Related

Tool [NEW] Bandwidth Pricing Calculator Tool
Battle Field 4, in effect leasing a pretty awesome gaming system Question Question
Is possible to connect a DO K8s cluster with a DO Droplet private network? Question Question

Question

How to make sure some PAM module is NOT blocking my IP for ssh login failures?

Posted September 3, 2020 334 views
SecurityNetworkingFirewall

Hi,
I use pam_cracklib and pam google-authenticator in an ubuntu server. and many users log in from the same IP. But when someone makes some login failures for 8-10 times, the SSH gets blocked for a few minutes. All I can see in auth.log is a few PAM authentication failures… I don’t know what is blocking the SSH. But I don’t want that to happen for at least one IP since it causes problems for many users. Any idea on how to fix this?

Add a comment
NikhilV
By:
NikhilV

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
3 answers
NikhilV September 10, 2020

I was able to figure out the issue. It was OSSEC. I had an ossec-hids agent also installed in the server. The active-response feature in the ossec was blocking IP for ssh failures. It was fixed by adding the IP to be ignored inside <white_list>1.2.3.4</white_list> in a global block in ossec-manager ossec.conf. Thanks for all the helpful tips guys.

Reply Report
marks567217 September 3, 2020

PAM (Pluggable authentication modules) allows you to define flexible mechanism for authenticating users. My previous post demonstrated how to deny or allow users using sshd configuration option. However, if you want to block or deny a large number of users, use PAM configuration.

A note for new sys admins
Backup all data and PAM configuration files before any modification 🙂
Please be careful to perform the configuration option. Wrong configuration can lock down all login access including root access.
Read this Linux-PAM configuration file syntax guide
Now continue reading below for pamlistfile.so configration…
Use of pamlistfile.so module
This PAM module authenticates users based on the contents of a specified file. For example, if username exists in a file /etc/sshd/ssh.allow, sshd will grant login access.

Reply Report
Yannek September 4, 2020

Hi,
There is at least one PAM module which could cause the behavior you described. It is pam_faildelay, which allows you to set the delay on failure per-application. In that case delay value is specified in config file in /etc/pam.d/ directory. Delay is in microseconds. Of course, there may be another PAM modules with similar functionality, which I know nothing about. But it is quite likely that their delay values are being defined in configuration files too. However, their delay values may be in different units (seconds, milliseconds, etc.). So, to find them, try to look through contents of the config files using grep command searching for two or more digit strings.

sudo grep -rnwE "/etc/pam.d/" -e "[0-9]{2}"

You will get a list of files with numbered lines containing two or more digit strings.

Be aware, that the behavior you described may be caused by other utilities than PAM modules (e.g. SSHGuard, Fail2ban, DenyHosts), or even advanced firewall rules.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help