March 26, 2007

Protect SSH from brute force attacks with pam_abl

Author: Anže Vidmar

Practically all Unix and Linux servers run an SSH service to let administrators connect securely from remote locations. Unfortunately for security administrators, attacks on SSH services are popular today. In this article I'll show you how can you protect machines running SSH services from brute force attacks using the pam_abl plugin for SSH pluggable authentication modules (PAM).

You can download and compile the pam_abl module yourself, or you can download and install a binary package from a repository. If you want to compile the module, download the source and look for information on how to compile it on the pam_abl homepage. If you want to implement pam_abl on your Ubuntu Dapper or Edgy server or desktop, add one of Roman Balitsky's custom repositories to your /etc/apt/sources.list file:

deb dapper main (for Dapper)
deb edgy main
(for Edgy)

After adding the installation source, update the source list, install pam_abl, and restart the SSH service:

sudo apt-get update
sudo apt-get install libpam-abl
sudo /etc/init.d/ssh restart

Next, you may want to tweak the pam_abl configuration file in /etc/security/pam_abl.conf:


Lines 2 and 5 show where the list of banned users and hosts are saved. The third and sixth lines set the purge times for bans; here, both the host-ban and user-ban rules will be purged in two days. On the fourth and seventh lines are host and user rules. Let's look at them in more details.

The syntax of the config file is like this:

host/user_rule=<host/user>:<number of tries>/<ban time>,<number of tries>/<ban time>

Thus our line 4 rule means ban all hosts (the asterisk) that entered wrong credentials three or more times in the last hour, or if the tries number is greater than 30 in the last day.

The line 7 user rules says ban any user except the user root (the "!root" directive) if the user's password fails three times in a one-hour period or if the number of failed retries is greater than 30 in a one-day period.

You can also define only selected users that you need to protect. Let's say that you want to protect only the users anze, dasa, kimzet, and madison. The config syntax should look like this:


This means that all four users -- anze, dasa, kimzet, and madison -- will be banned if their login failures reach 20 in a one-hour period.

For full list of options and triggers, see the pam_abl manual page.


To test your configuration, open a terminal on the target box and look at the /var/log/auth.log file. Try to log in to the server three times with the wrong password and see if the pam_abl plugin bans you. If it does, using the user madison as an example, the log file should look like this:

pam_abl[6248]: Blocking access from to service ssh, user madison

Now madison is blocked on the target machine and will not be able to log in for two days.

You can check the banned users and hosts at any time with pam_abl command:

~$ sudo pam_abl
Failed users:
madison (3)
Blocking users [!root]
Failed hosts: (3)
Blocking users [*]


There are many ways you can protect your machine from hackers, including changing the SSH listening port and defining which hosts are allowed to connect to your SSH service using iptables and TCP wrappers. Implementing the pam_abl module eliminates brute force attacks against your SSH server; just be careful that you configure the module so that an attacker cannot lock you out of your own box.


  • Security
Click Here!