Solved

configure sshblack installation settings

Posted on 2006-06-30
Last Modified: 2012-06-22
Hi,

I'm trying to set up sshblack (http://www.pettingers.org/code/sshblack.html), which is an automatic blacklisting program to stop hackers. My knowledge of Linux is pretty limited and I suspect that the answer is obvious.

I have sshblack up and running, but when trying to complete the howto from (http://wiki.oss-watch.ac.uk/InstallingSshblack) I have got to the point where the perl script on their site has been copied and all the correct paths set. The following instructions are:

[root@luggage sshblack]# cp sshblack /etc/init.d
[root@luggage sshblack]# ls -al /etc/init.d/sshblack
-rwxr-xr-x  1 root root 1863 Dec 11 15:03 /etc/init.d/sshblack
[root@luggage sshblack]# chkconfig --add sshblack
[root@luggage sshblack]# chkconfig --list sshblack
sshblack        0:off   1:off   2:on    3:on    4:on    5:on    6:off

on my server:
[root@vpstream init.d]# ls -al /etc/init.d/sshblack
-rw-r--r--    1 root     root         2893 Jul  1 13:07 /etc/init.d/sshblack
so I chmod'd it to 755 and made it the same as their example.

The problem I want answered is that on my server 2 is set to off.
[root@vpstream init.d]# chkconfig --list sshblack
sshblack        0:off   1:off   2:off   3:on    4:on    5:on    6:off

I would like to know how to turn this on. (I suspect it is as simple and obvious as the chmod, which wasn't included in the instructions.)

And also:
service sshblack restart
is supposed to restart this program, but it comes back with
[root@vpstream init.d]# service sshblack restart
(-): (-): No such file or directory

thank you for your help.

michael


Question by:ussher

Expert Comment

by:xDamox
ID: 17030056
Hi,

I would suggest you try pam_abl. What distribution are you using?

Author Comment

by:ussher
ID: 17034647
Red Hat Linux EL3. It is a virtual server, but unmanaged, so I have to take care of security myself. I have rkhunter and logwatcher going, which tell me I have hacking attempts; now I want to block them.

Why is pam_abl better than sshblack?

I originally wanted to use APF and BFD but could not get APF to work on my VPS because iptables needed to be reconfigured on the hardware node, which would change all the VPSs in my hosting company's server array, so they suggested sshblack.


Expert Comment

by:xDamox
ID: 17035152
Hi,

pam_abl can be configured with any service and it's easy to configure: http://www.hexten.net/pam_abl/


Author Comment

by:ussher
ID: 17035515
Hi,

OK, I installed pam_abl. I think everything went OK; on make install there was one line that made me nervous: "/bin/sh: line 1: cd: t: No such file or directory"

here is what i did:

pam_abl  pam_abl-0.2.3.tar.gz
[root@vpstream pam_abl]# make install
make: *** No rule to make target `install'.  Stop.
[root@vpstream pam_abl]# cd pam_abl
[root@vpstream pam_abl]# make install
cc -Wall -fPIC   -c -o pam_abl.o pam_abl.c
cc -Wall -fPIC   -c -o log.o log.c
cc -Wall -fPIC   -c -o config.o config.c
cc -Wall -fPIC   -c -o rule.o rule.c
ld -x --shared -ldb -lpthread -o pam_abl.so pam_abl.o log.o config.o rule.o
install --mode=755 --strip pam_abl.so /lib/security
#install --mode=644 conf/pam_abl.conf /etc/security
install -d --mode=755 /var/lib/abl
for d in t tools ; do cd $d && make install && cd .. ; done
/bin/sh: line 1: cd: t: No such file or directory
make[1]: Entering directory `/root/downloads/pam_abl/pam_abl/tools'
cc -Wall   -c -o log.o log.c
cc -Wall   -c -o config.o config.c
cc -Wall   -c -o rule.o rule.c
cc -Wall   -c -o pam_abl.o pam_abl.c
cc -ldb -lpthread -o pam_abl log.o config.o rule.o pam_abl.o
install --mode=755 --strip pam_abl /usr/bin
make[1]: Leaving directory `/root/downloads/pam_abl/pam_abl/tools'
[root@vpstream pam_abl]# cp conf/pam_abl.conf /etc/security
[root@vpstream pam_abl]# pico /etc/security/pam_abl.conf
[root@vpstream pam_abl]# cd /etc/security
[root@vpstream security]# ls
access.conf  chroot.conf  console.apps  console.perms  group.conf  limits.conf  pam_abl.conf  pam_env.conf  time.conf
[root@vpstream security]# pam_abl /etc/security/pam_abl.conf
Failed users:
Failed hosts:
[root@vpstream security]#


The instructions say to add some lines to the PAM config. Where is the file that I'm supposed to add these lines to?


Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually perform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:
auth      required      /lib/security/pam_env.so
auth      required      /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
auth      sufficient      /lib/security/pam_unix.so likeauth nullok
auth      required      /lib/security/pam_deny.so


Thanks.

michael

Accepted Solution

by:
xDamox earned 750 total points
ID: 17035613
Hi,

Open the /etc/pam.d/sshd and add the following line:

auth     required     /lib/security/pam_abl.so config=/etc/security/pam_abl.conf
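The pam_abl documentation fragment quoted in the question places pam_abl.so before the modules that actually perform authentication, so the line has to land ahead of the first auth entry rather than at the end of the file. This added example (not code from the thread or the pam_abl project) does that insertion idempotently and checks the ordering; the module path and config path are the ones used in the thread, and the sample file written by make_sample_pamd is a constructed copy of the /etc/pam.d/sshd stack posted later in the thread.

```shell
#!/bin/sh
# Added example: insert the pam_abl line into a PAM service file before its
# first "auth" entry, skipping the edit if the module is already present.
PAM_ABL_LINE='auth       required     /lib/security/pam_abl.so config=/etc/security/pam_abl.conf'

# make_sample_pamd FILE: writes a constructed copy of the sshd stack from the thread.
make_sample_pamd() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so
EOF
}

# add_pam_abl FILE: returns 0 = inserted, 1 = already present,
# 2 = no auth entry to anchor on (file left untouched).
add_pam_abl() {
    grep -q 'pam_abl\.so' "$1" && return 1
    grep -q '^auth[[:space:]]' "$1" || return 2
    cp "$1" "$1.bak"    # keep a backup: a broken sshd auth stack locks you out
    awk -v line="$PAM_ABL_LINE" '
        !done && /^auth[[:space:]]/ { print line; done = 1 }
        { print }' "$1.bak" > "$1"
}

# pam_abl_before_auth FILE: returns 0 only if pam_abl.so precedes every
# other auth module in the file, as the quoted documentation requires.
pam_abl_before_auth() {
    awk '/^auth[[:space:]]/ { if (/pam_abl\.so/) { seen = 1; next }
                              if (!seen) bad = 1 }
         END { exit bad }' "$1"
}
```

Run add_pam_abl against a copy of /etc/pam.d/sshd first and keep a second root session open until a fresh login succeeds.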

Author Comment

by:ussher
ID: 17035739
Thanks very much.

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so
auth     required     /lib/security/pam_abl.so config=/etc/security/pam_abl.conf

So I'm good to go now? Thanks.

michael

Expert Comment

by:xDamox
ID: 17035791
Yep,

When a failed attempt happens, as root type:

pam_abl

and you will get something like this:

Failed users:
    nfsnobody (1)
        Not blocking
Failed hosts:
    202.107.202.66 (2)
        Not blocking
    202.110.122.167 (1)
        Not blocking
    211.95.72.125 (1)
        Not blocking
    incs-fo.b.astral.ro (1)
        Not blocking
    lxserv3.cs.denkosekka.ne.jp (1)
        Not blocking
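The pam_abl report shown above is easy to turn into a daily check. This added example (not from the thread or the pam_abl project) parses that report format, flags hosts whose failure count has reached a threshold together with their blocking status, and totals the host failures; the embedded report is a constructed cut-down copy of the one in the comment.

```shell
#!/bin/sh
# Added example: summarise the "Failed hosts:" section of a pam_abl report.
# Constructed sample, trimmed from the report quoted in the comment above.
SAMPLE_REPORT='Failed users:
    nfsnobody (1)
        Not blocking
Failed hosts:
    202.107.202.66 (2)
        Not blocking
    202.110.122.167 (1)
        Not blocking
    211.95.72.125 (1)
        Not blocking'

# hosts_at_or_above THRESHOLD < report: prints "host count status" for every
# entry in the Failed hosts section whose count is >= THRESHOLD.
hosts_at_or_above() {
    awk -v thr="$1" '
        /^Failed users:/ { sect = "users"; host = ""; next }
        /^Failed hosts:/ { sect = "hosts"; host = ""; next }
        # entry line: "<host> (<n>)"; the blocking status is on the next line
        sect == "hosts" && NF == 2 && $2 ~ /^\([0-9]+\)$/ {
            host = $1; n = substr($2, 2, length($2) - 2); next
        }
        sect == "hosts" && host != "" {
            status = $0; sub(/^[ \t]+/, "", status)
            if (n + 0 >= thr + 0) print host, n, status
            host = ""
        }'
}

# total_host_failures < report: sums the counts in the Failed hosts section.
total_host_failures() {
    awk '/^Failed hosts:/ { sect = 1; next }
         sect && NF == 2 && $2 ~ /^\([0-9]+\)$/ { t += substr($2, 2, length($2) - 2) }
         END { print t + 0 }'
}
```

Pipe the live output (`pam_abl | hosts_at_or_above 3`) into whatever mail or log job you already run for rkhunter and logwatcher.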

Author Comment

by:ussher
ID: 17035823
thanks