What is PAM ABL?

 

pam_abl is a PAM module designed to automatically block hosts that are attempting a brute force attack. Brute force attacks are an unsophisticated way to find authentication credentials. Basically, a computer is set up to try all kinds of user name and password combinations until one works. It may sound fairly far-fetched, but it does actually work. Many system accounts have common user names. Passwords are also easily guessable in many situations.

pam_abl can protect any service that uses it for authentication. It works on the assumption that an attacker won't get the password right without a lot of trying. It watches for attacks by counting how many times a certain user or host tries to log into the service unsuccessfully. The host or user name is recorded along with the service being attacked. Optionally, the system can also run user-defined scripts when this happens, for example to update a firewall. After that point, it will be impossible for that user or host to log in successfully. The attacker can keep trying as much as he wants, but will never find a way to log in with his current method.

After a configured amount of time without any attempts, the user account or remote host will be allowed to log in again. When this happens, there is another opportunity to run system commands.
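
The counting, blocking and release behaviour described above, as a simplified Python model. This is an added example, not pam_abl's code or its configuration syntax; the class name, the limit of three failures, the one-hour quiet period and the sample address are assumptions constructed for illustration.

```python
import time
from collections import defaultdict

class FailureTracker:
    """Simplified model of the behaviour described above; not pam_abl's code."""

    def __init__(self, max_failures=3, quiet_period=3600, on_block=None, on_clear=None):
        self.max_failures = max_failures  # assumed limit, constructed for the example
        self.quiet_period = quiet_period  # assumed seconds without attempts before unblocking
        self.on_block = on_block or (lambda key: None)  # stands in for a user-defined script
        self.on_clear = on_clear or (lambda key: None)
        self.failures = defaultdict(int)  # (kind, name, service) -> failed attempts
        self.last_seen = {}               # (kind, name, service) -> time of last attempt
        self.blocked = set()

    def _expire(self, key, now):
        # After a quiet period the record is dropped and a blocked subject is released.
        last = self.last_seen.get(key)
        if last is not None and now - last >= self.quiet_period:
            self.failures.pop(key, None)
            del self.last_seen[key]
            if key in self.blocked:
                self.blocked.discard(key)
                self.on_clear(key)

    def attempt(self, host, user, service, password_ok, now=None):
        """Return True only if the credentials are right and nothing is blocked."""
        now = time.time() if now is None else now
        keys = [("host", host, service), ("user", user, service)]
        for key in keys:
            self._expire(key, now)
        was_blocked = any(key in self.blocked for key in keys)
        for key in keys:
            self.last_seen[key] = now  # any attempt restarts the quiet timer
            if not password_ok:
                self.failures[key] += 1
                if self.failures[key] >= self.max_failures and key not in self.blocked:
                    self.blocked.add(key)
                    self.on_block(key)
        return password_ok and not was_blocked

def demo():
    """Constructed scenario: three bad guesses, a correct guess while blocked, then a quiet hour."""
    events = []
    t = FailureTracker(on_block=lambda k: events.append(("block", k[0])),
                       on_clear=lambda k: events.append(("clear", k[0])))
    guesses = [(0, False), (10, False), (20, False), (30, True), (3630, True)]
    results = [t.attempt("203.0.113.7", "root", "sshd", ok, now=ts) for ts, ok in guesses]
    return results, events
```

The fourth attempt carries the right password and is still refused, which is the property the text relies on: once blocked, guessing correctly no longer helps until the quiet period has passed.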

Command line interface

Although pam_abl is a PAM module, you can also use it in applications that are not PAM enabled (e.g. an FTP server using a custom authentication method to validate virtual users). For these situations, there is also a command line (scriptable) interface to all the data in the database. This allows sharing of authentication failure data between PAM applications and non-PAM applications. It makes it fairly easy for a system administrator to manage or manipulate the system.