YUM updates (feature update!)

Updates for BlueOnyx were released today and are now available through YUM. These updates add new features, too.

The following updates for BlueOnyx were released today and are now available through YUM:

==========
 Package  
==========

Updating:
 base-console-capstone
 base-console-glue
 base-console-locale-da_DK
 base-console-locale-de_DE
 base-console-locale-en
 base-console-locale-ja
 base-console-ui
 base-network-capstone
 base-network-glue
 base-network-locale-da_DK
 base-network-locale-de_DE
 base-network-locale-en
 base-network-locale-ja
 base-network-ui
 pam
 proftpd
 sausalito-cce-client
 sausalito-cce-server

Transaction Summary
============================
Install      0 Package(s)
Update      18 Package(s)
Remove       0 Package(s)

These package addresses the following issues:

base-console, pam and sausalito-cce-server:

Feature update: This updates accomplish a few things in one go. Most importantly it extends BlueOnyx with a basic (but effective) brute force password discovery attacks protection trough the implentation of pam_abl.

General explanation:

pam_abl provides auto blacklisting of hosts and (optionally!) users responsible for repeated failed authentication attempts. Brute force password discovery attacks involve repeated attempts to authenticate against a service using a dictionary of common passwords. While it is desirable to enforce strong passwords for users this is not always possible and in cases where a weak password has been used brute force attacks can be effective.

The pam_abl module monitors failed authentication attempts and automatically blacklists those hosts (and optionally also accounts) that are responsible for a configureable numbers of failed attempts. Once a host is blacklisted it is guaranteed to fail authentication even if the correct credentials are provided.

Blacklisting is triggered when the number of failed authentication attempts in a particular period of time exceeds a predefined limit. Hosts which stop attempting to authenticate will - after a period of time - be un-blacklisted automatically.

Detailed explanation:

Our implementation of pam_abl protects pretty much any network service that uses the pluggable authentication mechanism (PAM). On BlueOnyx that includes SSH, Telnet, FTP, SMTP-Auth, POP3, IMAP and so on. pam_abl records failed logins into a temporary database, which is purged periodically. During such purges old entries with no frequent activity are expired. If someone exceeds a certain (configurable) amount of failed logins, then anyone from the offending IP will be unable to authenticate - even if they try a valid username and password combination.

Please note: pam_abl is not a firewall. It just ties into the autentication mechanism that all services use and blocks on that level. So if you already have some brute force detection mechanism, then this update will not conflict with it.

The most visible aspects of this new update are the two new GUI pages under "Server Manegement" / "Security". They are called "Failed Logins" and "LoginManager".

"Login Manager" allows you to configure the settings of pam_abl. Like how long entries without recent activity remain in the database before they are purged from it. And more importantly: How many failed authentication attempts trigger a lock out of the offending host or (optionally) user. Generally you should only block hosts - this is the default.

The "Failed Logins" page shows a list of hosts that had failed password attempts. It also shows how many failed login attempts they had, if they are currently blocked, or if they (still - or again) are able to login. Like said:

Bans are temporary and expire after one hour of no further activity from that host.

That page also shows you a list of usernames that were used during the failed login attempts.

And of course the page allows you to reset all host and/or user bans.

Built in safeguards:

Of course any mechanism to restrict access to the server has the potentical to backfire. Users could lock themselves out because they repeatedly login with the wrong username and/or password. However, we set reasonable defaults, so this should be a rare event. Of course you can change the default values through the GUI, or could disable the automatic temporary blocking in general.

At the worst you could lock yourself out, too. So we built in a few safeguards which allow you to do something about that - even if you locked yourself out.

Safeguard #1: Regardless if pam_abl has your IP address blocked or not, you will always be able to login to the GUI interface with the servers admin account. From there you can use the buttons on the "Failed Logins" page to reset all blocks - or just the one involving your IP.

Safeguard #2: If the server is rebooted, the pam_abl database and all blocks are reset.

Safeguard #3: If you still have acces to the command line of the server (from another IP or from a "root" session that is still open), then simply run "/etc/init.d/pam_abl stop" to manually initiate a flush of the pam_abl database.

Command line usage:

The following new commands allow you to receive a bit more information about pam_abl on the command line:

/etc/init.d/pam_abl

Options: start|stop|status|purge

start or stop: Flush the databases, delete all blocks and erase the failed login history.

status: Shows detailed information about all recorded events - including date and time stamps.

purge: Allows to manually expire events from the database which are older than the defined record keeping settings.

/usr/bin/pam_abl

Command line tool of pam_abl. Run it with the -h switch to see all available options.

ProFTPd:

This update brings ProFTPd to the latest version. Additionally we had to modify the autehtication mechanisms of ProFTP a little to make it work with pam_abl. Unfortunately this breaks ProFTPd's built in support for authentication against LDAP or MySQL. But as those aren't used by default on BlueOnyx we considered that acceptable.

Our new ProFTPd also has the custom module mod_ban now compiled in by default.

The mod_ban module is designed to add dynamic "ban" lists to proftpd. A ban prevents the banned user, host, or class from logging in to the server; it does not prevent the banned user, host, or class from connecting to the server. mod_ban is not a firewall. The module also provides automatic bans that are triggered based on configurable criteria.

Beyond the protection that pam_abl already provides, mod_ban adds another layer of security that can be finely tuned.

To edit the mod_ban settings see /etc/proftpd.conf

Caveats:

This ProFTPd update is potentially troublesome, because we had to rewrite sections of /etc/proftpd.conf in order to make things happen.

The most straightforward way to do this was to simply replace the existing /etc/proftpd.conf with a new one and then simply add the required VirtualHost containers back with the help of the script /usr/sausalito/sbin/fixproftpd_conf.pl.

If you manually made any changes to your ProFTPd configuration, those will unfortunately get lost during the upgrade. However, a copy of your old proftpd.conf will be kept as /etc/proftpd.conf.pre-1.3.2a

base-network:

The GUI page from which you can configure your servers host- and domain name, DNS and network related settings had issues when you had more than two network cards.

These bugs then prevented you from saving the changes.

That problem has been fixed.