ports/100635: [NEW PORT] security/pam_abl: Blacklisting responsible for repeated failed authentication attempts

Petr Rehor prehor at gmail.com
Thu Jul 20 22:30:16 UTC 2006


>Number:         100635
>Category:       ports
>Synopsis:       [NEW PORT] security/pam_abl: Blacklisting responsible for repeated failed authentication attempts
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 20 22:30:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Petr Rehor
>Release:        FreeBSD 6.0-RELEASE-c3 i386
>Organization:
>Environment:
System: FreeBSD charon.rx.cz 6.0-RELEASE-c3 FreeBSD 6.0-RELEASE-c3 #0: Tue Nov  8 20:44:39 UTC
>Description:
The pam_abl provides auto blacklisting of hosts and users
responsible for repeated failed authentication attempts.

WWW: http://www.hexten.net/pam_abl/

Generated with FreeBSD Port Tools 0.77
>How-To-Repeat:
>Fix:

--- pam_abl-0.2.3.shar begins here ---
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	pam_abl
#	pam_abl/files
#	pam_abl/files/pkg-message.in
#	pam_abl/files/patch-Makefile
#	pam_abl/files/patch-pam_abl.h
#	pam_abl/files/patch-pam_abl.c
#	pam_abl/files/patch-tools-Makefile
#	pam_abl/files/patch-conf-pam_abl.conf
#	pam_abl/files/patch-conf-system-auth
#	pam_abl/files/patch-doc-index.html
#	pam_abl/files/patch-doc-pam_abl.html
#	pam_abl/files/pkg-plist.in
#	pam_abl/files/pam_abl.8.in
#	pam_abl/files/pkg-deinstall.in
#	pam_abl/files/190.clean-pam-abl.in
#	pam_abl/pkg-descr
#	pam_abl/distinfo
#	pam_abl/Makefile
#
echo c - pam_abl
mkdir -p pam_abl > /dev/null 2>&1
echo c - pam_abl/files
mkdir -p pam_abl/files > /dev/null 2>&1
echo x - pam_abl/files/pkg-message.in
sed 's/^X//' >pam_abl/files/pkg-message.in << 'END-of-pam_abl/files/pkg-message.in'
X*****************************************************************************
X
XRead files in %%DOCSDIR%% for info on how to set up.
X
X*****************************************************************************
X
XTo automatically purge pam_abl databases according to purge rules in config
Xadd to your /etc/periodic.conf this line:
X
X  daily_clean_pam_abl_enable="YES"
X
X*****************************************************************************
END-of-pam_abl/files/pkg-message.in
echo x - pam_abl/files/patch-Makefile
sed 's/^X//' >pam_abl/files/patch-Makefile << 'END-of-pam_abl/files/patch-Makefile'
X--- Makefile.orig	Wed Oct 12 21:22:25 2005
X+++ Makefile	Sun Dec 11 00:29:31 2005
X@@ -1,11 +1,11 @@
X # Makefile
X # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $
X 
X-CFLAGS=-Wall -fPIC
X-PAMDIR=/lib/security
X-CONFDIR=/etc/security
X-DBDIR=/var/lib/abl
X-LIBS=-ldb -lpthread
X+CFLAGS=-Wall -fPIC -I/usr/local/include
X+PAMDIR=%%PREFIX%%/lib
X+CONFDIR=%%ETCPREFIX%%/etc
X+DBDIR=%%PAMABLDB%%
X+LIBS=-L/usr/local/lib -ldb -lpthread
X MODULE=pam_abl.so
X OBJ=pam_abl.o log.o config.o rule.o
X SUBDIRS=tools
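Review bot: The new CFLAGS and LIBS lines hard-code /usr/local/include and /usr/local/lib while the same hunk already routes the install locations through %%PREFIX%%, so a build with a non-default LOCALBASE, or a Berkeley DB installed elsewhere, will not find the -l${BDB_LIB_NAME} library that the port's SED_SCRIPT substitutes in. A placeholder such as `-I%%LOCALBASE%%/include` / `-L%%LOCALBASE%%/lib`, with a matching `-e 's|%%LOCALBASE%%|${LOCALBASE}|'` added to SED_SCRIPT in the port Makefile, keeps the patch relocatable. The plain `CFLAGS=` assignment also presumably discards whatever CFLAGS the ports framework passes into the build, so `CFLAGS+=` may be preferable. The same two lines appear in files/patch-tools-Makefile.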
X@@ -14,17 +14,17 @@
X 	for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
X 
X $(MODULE) : $(OBJ)
X-	ld -x --shared $(LIBS) -o $@ $^
X+	ld -x --shared $(LIBS) -o $(MODULE) $(OBJ)
X 
X clean :
X 	rm -f $(MODULE) $(OBJ)
X 	for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
X 
X install : $(MODULE)
X-	install --mode=755 --strip $(MODULE) $(PAMDIR)
X-	#install --mode=644 conf/pam_abl.conf $(CONFDIR)
X-	install -d --mode=755 $(DBDIR)
X-	for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
X+	install -m 755 -s $(MODULE) $(PAMDIR)
X+	install -m 644 conf/pam_abl.conf $(CONFDIR)/pam_abl.conf.sample
X+	install -d -m 755 $(DBDIR)
X+	for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
X 
X depend :
X 	cc -MM *.c > deps
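Review bot: `install -d -m 755 $(DBDIR)` leaves the blacklist database directory world-readable; the hosts.db and users.db files it holds record every host and user name behind a failed authentication, and such records can contain passwords typed into the user-name prompt, so a 700 mode is the safer default unless unprivileged use of the maintenance tool is intended. Consider `install -d -m 700 $(DBDIR)` and a matching mode on the pkg-plist @exec line, which creates the same directory. The `ld -x --shared` link also bypasses $(CC), so no LDFLAGS from the ports framework reach it; `$(CC) -shared $(LDFLAGS) $(LIBS) -o $(MODULE) $(OBJ)` would be the usual form.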
END-of-pam_abl/files/patch-Makefile
echo x - pam_abl/files/patch-pam_abl.h
sed 's/^X//' >pam_abl/files/patch-pam_abl.h << 'END-of-pam_abl/files/patch-pam_abl.h'
X--- pam_abl.h.orig	Wed Oct 12 21:22:27 2005
X+++ pam_abl.h	Sat Jan 14 19:25:44 2006
X@@ -51,6 +51,7 @@
X #define __PAM_ABL_H
X 
X #include <security/pam_modules.h>
X+#include <security/pam_appl.h>
X #include <db.h>
X 
X #include <ctype.h>
X@@ -74,7 +75,7 @@
X /* User purge time in seconds */
X #define USER_PURGE  (HOURSECS * 24)
X 
X-#define CONFIG "/etc/security/pam_abl.conf"
X+#define CONFIG "%%ETCPREFIX%%/etc/pam_abl.conf"
X 
X typedef struct abl_string {
X     struct abl_string *link;
END-of-pam_abl/files/patch-pam_abl.h
echo x - pam_abl/files/patch-pam_abl.c
sed 's/^X//' >pam_abl/files/patch-pam_abl.c << 'END-of-pam_abl/files/patch-pam_abl.c'
X--- pam_abl.c.orig	Wed Oct 12 21:22:26 2005
X+++ pam_abl.c	Sat Jan 14 21:39:41 2006
X@@ -344,7 +344,7 @@
X         abl_args *args = data;
X         log_debug(args, "In cleanup, err is %08x", err);
X 
X-        if (err && (err & PAM_DATA_REPLACE) == 0) {
X+        if (err == PAM_AUTH_ERR) {
X             record_attempt(args);
X         }
X         config_free(args);
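Review bot: Narrowing the cleanup test to `if (err == PAM_AUTH_ERR)` stops counting any other failure status the application passes to pam_end() — PAM_MAXTRIES, PAM_PERM_DENIED or PAM_USER_UNKNOWN, for instance — so some failed logins would no longer feed the blacklist. The removed `err && (err & PAM_DATA_REPLACE) == 0` counted every non-success status except the data-replace callback; if that callback reports PAM_SUCCESS on this PAM implementation, `if (err != PAM_SUCCESS)` preserves the original coverage, otherwise enumerate the failure codes explicitly. The enclosing cleanup function starts before the hunk.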
X@@ -359,6 +359,12 @@
X     int err = PAM_SUCCESS;
X 
X     /*log_debug(NULL, "pam_sm_authenticate(), flags=%08x", flags);*/
X+
X+    if (err = pam_get_data(pamh, DATA_NAME, &args), PAM_SUCCESS == err) {
X+        record_attempt(args);
X+    } else if (PAM_NO_MODULE_DATA != err) {
X+       return err;
X+    }
X 
X     if (args = malloc(sizeof(abl_args)), NULL == args) {
X         return PAM_BUF_ERR;
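Review bot: The new block records a failed attempt whenever pam_sm_authenticate() is entered while module data from an earlier call is still attached, which assumes the application only re-enters authentication after a failure; an application that calls pam_authenticate() twice on one handle after a success would log a spurious failure, so the assumption deserves a comment such as `/* Data left from a previous pam_authenticate() on this handle means that attempt did not succeed: count it now. */`. Passing `&args` to pam_get_data() also needs a `(const void **)` cast if args is declared `abl_args *` as the first hunk suggests, and the `return err;` line is indented one column less than its neighbours. The rest of pam_sm_authenticate() lies outside the hunk.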
END-of-pam_abl/files/patch-pam_abl.c
echo x - pam_abl/files/patch-tools-Makefile
sed 's/^X//' >pam_abl/files/patch-tools-Makefile << 'END-of-pam_abl/files/patch-tools-Makefile'
X--- tools/Makefile.orig	Wed Oct 12 21:22:27 2005
X+++ tools/Makefile	Sun Dec 11 00:22:30 2005
X@@ -1,18 +1,18 @@
X # Makefile
X 
X-CFLAGS=-Wall
X-LIBS=-ldb -lpthread
X+CFLAGS=-Wall -I/usr/local/include
X+LIBS=-L/usr/local/lib -ldb -lpthread
X TARGET=pam_abl
X OBJ=log.o config.o rule.o pam_abl.o
X-INSTDIR=/usr/bin
X+INSTDIR=%%PREFIX%%/sbin
X 
X all : $(TARGET)
X 
X $(TARGET) : $(OBJ)
X-	cc $(LIBS) -o $@ $^
X+	cc $(LIBS) -o $(TARGET) $(OBJ)
X 
X install : $(TARGET)
X-	install --mode=755 --strip $(TARGET) $(INSTDIR)
X+	install -m 755 -s $(TARGET) $(INSTDIR)
X 
X clean :
X 	rm -f $(TARGET) $(OBJ)
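Review bot: The rewritten link line keeps a literal `cc` and passes no `$(LDFLAGS)`, so the compiler and linker flags the ports framework exports are ignored for the maintenance tool; `$(CC) $(LDFLAGS) $(LIBS) -o $(TARGET) $(OBJ)` behaves the same in the default case and honours overrides. The hard-coded /usr/local paths are the point already raised on files/patch-Makefile.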
END-of-pam_abl/files/patch-tools-Makefile
echo x - pam_abl/files/patch-conf-pam_abl.conf
sed 's/^X//' >pam_abl/files/patch-conf-pam_abl.conf << 'END-of-pam_abl/files/patch-conf-pam_abl.conf'
X--- conf/pam_abl.conf.orig	Sat Dec 10 23:27:33 2005
X+++ conf/pam_abl.conf	Sun Dec 11 00:07:41 2005
X@@ -1,8 +1,8 @@
X-# /etc/security/pam_abl.conf
X+# %%ETCPREFIX%%/etc/pam_abl.conf
X # debug
X-host_db=/var/lib/abl/hosts.db
X+host_db=%%PAMABLDB%%/hosts.db
X host_purge=2d
X host_rule=*:10/1h,30/1d
X-user_db=/var/lib/abl/users.db
X+user_db=%%PAMABLDB%%/users.db
X user_purge=2d
X user_rule=!root:10/1h,30/1d
END-of-pam_abl/files/patch-conf-pam_abl.conf
echo x - pam_abl/files/patch-conf-system-auth
sed 's/^X//' >pam_abl/files/patch-conf-system-auth << 'END-of-pam_abl/files/patch-conf-system-auth'
X--- conf/system-auth.orig	Wed Oct 12 21:22:27 2005
X+++ conf/system-auth	Sat Jan 14 22:37:20 2006
X@@ -1,15 +1,24 @@
X-#%PAM-1.0
X-auth        required      /lib/security/$ISA/pam_env.so
X-auth        required      /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
X-auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
X-auth        required      /lib/security/$ISA/pam_deny.so
X+#
X+# System-wide defaults
X+#
X 
X-account     required      /lib/security/$ISA/pam_unix.so
X+# auth
X+auth		required	%%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf
X+auth		sufficient	pam_opie.so		no_warn no_fake_prompts
X+auth		requisite	pam_opieaccess.so	no_warn allow_local
X+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
X+#auth		sufficient	pam_ssh.so		no_warn try_first_pass
X+auth		required	pam_unix.so		no_warn try_first_pass nullok
X 
X-password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
X-password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
X-password    required      /lib/security/$ISA/pam_deny.so
X+# account
X+#account 	required	pam_krb5.so
X+account		required	pam_login_access.so
X+account		required	pam_unix.so
X 
X-session     required      /lib/security/$ISA/pam_limits.so
X-session     required      /lib/security/$ISA/pam_abl.so
X-session     required      /lib/security/$ISA/pam_unix.so
X+# session
X+#session 	optional	pam_ssh.so
X+session		required	pam_lastlog.so		no_fail
X+
X+# password
X+#password	sufficient	pam_krb5.so		no_warn try_first_pass
X+password	required	pam_unix.so		no_warn try_first_pass
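Review bot: The file keeps the Linux-PAM name system-auth although its contents are now a FreeBSD stack (pam_opie, pam_opieaccess, pam_login_access, pam_lastlog); on FreeBSD the system-wide defaults are read from /etc/pam.d/system, so an administrator who copies this file verbatim into /etc/pam.d gets no effect. A header comment such as `# Sample /etc/pam.d/system with pam_abl added to the auth stack` would make the intended destination explicit. Listing pam_abl.so first and `required` means every attempt is counted whichever later module fails, which matches what the man page asks for.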
END-of-pam_abl/files/patch-conf-system-auth
echo x - pam_abl/files/patch-doc-index.html
sed 's/^X//' >pam_abl/files/patch-doc-index.html << 'END-of-pam_abl/files/patch-doc-index.html'
X--- doc/index.html.orig	Wed Oct 12 21:22:27 2005
X+++ doc/index.html	Sat Jan 14 22:48:16 2006
X@@ -44,7 +44,7 @@
X 			<dd>Requires <a href="http://www.sleepycat.com/products/db.shtml">Berkeley DB</a>
X 			(tested with 4.3.21 and 4.2.50).<br />
X 
X-			Requires a configuration file (by convention /etc/security/pam_abl.conf)</dd>
X+			Requires a configuration file (by convention %%ETCPREFIX%%/etc/pam_abl.conf)</dd>
X 
X 			<dt>Network aware:</dt>
X 
X@@ -171,28 +171,26 @@
X 				<p>Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:</p>
X 
X 				<table class="config">
X-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
X-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
X-					<tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
X-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
X+					<tr><td>auth</td><td>required</td><td>%%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
X+					<tr><td>auth</td><td>required</td><td>pam_unix.so no_warn try_first_pass nullok</td></tr>
X 				</table>
X 
X-				<p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
X+				<p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (%%ETCPREFIX%%/etc/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
X 
X 			</dd>
X 
X 			<dt>Config file syntax:</dt>
X 
X 			<dd>
X-				<p>The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample /etc/security/pam_abl.conf:</p>
X+				<p>The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample %%ETCPREFIX%%/etc/pam_abl.conf:</p>
X 
X 				<table class="config">
X-					<tr><td># /etc/security/pam_abl.conf</td></tr>
X+					<tr><td># %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
X 					<tr><td>debug</td></tr>
X-					<tr><td>host_db=/var/lib/abl/hosts.db</td></tr>
X+					<tr><td>host_db=%%PAMABLDB%%/hosts.db</td></tr>
X 					<tr><td>host_purge=2d</td></tr>
X 					<tr><td>host_rule=*:10/1h,30/1d</td></tr>
X-					<tr><td>user_db=/var/lib/abl/users.db</td></tr>
X+					<tr><td>user_db=%%PAMABLDB%%/users.db</td></tr>
X 					<tr><td>user_purge=2d</td></tr>
X 					<tr><td>user_rule=!root:10/1h,30/1d</td></tr>
X 				</table>
X@@ -282,21 +280,19 @@
X 				<p>Sample PAM config fragment:</p>
X 
X 				<table class="config">
X-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
X-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
X-					<tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
X-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
X+					<tr><td>auth</td><td>required</td><td>%%PREFIX%%/lib/pam_abl.so %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
X+					<tr><td>auth</td><td>required</td><td>pam_unix.so no_warn try_first_pass nullok</td></tr>
X 				</table>
X 
X-				<p>Sample /etc/security/pam_abl.conf:</p>
X+				<p>Sample %%ETCPREFIX%%/etc/pam_abl.conf:</p>
X 
X 				<table class="config">
X-					<tr><td># /etc/security/pam_abl.conf</td></tr>
X+					<tr><td># %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
X 					<tr><td>debug</td></tr>
X-					<tr><td>host_db=/var/lib/abl/hosts.db</td></tr>
X+					<tr><td>host_db=%%PAMABLDB%%/hosts.db</td></tr>
X 					<tr><td>host_purge=2d</td></tr>
X 					<tr><td>host_rule=*:10/1h,30/1d</td></tr>
X-					<tr><td>user_db=/var/lib/abl/users.db</td></tr>
X+					<tr><td>user_db=%%PAMABLDB%%/users.db</td></tr>
X 					<tr><td>user_purge=2d</td></tr>
X 					<tr><td>user_rule=!root:10/1h,30/1d</td></tr>
X 				</table>
END-of-pam_abl/files/patch-doc-index.html
echo x - pam_abl/files/patch-doc-pam_abl.html
sed 's/^X//' >pam_abl/files/patch-doc-pam_abl.html << 'END-of-pam_abl/files/patch-doc-pam_abl.html'
X--- doc/pam_abl.html.orig	Wed Oct 12 21:22:27 2005
X+++ doc/pam_abl.html	Sat Jan 14 23:00:43 2006
X@@ -15,7 +15,7 @@
X         <dd>pam_abl [OPTION] [CONFIG]</dd>
X         <dt>DESCRIPTION</dt>
X         <dd>
X-            <p>Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: /etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available</p>
X+            <p>Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: %%ETCPREFIX%%/etc/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available</p>
X             <table>
X                 <tr>
X                     <td>-h, --help</td>
END-of-pam_abl/files/patch-doc-pam_abl.html
echo x - pam_abl/files/pkg-plist.in
sed 's/^X//' >pam_abl/files/pkg-plist.in << 'END-of-pam_abl/files/pkg-plist.in'
X@comment $FreeBSD$
Xetc/pam_abl.conf.sample
Xetc/periodic/daily/190.clean-pam-abl
Xlib/pam_abl.so
Xsbin/pam_abl
X@exec mkdir -p %%PAMABLDB%%
END-of-pam_abl/files/pkg-plist.in
echo x - pam_abl/files/pam_abl.8.in
sed 's/^X//' >pam_abl/files/pam_abl.8.in << 'END-of-pam_abl/files/pam_abl.8.in'
X.\"
X.\" $FreeBSD$
X.\"
X.Dd January 14, 2006
X.Dt pam_abl 8
X.Os
X.Sh NAME
X.Nm pam_abl
X.Nd auto blacklist PAM module
X.Sh SYNOPSIS
X.Ss Auto Blacklist PAM module
X.Op Ar service-name
X.Ar module-name
X.Ar control-flag
X.Pa pam_abl
X.Op Ar options
X.Ss Blacklist maintenance tool
X.Nm
X.Op Fl h | Fl -help
X.Op Fl p | Fl -purge
X.Op Fl r | Fl -relative
X.Op Fl v | Fl -verbose
X.Op Fl -okhost Ns No = Ns Ar host
X.Op Fl -okuser Ns No = Ns Ar user
X.Op Ar config-file
X.Sh DESCRIPTION
XThe Auto Blacklist module for PAM,
X.Nm
Xprovides functionality for only one PAM category: authentication.
XIn terms of the
X.Ar module-type
Xparameter, this is the
X.Dq Li auth
Xfeature.
X.Ss Auto Blacklist PAM Authentication Module
X.Nm
Xprovides auto blacklisting of hosts and users responsible for repeated
Xfailed authentication attempts. Generally configured so that blacklisted
Xusers still see normal login prompts but are guaranteed to fail to
Xauthenticate.  This functionality is only available to services which call
XPAM as root.  If
X.Nm
Xis called for uid != 0 it will silently succeed.
X
XThe following options may be passed to the authentication module:
X.Bl -tag -width indent
X.It Cm debug
X.Xr syslog 3
Xdebugging information at
X.Dv LOG_DEBUG
Xlevel.
X.It Cm expose_account
XIgnored.
X.It Cm no_warn
Xsuppress warning messages to the user.
XThese messages include reasons why the user's authentication attempt was
Xdeclined.
X.It Cm try_first_pass
XIgnored.
X.It Cm use_first_pass
XIgnored.
X.It Cm use_mapped_pass
XIgnored.
X.It Cm config Ns No = Ns Ar config-file
XThe configuration file contains additional arguments. In order for the
X.Nm
Xblacklist maintenance tool to work correctly most of the configuration
Xshould be placed in the config file rather than being provided by arguments.
XThe format of the config file is described below.
X.It Cm host_db Ns No = Ns Ar host-database-file
XPath to the Berkeley DB which is used to log the host responsible for failed
Xauthentication attempts.
XIf host_db is omitted the corresponding auto blacklisting will be disabled.
X.It Cm host_purge Ns No = Ns Ar time
XDefines how long failed hosts are retained in the host database.
XDefaults to 1 day.
X.It Cm host_rule Ns No = Ns Ar host-rule
XThe rule (see below for format) which defines the conditions under which a
Xfailed host will be blacklisted.
X.It Cm user_db Ns No = Ns Ar user-database-file
XPath to the Berkeley DB which is used to log the user responsible for failed
Xauthentication attempts.
XIf user_db is omitted the corresponding auto blacklisting will be disabled.
X.It Cm user_purge Ns No = Ns Ar time
XDefines how long failed users are retained in the user database.
XDefaults to 1 day.
X.It Cm user_rule Ns No = Ns Ar user-rule
XThe rule (see below for format) which defines the conditions under which a
Xfailed user will be blacklisted.
X.El
X.Ss Rules syntax
X.Cm host_rule No Cm user_rule
Xare the rules which determine the circumstances under which accounts are
Xauto blacklisted.
XThe
X.Cm host_rule
Xis used to block access to hosts that are responsible for excessive
Xauthentication failures and the
X.Cm user_rule
Xis used to disable accounts for which there have been excessive
Xauthentication failures.
XEach rule consists of a number of space separated
X.Sy user clauses Ns No .
XA
X.Sy user clause
Xspecifies the user names and services to match and a set of triggers.
XA simple example would be:
X.Bd -literal -offset indent
X*:10/1h
X.Ed
X.Pp
Xwhich means 'block any user (*) if they are responsible for ten or more
Xfailed authentication attempts in the last hour'.
XIn place of the '*' which matches any user a list of usernames can be
Xsupplied like this:
X.Bd -literal -offset indent
Xroot|dba|admin:10/1h
X.Ed
X.Pp
Xwhich means 'block the users root, dba and admin if they are responsible
Xfor ten or more failed authentication attempts in the last hour'.
XYou can also specify a service name to match against like this:
X.Bd -literal -offset indent
Xroot/sshd|dba/*:3/1d
X.Ed
X.Pp
Xwhich means 'block the users root for service sshd and user dba for any
Xservice if they are responsible for three or more failed authentication
Xattempts in the last day'.
XFinally you can specify multiple triggers like this:
X.Bd -literal -offset indent
Xroot:10/1h,20/1d
X.Ed
X.Pp
Xwhich means 'block the user root if they are responsible for ten or more
Xfailed attempts in the last hour or twenty or more failed attempts in the
Xlast day'.
X.Pp
XMultiple rules can be provided separated by spaces like this:
X.Bd -literal -offset indent
X*:10/1h root:5/1h,10/1d
X.Ed
X.Pp
Xin which case all rules that match a particular user and service will be
Xchecked.
XThe user or host will be blocked if any of the rule triggers matches.
X.Pp
XThe sense of the user matching can be inverted by placing a '!' in front
Xof the rule so that:
X.Bd -literal -offset indent
X!root:20/1d
X.Ed
X.Pp
Xis a rule which would match for all users apart from root.
X.Pp
XIt is important to treat root as a special case in the
X.Cm user_rule
Xotherwise excessive attempts to authenticate as root will result in the
Xroot account being locked out even for valid holders of root credentials.
X.Pp
XHere is the full syntax for rules:
X.Bd -literal -offset indent
Xword ::= /[^\\s\\|\\/\\*]+/
Xname ::= word | '*'
Xusername ::= name
Xservicename ::= name
Xuserservice ::= username | username '/' servicename
Xnamelist ::= userservice | userservice '|' namelist
Xuserspec ::= namelist | '!' namelist
Xmultiplier ::= 's' | 'm' | 'h' | 'd'
Xnumber ::= /\d+/
Xperiod ::= number | number multiplier
Xtrigger ::= number '/' period
Xtriglist ::= trigger | trigger ',' triglist
Xuserclause ::= userspec ':' triglist
Xrule ::= userclause | userclause /\s+/ rule
X.Ed
X.Pp
XFor rules to work correctly
X.Cm host_purge No and Cm user_purge
Xmust be at least as long as the longest period specified in a corresponding
Xrule.
XYou may wish to retain information about failed attempts for longer than
Xthis so that the
X.Nm
Xblacklist maintenance tool can report information over a longer period of
Xtime.
XThe format for these items is a number with an optional multiplier suffix,
X's', 'm', 'h' or 'd' which correspond with seconds, minutes, hours and days.
XTo specify seven days for example one would use '7d'.
XNote that in normal operation
X.Nm
XPAM module will only purge the logged data for a particular host or user
Xif it happens to be updating it, i.e. if that host or user makes another
Xfailed attempt.
XTo purge all old entries the 
X.Nm
Xblacklist maintenance tool should be used.
X.Ss Blacklist maintenance tool
XBlacklist maintenance tool
X.Nm
Xperforms maintenance on the databases used by the
X.Nm
XPAM module.
XThe options are as follows:
X.Bl -tag -width indent
X.It Fl h | Fl -help
XPrint help page and exit.
X.It Fl p | Fl -purge
XPurge databases according to purge rules in config.
X.It Fl r | Fl -relative
XDisplay times relative to now otherwise absolute times will be displayed.
X.It Fl v | Fl -verbose
XVerbose output.
X.It Fl -okhost Ns No = Ns Ar host-name
XUnblock host.
X.It Fl -okuser Ns No = Ns Ar user-name
XUnblock user.
X.It Ar config-file
XName of the
X.Nm
Xconfiguration file (default: %%ETCPREFIX%%/etc/pam_abl.conf).
XThe config file is read to discover the names of the
X.Nm
Xdatabases and the rules that control purging of old data from them.
X.El
X.Sh EXAMPLES
X.Ss Auto Blacklist PAM module
XTypically
X.Nm
XPAM module is added to the auth stack as a required module just before
Xwhatever modules actually perform authentication.
XHere's a fragment of the PAM config:
X.Bd -literal -offset indent
Xauth required   pam_env
Xauth required   pam_abl  config=%%ETCPREFIX%%/etc/pam_abl.conf
Xauth sufficient pam_unix likeauth nullok
Xauth required   pam_deny
X.Ed
X.Ss Blacklist maintenance tool
XObtain a list of failed hosts and users:
X.Bd -literal -offset indent
X$ pam_abl
X.Ed
X.Pp
XObtain a full list of failures listing times relative to now:
X.Bd -literal -offset indent
X$ pam_abl -rv
X.Ed
X.Pp
XPurge old data:
X.Bd -literal -offset indent
X$ pam_abl -p
X.Ed
X.Pp
XUnblock all example.com hosts and all users:
X.Bd -literal -offset indent
X$ pam_abl -v --okhost='*.example.com' --okuser='*'
X.Ed
X.Sh SEE ALSO
X.Xr pam.conf 5 ,
X.Xr pam 8
X.Bd -literal
Xhttp://www.hexten.net/pam_abl/
Xhttp://sourceforge.net/project/showfiles.php?group_id=148927
X.Ed
X.Sh AUTHORS
XWritten by Andy Armstrong <andy at hexten.net>.
X.Sh BUGS
XReport bugs to Andy Armstrong <andy at hexten.net>.
END-of-pam_abl/files/pam_abl.8.in
echo x - pam_abl/files/pkg-deinstall.in
sed 's/^X//' >pam_abl/files/pkg-deinstall.in << 'END-of-pam_abl/files/pkg-deinstall.in'
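X#!/bin/sh
X#
X# $FreeBSD$
X#
X# Package deinstall hook for pam_abl, run as "pkg-deinstall <pkgname> <phase>".
X#
X#   DEINSTALL      - before the files are removed: drop the config file when
X#                    it is still identical to the sample, and the database
X#                    directory when it is empty.
X#   POST-DEINSTALL - afterwards: warn about PAM stacks that still reference
X#                    pam_abl.so and about files that were left behind.
X#
X# Any other phase is a usage error (exit 64, EX_USAGE).
X
XPATH=/bin:/usr/bin:/usr/sbin
X
X# Directory holding the blacklist databases (substituted by the port Makefile).
Xdbdir="%%PAMABLDB%%"
X
Xcase $2 in
XDEINSTALL)
X	cd "${PKG_PREFIX}/etc" || exit 1
X	# Only remove the config if the admin never changed it from the sample;
X	# -z compares sizes first so differing files are rejected cheaply.
X	cmp -s -z pam_abl.conf pam_abl.conf.sample && rm pam_abl.conf
X	# rmdir, not rm -r: a directory that still holds databases is preserved.
X	rmdir "${dbdir}" 2>/dev/null
X	;;
XPOST-DEINSTALL)
X	# PAM config files that still name the module.  A stack that lists a
X	# module which no longer exists is likely to fail rather than skip it,
X	# so this warning matters.  Only search directories that exist so grep
X	# does not complain about a missing ${PKG_PREFIX}/etc/pam.d.
X	pam_dirs=""
X	for dir in /etc/pam.d "${PKG_PREFIX}/etc/pam.d"; do
X		[ -d "${dir}" ] && pam_dirs="${pam_dirs} ${dir}"
X	done
X	pam_files=""
X	if [ -n "${pam_dirs}" ]; then
X		pam_files="$(grep -lR '^[^#]*pam_abl\.so' ${pam_dirs})"
X	fi
X	echo "===> post-deinstallation information for $1:"
X	if [ -n "${pam_files}" ]; then
X		echo ""
X		echo "     Warning: pam_abl is still used by these services:"
X		for pam_file in ${pam_files}; do
X			echo "	${pam_file}"
X		done
X	fi
X	if [ -e "${PKG_PREFIX}/etc/pam_abl.conf" -o -d "${dbdir}" ]; then
X		echo ""
X		echo "     To ease updates, the database directory and configuration"
X		echo "     file modified by you were preserved."
X		echo ""
X		echo "     Please remove them manually if you do not want to use"
X		echo "     pam_abl any longer."
X	fi
X	echo ""
X	;;
X*)
X	exit 64
X	;;
Xesac
Xexit 0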
END-of-pam_abl/files/pkg-deinstall.in
echo x - pam_abl/files/190.clean-pam-abl.in
sed 's/^X//' >pam_abl/files/190.clean-pam-abl.in << 'END-of-pam_abl/files/190.clean-pam-abl.in'
X#!/bin/sh
X#
X# $FreeBSD$
X#
X# Purge pam_abl databases according to purge rules in config.
X#
X# periodic(8) daily script.  Enabled by daily_clean_pam_abl_enable="YES" in
X# periodic.conf; daily_clean_pam_abl_config_file may name an alternative
X# pam_abl config file (when empty the tool falls back to its built-in
X# default).  rc=3 is the conventional periodic(8) "script failed" status.
X#
X
X# Pull in the periodic.conf defaults and the local overrides they source.
X#
Xif [ -r /etc/defaults/periodic.conf ]; then
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
Xrc=0
Xcase "$daily_clean_pam_abl_enable" in
X    [Yy][Ee][Ss])
X	echo ""
X	echo "Purging pam_abl databases:"
X
X	# The config file variable is deliberately unquoted so that an empty
X	# value passes no argument at all.
X	if ! %%PREFIX%%/sbin/pam_abl -p -v ${daily_clean_pam_abl_config_file}; then
X		rc=3
X	fi
X	;;
Xesac
X
Xexit $rc
END-of-pam_abl/files/190.clean-pam-abl.in
echo x - pam_abl/pkg-descr
sed 's/^X//' >pam_abl/pkg-descr << 'END-of-pam_abl/pkg-descr'
XThe pam_abl provides auto blacklisting of hosts and users
Xresponsible for repeated failed authentication attempts.
X
XWWW: http://www.hexten.net/pam_abl/
END-of-pam_abl/pkg-descr
echo x - pam_abl/distinfo
sed 's/^X//' >pam_abl/distinfo << 'END-of-pam_abl/distinfo'
XMD5 (pam_abl-0.2.3.tar.gz) = fbcf97067e9647fa1d9257d4e6133cba
XSIZE (pam_abl-0.2.3.tar.gz) = 19000
END-of-pam_abl/distinfo
echo x - pam_abl/Makefile
sed 's/^X//' >pam_abl/Makefile << 'END-of-pam_abl/Makefile'
X# New ports collection makefile for:    pam_abl
X# Date created:				Nov 6 2005
X# Whom:	      				Petr Rehor <prehor at gmail.com>
X#
X# $FreeBSD$
X#
X
XPORTNAME=	pam_abl
XPORTVERSION=	0.2.3
XCATEGORIES=	security
XMASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
X# The SourceForge subdirectory spells the name with a dash (pam-abl).
XMASTER_SITE_SUBDIR=	${PORTNAME:S/_/-/}
X
XMAINTAINER=	prehor at gmail.com
XCOMMENT=	Blacklisting responsible for repeated failed authentication attempts
X
X# The upstream tarball unpacks into pam_abl/ with no version suffix.
XWRKSRC=		${WRKDIR}/${PORTNAME}
X
X# Directory for the host/user blacklist databases; overridable at build time.
X# It is created at install time (pkg-plist @exec and the patched upstream
X# "make install") and removed by pkg-deinstall only when it is empty.
XPAMABLDB?=	/var/db/pam_abl
X
X# Berkeley DB 4.2 or newer; provides BDB_INCLUDE_DIR and BDB_LIB_NAME below.
XUSE_BDB=	42+
X
X# Templates under files/ whose %%PAMABLDB%% and %%ETCPREFIX%% placeholders
X# (plus the framework-supplied PREFIX, DOCSDIR, ...) are expanded into ${WRKDIR}.
XSUB_FILES=	pkg-deinstall pkg-message pkg-plist pam_abl.8 190.clean-pam-abl
XSUB_LIST=	PAMABLDB=${PAMABLDB}
X
X# Use the substituted copies rather than the raw files/*.in templates.
XPKGMESSAGE=	${WRKDIR}/pkg-message
XPKGDEINSTALL=	${WRKDIR}/pkg-deinstall
XPLIST=		${WRKDIR}/pkg-plist
X
XMAN8=		pam_abl.8
X
X.if !defined(NOPORTDOCS)
XPORTDOCS=	*
X.endif
X
X.include <bsd.port.pre.mk>
X
X# The config file lives under ${PREFIX}/etc, except that a base-system style
X# PREFIX (/ or /usr) puts it directly in /etc.  Evaluated after
X# bsd.port.pre.mk so that PREFIX is already set.
X.if ${PREFIX} == / || ${PREFIX} == /usr
XETCPREFIX=
X.else
XETCPREFIX=	${PREFIX}
X.endif
XSUB_LIST+=	ETCPREFIX=${ETCPREFIX}
X
X# In-place edits applied after the files/patch-* patches: point <db.h> and
X# -ldb at the selected Berkeley DB and expand the %%...%% placeholders the
X# patches introduced.
XSED_SCRIPT=	-e 's|<db.h>|<${BDB_INCLUDE_DIR}/db.h>|' \
X		-e 's|-ldb|-l${BDB_LIB_NAME}|' \
X		-e 's|%%PREFIX%%|${PREFIX}|' \
X		-e 's|%%ETCPREFIX%%|${ETCPREFIX}|' \
X		-e 's|%%PAMABLDB%%|${PAMABLDB}|'
X
Xpost-patch:
X.for file in Makefile pam_abl.h conf/pam_abl.conf conf/system-auth doc/index.html doc/pam_abl.html tools/Makefile
X	@${REINPLACE_CMD} ${SED_SCRIPT} ${WRKSRC}/${file}
X.endfor
X
X# Docs, the man page and the periodic(8) purge script are installed here;
X# the module, tool, sample config and database directory come from the
X# upstream "make install" (see files/patch-Makefile).
Xpre-install:
X.if !defined(NOPORTDOCS)
X	@${MKDIR} ${DOCSDIR}
X.for file in AUTHORS COPYING Copyright NEWS README THANKS conf/system-auth doc/index.html doc/pam_abl.html doc/copying.html doc/style.css
X	${INSTALL_DATA} ${WRKSRC}/${file} ${DOCSDIR}
X.endfor
X.endif
X.if !defined(NO_INSTALL_MANPAGES)
X	@${MKDIR} ${MAN8PREFIX}/man/man8
X	${INSTALL_MAN} ${WRKDIR}/pam_abl.8 ${MAN8PREFIX}/man/man8/
X.endif
X	@${MKDIR} ${PREFIX}/etc/periodic/daily
X	${INSTALL_SCRIPT} ${WRKDIR}/190.clean-pam-abl ${PREFIX}/etc/periodic/daily/
X
X# Show the post-install notes (periodic.conf knob, docs location).
Xpost-install:
X	@${CAT} ${PKGMESSAGE}
X
X.include <bsd.port.post.mk>
END-of-pam_abl/Makefile
exit
--- pam_abl-0.2.3.shar ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:


