Solved

configure sshblack installation settings

Posted on 2006-06-30
Last Modified: 2012-06-22
Hi,

I'm trying to set up sshblack (http://www.pettingers.org/code/sshblack.html), which is an automatic blacklisting program to stop hackers. My knowledge of Linux is pretty limited and I suspect that the answer is obvious.

I have sshblack up and running, but when trying to complete the howto from (http://wiki.oss-watch.ac.uk/InstallingSshblack) I have got to the point where the Perl script on their site has been copied and all the correct paths set. The following instructions are:

[root@luggage sshblack]# cp sshblack /etc/init.d
[root@luggage sshblack]# ls -al /etc/init.d/sshblack
-rwxr-xr-x  1 root root 1863 Dec 11 15:03 /etc/init.d/sshblack
[root@luggage sshblack]# chkconfig --add sshblack
[root@luggage sshblack]# chkconfig --list sshblack
sshblack        0:off   1:off   2:on    3:on    4:on    5:on    6:off

On my server:
[root@vpstream init.d]# ls -al /etc/init.d/sshblack
-rw-r--r--    1 root     root         2893 Jul  1 13:07 /etc/init.d/sshblack
so I chmod to 755 and made it the same as their example.

The problem I want answered is that on my server 2:off is set to off.
[root@vpstream init.d]# chkconfig --list sshblack
sshblack        0:off   1:off   2:off   3:on    4:on    5:on    6:off

I would like to know how to turn this on. (I suspect it is as simple and obvious as the chmod, which wasn't included in the instructions.)

And also:
service sshblack restart
is supposed to restart this program but it comes back with
[root@vpstream init.d]# service sshblack restart
(-): (-): No such file or directory

Thank you for your help.

michael


Question by:ussher

8 Comments
 
LVL 16

Expert Comment

by:xDamox
Hi,

I would suggest you try pam_abl. What distribution are you using?
 
LVL 1

Author Comment

by:ussher
Red Hat Linux EL3. It is a virtual server but unmanaged, so I have to take care of security myself. I have rkhunter and logwatcher going, which tell me I have hacking attempts; now I want to block them.

Why is pam_abl better than sshblack?

I originally wanted to use APF and BFD but could not get APF to work on my VPS because iptables needed to be reconfigured on the hardware node, which would change all the VPSs in my hosting company's server array, so they suggested SSHBLACK.
 
LVL 16

Expert Comment

by:xDamox
Hi,

pam_abl can be configured with any service and it's easy to configure: http://www.hexten.net/pam_abl/
 
LVL 1

Author Comment

by:ussher
Hi,

OK, I installed pam_abl. I think everything went OK; on make install there was one line that made me nervous: "/bin/sh: line 1: cd: t: No such file or directory"

Here is what I did:

pam_abl  pam_abl-0.2.3.tar.gz
[root@vpstream pam_abl]# make install
make: *** No rule to make target `install'.  Stop.
[root@vpstream pam_abl]# cd pam_abl
[root@vpstream pam_abl]# make install
cc -Wall -fPIC   -c -o pam_abl.o pam_abl.c
cc -Wall -fPIC   -c -o log.o log.c
cc -Wall -fPIC   -c -o config.o config.c
cc -Wall -fPIC   -c -o rule.o rule.c
ld -x --shared -ldb -lpthread -o pam_abl.so pam_abl.o log.o config.o rule.o
install --mode=755 --strip pam_abl.so /lib/security
#install --mode=644 conf/pam_abl.conf /etc/security
install -d --mode=755 /var/lib/abl
for d in t tools ; do cd $d && make install && cd .. ; done
/bin/sh: line 1: cd: t: No such file or directory
make[1]: Entering directory `/root/downloads/pam_abl/pam_abl/tools'
cc -Wall   -c -o log.o log.c
cc -Wall   -c -o config.o config.c
cc -Wall   -c -o rule.o rule.c
cc -Wall   -c -o pam_abl.o pam_abl.c
cc -ldb -lpthread -o pam_abl log.o config.o rule.o pam_abl.o
install --mode=755 --strip pam_abl /usr/bin
make[1]: Leaving directory `/root/downloads/pam_abl/pam_abl/tools'
[root@vpstream pam_abl]# cp conf/pam_abl.conf /etc/security
[root@vpstream pam_abl]# pico /etc/security/pam_abl.conf
[root@vpstream pam_abl]# cd /etc/security
[root@vpstream security]# ls
access.conf  chroot.conf  console.apps  console.perms  group.conf  limits.conf  pam_abl.conf  pam_env.conf  time.conf
[root@vpstream security]# pam_abl /etc/security/pam_abl.conf
Failed users:
Failed hosts:
[root@vpstream security]#


The instructions say to add some lines to the PAM config. Where is the file that I'm supposed to add these lines to?


Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually perform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:
auth      required      /lib/security/pam_env.so
auth      required      /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
auth      sufficient      /lib/security/pam_unix.so likeauth nullok
auth      required      /lib/security/pam_deny.so


Thanks.

michael
 
LVL 16

Accepted Solution

by:xDamox earned 250 total points
Hi,

Open the /etc/pam.d/sshd and add the following line:

auth     required     /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
 
LVL 1

Author Comment

by:ussher
Thanks very much.

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so
auth     required     /lib/security/pam_abl.so config=/etc/security/pam_abl.conf

So I'm good to go now? Thanks.

michael
 
LVL 16

Expert Comment

by:xDamox
Yep,

When a failed attempt happens, as root type:

pam_abl

and you will get something like this:

Failed users:
    nfsnobody (1)
        Not blocking
Failed hosts:
    202.107.202.66 (2)
        Not blocking
    202.110.122.167 (1)
        Not blocking
    211.95.72.125 (1)
        Not blocking
    incs-fo.b.astral.ro (1)
        Not blocking
    lxserv3.cs.denkosekka.ne.jp (1)
        Not blocking
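The pam_abl documentation fragment quoted earlier in the thread places pam_abl.so in the auth stack before the module that performs the actual authentication. The shell snippet below, added here as an example and not taken from pam_abl or from any of the posts, checks a PAM service file for that ordering. The three sample files are constructed; pam_stack.so is treated as an authenticating module because on this Red Hat release it delegates to the system-auth stack.

```shell
#!/bin/sh
# Added example (not part of pam_abl or of this thread's posts): report where
# pam_abl.so sits in a PAM service file. The pam_abl documentation places
# pam_abl.so in the auth stack before the module that does the real
# authentication, so that it runs on every attempt.

# check_pam_abl_order [FILE]   (reads stdin when FILE is omitted)
# Prints exactly one word:
#   ok        pam_abl.so is an auth entry and precedes the first authenticating
#             module (pam_unix.so, or pam_stack.so on older Red Hat releases)
#   too-late  pam_abl.so is present but only after an authenticating module
#   missing   no "auth ... pam_abl.so" entry at all
check_pam_abl_order() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 != "auth"                { next }   # only the auth stack matters here
        /pam_abl\.so/ {
            abl_seen = 1
            if (!auth_seen) { print "ok"; done = 1; exit }
        }
        /pam_unix\.so|pam_stack\.so/ { auth_seen = 1 }
        END {
            if (!done) print (abl_seen ? "too-late" : "missing")
        }
    ' "${1:--}"
}

# Constructed sample 1: the layout from the pam_abl documentation fragment.
sample_good() {
    cat <<'EOF'
#%PAM-1.0
auth      required      /lib/security/pam_env.so
auth      required      /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
auth      sufficient    /lib/security/pam_unix.so likeauth nullok
auth      required      /lib/security/pam_deny.so
EOF
}

# Constructed sample 2: pam_abl.so appended after the pam_stack.so entry that
# already performs authentication.
sample_late() {
    cat <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
session    required     pam_limits.so
auth       required     /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
EOF
}

# Constructed sample 3: pam_abl.so not configured at all.
sample_missing() {
    cat <<'EOF'
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
EOF
}

# Usage on a live system:  check_pam_abl_order /etc/pam.d/sshd
# Demo on the constructed samples:
for s in sample_good sample_late sample_missing; do
    printf '%-15s %s\n' "$s:" "$("$s" | check_pam_abl_order)"
done
```

On the target system, run `check_pam_abl_order /etc/pam.d/sshd` after editing the file. `too-late` means pam_abl.so is only reached after the authenticating module, which is not the placement the documentation describes, and a module marked `sufficient` earlier in the stack can end the stack before pam_abl.so runs at all; `missing` means the module is not consulted for ssh logins.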
 
LVL 1

Author Comment

by:ussher
Thanks