg-descr
echo x - pam_abl/distinfo
sed 's/^X//' >pam_abl/distinfo << 'END-of-pam_abl/distinfo'
XMD5 (pam_abl-0.2.3.tar.gz) = fbcf97067e9647fa1d9257d4e6133cba
XSIZE (pam_abl-0.2.3.tar.gz) = 19000
END-of-pam_abl/distinfo
echo x - pam_abl/Makefile
sed 's/^X//' >pam_abl/Makefile << 'END-of-pam_abl/Makefile'
X# New ports collection makefile for:	pam_abl
X# Date created:				Nov 6 2005
X# Whom:					Petr Rehor
X#
X# $FreeBSD$
X#
X
XPORTNAME=	pam_abl
XPORTVERSION=	0.2.3
XCATEGORIES=	security
XMASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
XMASTER_SITE_SUBDIR=	${PORTNAME:S/_/-/}
X
XMAINTAINER=	prehor@gmail.com
XCOMMENT=	Blacklisting responsible for repeated failed authentication attempts
X
XWRKSRC=		${WRKDIR}/${PORTNAME}
X
XPAMABLDB?=	/var/db/pam_abl
X
XUSE_BDB=	42+
X
XSUB_FILES=	pkg-deinstall pkg-message pkg-plist pam_abl.8 190.clean-pam-abl
XSUB_LIST=	PAMABLDB=${PAMABLDB}
X
XPKGMESSAGE=	${WRKDIR}/pkg-message
XPKGDEINSTALL=	${WRKDIR}/pkg-deinstall
XPLIST=		${WRKDIR}/pkg-plist
X
XMAN8=		pam_abl.8
X
X.if !defined(NOPORTDOCS)
XPORTDOCS=	*
X.endif
X
X.include
X
X.if ${PREFIX} == / || ${PREFIX} == /usr
XETCPREFIX=
X.else
XETCPREFIX=	${PREFIX}
X.endif
XSUB_LIST+=	ETCPREFIX=${ETCPREFIX}
X
XSED_SCRIPT=	-e 's||<${BDB_INCLUDE_DIR}/db.h>|' \
X		-e 's|-ldb|-l${BDB_LIB_NAME}|' \
X		-e 's|%%PREFIX%%|${PREFIX}|' \
X		-e 's|%%ETCPREFIX%%|${ETCPREFIX}|' \
X		-e 's|%%PAMABLDB%%|${PAMABLDB}|'
X
Xpost-patch:
X.for file in Makefile pam_abl.h conf/pam_abl.conf conf/system-auth doc/index.html doc/pam_abl.html tools/Makefile
X	@${REINPLACE_CMD} ${SED_SCRIPT} ${WRKSRC}/${file}
X.endfor
X
Xpre-install:
X.if !defined(NOPORTDOCS)
X	@${MKDIR} ${DOCSDIR}
X.for file in AUTHORS COPYING Copyright NEWS README THANKS conf/system-auth doc/index.html doc/pam_abl.html doc/copying.html doc/style.css
X	${INSTALL_DATA} ${WRKSRC}/${file} ${DOCSDIR}
X.endfor
X.endif
X.if !defined(NO_INSTALL_MANPAGES)
X	@${MKDIR} ${MAN8PREFIX}/man/man8
X	${INSTALL_MAN} ${WRKDIR}/pam_abl.8 ${MAN8PREFIX}/man/man8/
X.endif
X	@${MKDIR} ${PREFIX}/etc/periodic/daily
X	${INSTALL_SCRIPT} ${WRKDIR}/190.clean-pam-abl ${PREFIX}/etc/periodic/daily/
X
Xpost-install:
X	@${CAT} ${PKGMESSAGE}
X
X.include
END-of-pam_abl/Makefile
exit
--- pam_abl-0.2.3.shar ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
-h, --help
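Review bot: in patch-Makefile and patch-tools-Makefile the new CFLAGS and LIBS lines hardcode `-I/usr/local/include` and `-L/usr/local/lib`, while PAMDIR, CONFDIR, DBDIR and INSTDIR in the same hunks are parameterised with %%PREFIX%%, %%ETCPREFIX%% and %%PAMABLDB%% and the port's SED_SCRIPT already rewrites the Berkeley DB header path and `-ldb` to `-l${BDB_LIB_NAME}`; a build with a non-default PREFIX, or a Berkeley DB installed outside /usr/local, will compile and link against the wrong copies. Suggest `-I%%PREFIX%%/include` and `-L%%PREFIX%%/lib` (or `-I${BDB_INCLUDE_DIR}` through SED_SCRIPT) so the substitution mechanism used everywhere else in the port covers these lines too.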
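Review bot: in the patch-pam_abl.c hunk at @@ -344, the cleanup now records an attempt only when `err == PAM_AUTH_ERR`, whereas the original recorded on any non-zero status that did not carry PAM_DATA_REPLACE; failures reported with any other error status therefore stop feeding the blacklist, and the data-replacement case is no longer excluded. Neither the hunk nor the PR text says why the condition is narrowed, and since it changes which failures are counted it deserves a comment at the `if`, e.g. "OpenPAM passes PAM_AUTH_ERR to the cleanup on auth failure" if that is the reason.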
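Review bot: in the patch-pam_abl.c hunk at @@ -359, `pam_get_data(pamh, DATA_NAME, &args)` takes a `const void **` as its third argument, so with `args` declared as `abl_args *` (as the `malloc(sizeof(abl_args))` just below implies) `&args` needs a `(const void **)` cast to build cleanly under the `-Wall` the Makefile sets; the assignment hidden in the comma expression (`if (err = pam_get_data(...), PAM_SUCCESS == err)`) would also read better as a separate statement before the `if`. The block treats any re-entry into pam_sm_authenticate with module data already present as a failed attempt and calls record_attempt before the old data is replaced; a one-line comment stating that a second pass on the same handle means the first one failed would save the next reader from working that out.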
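The rule syntax documented in the pam_abl.8 manual page above (user clauses, triggers such as 10/1h, the '!' inversion and space-separated clauses), as an added example that is not part of the port or of the upstream pam_abl sources: a parser for that grammar plus an evaluator that decides whether a user's recorded failure history would trip a user_rule. The function and class names are the example's own, and it assumes that a period written without a multiplier suffix is a number of seconds, which the page does not state.

```python
import re
from dataclasses import dataclass

# Multiplier suffixes from the man page: s, m, h, d.
MULT = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# word ::= /[^\s\|\/\*]+/ ; name ::= word | '*'
NAME_RE = re.compile(r"[^\s|/*]+|\*")


@dataclass(frozen=True)
class Trigger:
    count: int   # failures needed inside the window ("ten or more")
    period: int  # window length in seconds


@dataclass(frozen=True)
class UserClause:
    names: tuple     # (username, servicename) pairs; '*' matches anything
    negate: bool     # '!' prefix: match every user/service except these
    triggers: tuple  # Trigger objects; any one firing blocks


def parse_period(text):
    # period ::= number | number multiplier
    m = re.fullmatch(r"(\d+)([smhd])?", text)
    if not m:
        raise ValueError(f"bad period: {text!r}")
    # Assumption (example's own): a bare number is a count of seconds.
    return int(m.group(1)) * MULT[m.group(2) or "s"]


def parse_trigger(text):
    # trigger ::= number '/' period
    count, sep, period = text.partition("/")
    if not sep or not count.isdigit():
        raise ValueError(f"bad trigger: {text!r}")
    return Trigger(int(count), parse_period(period))


def parse_clause(text):
    # userclause ::= userspec ':' triglist ; the trigger list never contains
    # ':', so splitting on the last ':' keeps any ':' inside a word intact.
    userspec, sep, triglist = text.rpartition(":")
    if not sep:
        raise ValueError(f"bad user clause: {text!r}")
    negate = userspec.startswith("!")
    if negate:
        userspec = userspec[1:]
    names = []
    for userservice in userspec.split("|"):
        # userservice ::= username | username '/' servicename
        user, _, service = userservice.partition("/")
        service = service or "*"  # a bare username matches every service
        if not (NAME_RE.fullmatch(user) and NAME_RE.fullmatch(service)):
            raise ValueError(f"bad name: {userservice!r}")
        names.append((user, service))
    triggers = tuple(parse_trigger(t) for t in triglist.split(","))
    return UserClause(tuple(names), negate, triggers)


def parse_rule(text):
    # rule ::= userclause | userclause /\s+/ rule
    clauses = tuple(parse_clause(c) for c in text.split())
    if not clauses:
        raise ValueError("empty rule")
    return clauses


def clause_matches(clause, user, service):
    hit = any(u in ("*", user) and s in ("*", service) for u, s in clause.names)
    return hit != clause.negate  # '!' inverts the sense of the match


def is_blocked(rule_text, user, service, failures, now):
    """True if any clause matching user/service has a trigger whose window
    (now - period .. now) holds at least `count` of the recorded failures.
    `failures` and `now` are epoch seconds; all matching clauses are checked."""
    for clause in parse_rule(rule_text):
        if not clause_matches(clause, user, service):
            continue
        for trig in clause.triggers:
            recent = sum(1 for t in failures if 0 <= now - t <= trig.period)
            if recent >= trig.count:
                return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000
    burst = [now - 60 * i for i in range(12)]  # constructed: 12 failures in 11 min
    # The user_rule shipped in the port's pam_abl.conf: !root:10/1h,30/1d
    print(is_blocked("!root:10/1h,30/1d", "alice", "sshd", burst, now))  # True
    print(is_blocked("!root:10/1h,30/1d", "root", "sshd", burst, now))   # False
```

The same evaluator applies to host_rule once the failure list is the history for one host, which the page describes only as "block access to hosts responsible for excessive authentication failures".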