How to make sure some PAM module is NOT blocking my IP for ssh login failures?

Posted September 3, 2020 1.1k views

I use pam_cracklib and pam_google_authenticator on an Ubuntu server, and many users log in from the same IP. But when someone fails to log in 8-10 times, SSH gets blocked for a few minutes. All I can see in auth.log is a few PAM authentication failures… I don’t know what is blocking SSH. But I don’t want that to happen for at least one IP, since it causes problems for many users. Any idea on how to fix this?

3 answers

I was able to figure out the issue. It was OSSEC. I had an ossec-hids agent also installed on the server. The active-response feature in OSSEC was blocking the IP for SSH failures. It was fixed by adding the IP to be ignored inside <white_list></white_list> in the global block of the ossec-manager ossec.conf. Thanks for all the helpful tips, guys.
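To make the fix concrete, here is an added example (not the poster's real ossec.conf): a constructed fragment showing where the <white_list> entries sit, inside <global>, next to the stock active-response block that does the blocking, plus a small shell check that a given address really is listed. The 203.0.113.10 address is a placeholder.

```sh
#!/bin/sh
# Added example (not the poster's real ossec.conf). A constructed fragment that
# shows where the <white_list> entries sit, inside <global>, followed by a check
# that a given address is actually listed there. 203.0.113.10 is a placeholder.
OSSEC_CONF_SAMPLE='<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>203.0.113.10</white_list>
  </global>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>'

# ossec_whitelisted CONF_TEXT IP -> exit 0 if IP is a <white_list> entry inside
# <global>, 1 otherwise. Dots in IP are escaped so they are not regex wildcards,
# and the line is anchored so 203.0.113.1 does not match 203.0.113.10.
ossec_whitelisted() {
    ip=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" \
      | sed -n '/<global>/,/<\/global>/p' \
      | grep -q "^[[:space:]]*<white_list>$ip</white_list>[[:space:]]*$"
}

if ossec_whitelisted "$OSSEC_CONF_SAMPLE" 203.0.113.10; then
    echo "203.0.113.10 is whitelisted: active-response will not block it"
else
    echo "203.0.113.10 is NOT whitelisted"
fi
```

The manager only re-reads ossec.conf on restart, so a freshly added entry takes effect after the OSSEC manager is restarted; the check above is a quick way to confirm the entry landed in the right section before doing that.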

PAM (Pluggable Authentication Modules) allows you to define a flexible mechanism for authenticating users. My previous post demonstrated how to deny or allow users using an sshd configuration option. However, if you want to block or deny a large number of users, use the PAM configuration.

A note for new sysadmins
Back up all data and PAM configuration files before any modification 🙂
Please be careful when performing the configuration. A wrong configuration can lock down all login access, including root access.
Read this Linux-PAM configuration file syntax guide
Now continue reading below for the configuration…
Use of pam module
This PAM module authenticates users based on the contents of a specified file. For example, if the username exists in the file /etc/sshd/ssh.allow, sshd will grant login access.

There is at least one PAM module which could cause the behavior you described. It is pam_faildelay, which allows you to set the delay on failure per application. In that case the delay value is specified in a config file in the /etc/pam.d/ directory. The delay is in microseconds. Of course, there may be other PAM modules with similar functionality which I know nothing about. But it is quite likely that their delay values are defined in configuration files too. However, their delay values may be in different units (seconds, milliseconds, etc.). So, to find them, try looking through the contents of the config files using the grep command, searching for strings of two or more digits.

# {2,} rather than {2}: with -w, a bare {2} only matches words of exactly two digits
sudo grep -rnwE "/etc/pam.d/" -e "[0-9]{2,}"

You will get a list of files, with line numbers, containing strings of two or more digits.

Be aware that the behavior you described may be caused by utilities other than PAM modules (e.g. SSHGuard, Fail2ban, DenyHosts), or even by advanced firewall rules.
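A narrower version of that grep, as an added example that is not part of the answer above: instead of listing every multi-digit string, it builds a constructed look-alike of /etc/pam.d in a temp directory and reports only the directives that delay or lock out logins after failures. pam_faildelay (delay= in microseconds) is the module the answer names; pam_faillock and pam_tally2 (deny= and unlock_time= in seconds) are the two other standard lockout modules, added here as a generalisation. The file contents are constructed samples, not a real system's configuration.

```sh
#!/bin/sh
# Added example (not from the answer above). Builds a constructed look-alike of
# /etc/pam.d in a temp dir and reports the modules that delay or lock out logins
# after failures. pam_faildelay (delay= in microseconds) is the module the answer
# names; pam_faillock and pam_tally2 (deny=, unlock_time= in seconds) are the two
# other standard lockout modules, added here as a generalisation.
PAMD=$(mktemp -d)
trap 'rm -rf "$PAMD"' EXIT

# Constructed sample files: real directive syntax, invented values.
cat > "$PAMD/sshd" <<'EOF'
auth    required    pam_faildelay.so delay=3000000
auth    required    pam_google_authenticator.so
auth    required    pam_faillock.so preauth deny=5 unlock_time=600
#auth   required    pam_tally2.so deny=3 unlock_time=900
@include common-auth
EOF
cat > "$PAMD/common-auth" <<'EOF'
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite   pam_deny.so
EOF
cat > "$PAMD/login" <<'EOF'
auth    required    pam_tally2.so deny=8 unlock_time=300 onerr=fail
EOF

# pam_lockout_report DIR
# Prints one line per active pam_faildelay/pam_faillock/pam_tally2 directive:
#   <file>:<module> <settings>
# Commented-out directives are skipped; output is sorted so it is deterministic.
pam_lockout_report() {
    grep -rHE 'pam_(faildelay|faillock|tally2)\.so' "$1" \
      | grep -vE '^[^:]*:[[:space:]]*#' \
      | while IFS= read -r line; do
            file=${line%%:*}; file=${file##*/}
            module=$(printf '%s\n' "$line" | sed -E 's/.*(pam_(faildelay|faillock|tally2))\.so.*/\1/')
            case $module in
            pam_faildelay)
                # delay= is microseconds; convert so the per-failure wait is obvious
                usec=$(printf '%s\n' "$line" | sed -nE 's/.*delay=([0-9]+).*/\1/p')
                secs=$(awk -v u="${usec:-0}" 'BEGIN { printf "%.1f", u / 1000000 }')
                printf '%s:%s delay=%sus (%s s per failure)\n' "$file" "$module" "${usec:-0}" "$secs"
                ;;
            *)
                deny=$(printf '%s\n' "$line" | sed -nE 's/.*deny=([0-9]+).*/\1/p')
                unlock=$(printf '%s\n' "$line" | sed -nE 's/.*unlock_time=([0-9]+).*/\1/p')
                printf '%s:%s deny=%s unlock_time=%ss\n' "$file" "$module" "${deny:-unset}" "${unlock:-unset}"
                ;;
            esac
        done | sort
}

pam_lockout_report "$PAMD"
```

Point pam_lockout_report at the real /etc/pam.d instead of the temp dir to run it on a live system; a pam_faildelay line explains a per-attempt slowdown, while a pam_faillock or pam_tally2 line with deny= and unlock_time= explains a lockout of exactly the "8-10 failures, then blocked for a few minutes" shape. If neither appears, the block is coming from outside PAM (fail2ban, SSHGuard, DenyHosts, OSSEC active-response or firewall rules), as the answer says.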