#16 Host based only blocking does not work

Status: open
Owner: danta
Labels: PAM Module (12)
Priority: 5
Updated: 2012-09-12
Created: 2010-01-21
Creator: Petr Písař
Private: No

I used pam_abl 0.2.3 with the following configuration for a very long time:

host_db=/var/lib/abl/hosts.db
host_purge=30d
host_rule=*:5/1h

user_db=/var/lib/abl/users.db
user_purge=30d
user_rule=!*:5/1h

The meaning is to block attacking hosts regardless of login name.

However, after upgrading to version 0.4.1 it does not work anymore. The pam_abl tool reports that the IP address and the user are blocked, but I'm able to log in from that address to the user account and I don't get the `Blocking access' message in syslog.

If I remove exclamation mark from user_rule, it will block only already blocked account, other accounts could log in from the same blocked host.

If I remove the user_rule line completely, pam_abl module segfaults.
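The configuration above relies on how pam_abl rule clauses are read: `*` matches every subject and a leading `!` negates the name list, so `host_rule=*:5/1h` blocks any host after 5 failures in an hour while `user_rule=!*:5/1h` matches no user at all. The following is an added Python model of that rule subset, written for this page; it is not pam_abl's code and not the reporter's. It assumes (my reading, not stated on the page) that the first clause whose name list matches a subject is the one applied, and that a subject is blocked once it has at least `triggers` failures inside the clause's period. The sample failure counts are constructed to mirror the dump quoted later in the ticket.

```python
# Added example: a small model of pam_abl-style rule evaluation (not pam_abl's
# own code). It covers the subset of the rule syntax used in this ticket:
#   rule   := clause ('|' clause)*
#   clause := ['!'] names ':' triggers '/' period      e.g. "!root,admin:10/1h"
# A leading '!' negates the name list, so "!*" matches nobody.
# Assumptions (not taken from the page): the first clause whose name list
# matches is applied, and a subject is blocked once it has >= triggers
# failures inside the clause's period.
import re
from dataclasses import dataclass

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
CLAUSE_RE = re.compile(r"^(!?)([^:|]+):(\d+)/(\d+)([smhd])$")


@dataclass(frozen=True)
class Clause:
    negate: bool
    names: frozenset
    triggers: int
    period: int  # seconds


def parse_rule(rule: str) -> list:
    """Parse "A:n/p|B:n/p" into Clause objects; raise on malformed input."""
    clauses = []
    for part in rule.split("|"):
        m = CLAUSE_RE.match(part.strip())
        if m is None:
            raise ValueError(f"malformed rule clause: {part!r}")
        neg, names, triggers, amount, unit = m.groups()
        clauses.append(Clause(
            negate=(neg == "!"),
            names=frozenset(n.strip() for n in names.split(",")),
            triggers=int(triggers),
            period=int(amount) * UNITS[unit],
        ))
    return clauses


def clause_matches(clause: Clause, subject: str) -> bool:
    """'*' or an explicit name matches; a leading '!' inverts the result."""
    listed = "*" in clause.names or subject in clause.names
    return listed != clause.negate


def is_blocked(rule: str, subject: str, failures, now: int) -> bool:
    """True if the first matching clause's trigger count is reached inside its period."""
    for clause in parse_rule(rule):
        if clause_matches(clause, subject):
            recent = sum(1 for t in failures if 0 <= now - t < clause.period)
            return recent >= clause.triggers
    return False  # no clause applies to this subject, so it is never blocked


def decide(host_rule, user_rule, host, user, host_failures, user_failures, now):
    """Deny if either the host or the user is blocked; both checks are independent."""
    host_hit = is_blocked(host_rule, host, host_failures, now)
    user_hit = is_blocked(user_rule, user, user_failures, now)
    return "deny" if (host_hit or user_hit) else "allow"


if __name__ == "__main__":
    # Constructed sample: 7 failures from 127.0.0.1 as 'petr' within the last
    # 7 minutes, matching the counts in the reporter's dump.
    now = 1_700_000_000
    fails = [now - 60 * i for i in range(1, 8)]
    # Reporter's config: block the attacking host, never block by user name.
    print(decide("*:5/1h", "!*:5/1h", "127.0.0.1", "petr", fails, fails, now))  # deny
    print(decide("*:5/1h", "!*:5/1h", "127.0.0.1", "alice", fails, [], now))    # deny
    print(is_blocked("!*:5/1h", "petr", fails, now))                             # False
```

With these semantics, a second account (`alice`) logging in from the blocked host is denied even though that user has no failures of its own, which is the "host based only" behaviour the ticket expects; the `!*` user rule contributes nothing, so the "Blocked based on rule [!*]" line in the later dump is the inconsistency the report is about.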

Discussion

  • Chris
    2011-04-11

    Was this after deleting the old databases? The new version cannot use the old databases.
    I have this on over 350 servers, and haven't had that problem.

    I realize that this bug is very old, but if it is still an issue, let me know more details about your setup.

     
  • Chris
    2011-04-11

    • assigned_to: nobody --> deksai
    • status: open --> pending
     
  • Petr Písař
    2011-04-13

    A year ago, I built pam_abl-0.4.1 against pam-1.1.0 and db-4.7.25_p4 and it did not work. I still have the binary and I can reproduce it even if I remove the databases.

    I've just built pam_abl from SVN tip against pam-1.1.3 and db-4.8.30 and this one works.

    I'm going to rebuild 0.4.1 release against current libraries and compare sources possibly.

     
  • Petr Písař
    2011-04-13

    • status: pending --> open
     
  • Petr Písař
    2011-04-13

    Still the same problem with 0.4.1 rebuilt against latest pam and db.

    In addition, the SVN tree that works for me contains version 0.3.0. Something is wrong with the SVN repository.

    When experimenting I noticed I got a `Blocking access' message on the first blocked attempt, then the message was missing in syslog and I could log in (from 127.0.0.1 as anybody). pam_abl dump states at the time:

    Failed users:
    petr (7)
    Blocked based on rule [!*]
    Failed hosts:
    127.0.0.1 (7)
    Blocked based on rule [*]

     
  • Chris
    2011-12-21

    If you are still interested, try this again with the latest release, and let me know if you still have problems.

     
  • Chris
    2011-12-21

    • status: open --> pending
     
  • danta
    2012-08-12

    A new version (0.5.0) has been released; it is almost a total rewrite. Could you please retest your problem with this version?

    FYI:
    The segfault you receive when not specifying a user_rule has been solved in 0.4.3.1

     
  • danta
    2012-08-12

    • labels: --> PAM Module
    • assigned_to: deksai --> danta
     
  • Petr Písař
    2012-09-12

    With 0.5.0, I observe the same issue as described in ticket #3564436 which is more or less similar to this ticket.

     
  • Petr Písař
    2012-09-12

    • status: pending --> open