So, I've come to the conclusion that pam_abl on its own won't do what I want for blocking. Seems that I need to enlist the help of iptables to really drop connection attempts that I don't want hitting my box. In my mind, it's not simply good enough to "deny" access via pam_abl, as the attacker is still wasting bandwidth and potentially tying up ports and could deny services. So, I want the system to become deaf and dumb to that IP address for a period of time.
From what I can tell with the pam_abl (8) man page at http://pam-abl.deksai.com/docs/pam_abl.8.html, it appears that there's support for a 'host_blk_cmd' and a 'host_clr_cmd', which would seem ideal candidates for an iptables command to set up a drop rule for the IP address and then subsequently clear the same rule later on when things are cleared. I don't want to simply increase a block list, as there may be legitimate users that would be trying to come from a certain IP that could survive blockage for a period of hours, but not forever. I want to have the system become unresponsive so that the attacker simply gives up and moves on to something that WILL respond better (like other systems running just pam_abl without any iptables integration :P )

However, I'm not sure that the version of pam_abl in BlueOnyx supports the host_blk_cmd directive in the configuration file, since when I tried it, pam_abl wouldn't start, complaining about that particular line in the config file. So, does the version support this, and if not, are there any plans/possibilities that a newer version could be integrated so we can make use of the new functionality, which seems so darn cool?

Thanks much!

-- Chad

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
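The block/clear hook pair the post asks about, as an added example that is not from the post, from pam_abl or from BlueOnyx: a single script meant to be wired to host_blk_cmd and host_clr_cmd, assuming pam_abl substitutes %h with the offending host (e.g. `host_blk_cmd=/usr/local/sbin/abl-block.sh block %h`). It keeps the drop rules in their own iptables chain so they can be audited or flushed as a unit, uses `iptables -C` to stay idempotent, and refuses anything that is not a plain IPv4 address so the hook can never be turned into a shell injection point. The script path and the IPTABLES/ABL_CHAIN override variables are assumptions.

```shell
#!/bin/sh
# abl-block.sh (hypothetical path) -- pam_abl host_blk_cmd / host_clr_cmd hook.
# Usage: abl-block.sh block <ipv4>   |   abl-block.sh clear <ipv4>
# Assumes pam_abl passes the offending host via %h in the configured command.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be tested without root
CHAIN="${ABL_CHAIN:-PAM_ABL}"      # dedicated chain: easy to list, audit and flush

# Accept only a dotted-quad IPv4 address (four octets, each 0-255).
# Anything else is refused so an attacker-influenced string never reaches iptables.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Create the chain once and hook it into INPUT if it is not already there.
ensure_chain() {
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I INPUT -j "$CHAIN"
}

# Drop all traffic from the address; a second call for the same host is a no-op.
block_host() {
    is_ipv4 "$1" || { echo "refusing to block invalid address: $1" >&2; return 1; }
    ensure_chain
    "$IPTABLES" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null \
        || "$IPTABLES" -I "$CHAIN" -s "$1" -j DROP
}

# Remove every DROP rule for the address (loop in case one was added twice).
clear_host() {
    is_ipv4 "$1" || { echo "refusing to clear invalid address: $1" >&2; return 1; }
    while "$IPTABLES" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null; do
        "$IPTABLES" -D "$CHAIN" -s "$1" -j DROP
    done
}

case "${1:-}" in
    block) block_host "$2" ;;
    clear) clear_host "$2" ;;
esac
```

Because the rule is inserted at the top of a dedicated chain, `iptables -L PAM_ABL -n` shows exactly which hosts pam_abl has silenced, and `iptables -F PAM_ABL` clears them all if the block store and the firewall ever get out of sync.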