Question
How to make sure some PAM module is NOT blocking my IP for ssh login failures?
- Posted September 3, 2020
- SecurityNetworkingFirewall
Hi, I use pam_cracklib and pam google-authenticator in an ubuntu server. and many users log in from the same IP. But when someone makes some login failures for 8-10 times, the SSH gets blocked for a few minutes. All I can see in auth.log is a few PAM authentication failures… I don’t know what is blocking the SSH. But I don’t want that to happen for at least one IP since it causes problems for many users. Any idea on how to fix this?
Subscribe
Share
Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Sign in to AnswerThese answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
I was able to figure out the issue. It was OSSEC. I had an ossec-hids agent also installed in the server. The active-response feature in the ossec was blocking IP for ssh failures. It was fixed by adding the IP to be ignored inside <white_list>1.2.3.4</white_list> in a global block in ossec-manager ossec.conf. Thanks for all the helpful tips guys.
Hi, There is at least one PAM module which could cause the behavior you described. It is
pam_faildelay, which allows you to set the delay on failure per-application. In that case delay value is specified in config file in/etc/pam.d/directory. Delay is in microseconds. Of course, there may be another PAM modules with similar functionality, which I know nothing about. But it is quite likely that their delay values are being defined in configuration files too. However, their delay values may be in different units (seconds, milliseconds, etc.). So, to find them, try to look through contents of the config files usinggrepcommand searching for two or more digit strings.You will get a list of files with numbered lines containing two or more digit strings.
Be aware, that the behavior you described may be caused by other utilities than PAM modules (e.g. SSHGuard, Fail2ban, DenyHosts), or even advanced firewall rules.
PAM (Pluggable authentication modules) allows you to define flexible mechanism for authenticating users. My previous post demonstrated how to deny or allow users using sshd configuration option. However, if you want to block or deny a large number of users, use PAM configuration.
A note for new sys admins Backup all data and PAM configuration files before any modification 🙂 Please be careful to perform the configuration option. Wrong configuration can lock down all login access including root access. Read this Linux-PAM configuration file syntax guide Now continue reading below for pam_listfile.so configration… Use of pam_listfile.so module This PAM module authenticates users based on the contents of a specified file. For example, if username exists in a file /etc/sshd/ssh.allow, sshd will grant login access.