The pam_abl provides auto blacklisting of hosts and users

responsible for repeated failed authentication attempts. WWW: http://www.hexten.net/pam_abl/ PR: ports/100635 Submitted by: Petr Rehor <prehor@gmail.com>
svn path=/head/; revision=171825
2024-12-26 05:02:18 +00:00 · 2006-09-01 18:34:03 +00:00 · 2006-09-01 18:34:03 +00:00 · bf663cc26b · 2021-03-31 03:12:20 +00:00
commit bf663cc26b
parent ecf737426d
17 changed files with 684 additions and 0 deletions
--- a/security/Makefile
+++ b/security/Makefile
@ -464,6 +464,7 @@
    SUBDIR += pad
    SUBDIR += pam-mysql
    SUBDIR += pam-pgsql
+    SUBDIR += pam_abl
    SUBDIR += pam_af
    SUBDIR += pam_alreadyloggedin
    SUBDIR += pam_authsrv
--- a/security/pam_abl/Makefile
+++ b/security/pam_abl/Makefile
@ -0,0 +1,73 @@
+# New ports collection makefile for:    pam_abl
+# Date created:				Nov 6 2005
+# Whom:					Petr Rehor <prehor@gmail.com>
+#
+# $FreeBSD$
+#
+
+PORTNAME=	pam_abl
+PORTVERSION=	0.2.3
+CATEGORIES=	security
+MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
+MASTER_SITE_SUBDIR=	${PORTNAME:S/_/-/}
+
+MAINTAINER=	prehor@gmail.com
+COMMENT=	Blacklisting responsible for repeated failed authentication attempts
+
+WRKSRC=		${WRKDIR}/${PORTNAME}
+
+PAMABLDB?=	/var/db/pam_abl
+
+USE_BDB=	42+
+
+SUB_FILES=	pkg-deinstall pkg-message pkg-plist pam_abl.8 190.clean-pam-abl
+SUB_LIST=	PAMABLDB=${PAMABLDB}
+
+PKGMESSAGE=	${WRKDIR}/pkg-message
+PKGDEINSTALL=	${WRKDIR}/pkg-deinstall
+PLIST=		${WRKDIR}/pkg-plist
+
+MAN8=		pam_abl.8
+
+.if !defined(NOPORTDOCS)
+PORTDOCS=	*
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if ${PREFIX} == / || ${PREFIX} == /usr
+ETCPREFIX=
+.else
+ETCPREFIX=	${PREFIX}
+.endif
+SUB_LIST+=	ETCPREFIX=${ETCPREFIX}
+
+SED_SCRIPT=	-e 's|<db.h>|<${BDB_INCLUDE_DIR}/db.h>|' \
+		-e 's|-ldb|-l${BDB_LIB_NAME}|' \
+		-e 's|%%PREFIX%%|${PREFIX}|' \
+		-e 's|%%ETCPREFIX%%|${ETCPREFIX}|' \
+		-e 's|%%PAMABLDB%%|${PAMABLDB}|'
+
+post-patch:
+.for file in Makefile pam_abl.h conf/pam_abl.conf conf/system-auth doc/index.html doc/pam_abl.html tools/Makefile
+	@${REINPLACE_CMD} ${SED_SCRIPT} ${WRKSRC}/${file}
+.endfor
+
+pre-install:
+.if !defined(NOPORTDOCS)
+	@${MKDIR} ${DOCSDIR}
+.for file in AUTHORS COPYING Copyright NEWS README THANKS conf/system-auth doc/index.html doc/pam_abl.html doc/copying.html doc/style.css
+	${INSTALL_DATA} ${WRKSRC}/${file} ${DOCSDIR}
+.endfor
+.endif
+.if !defined(NO_INSTALL_MANPAGES)
+	@${MKDIR} ${MAN8PREFIX}/man/man8
+	${INSTALL_MAN} ${WRKDIR}/pam_abl.8 ${MAN8PREFIX}/man/man8/
+.endif
+	@${MKDIR} ${PREFIX}/etc/periodic/daily
+	${INSTALL_SCRIPT} ${WRKDIR}/190.clean-pam-abl ${PREFIX}/etc/periodic/daily/
+
+post-install:
+	@${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
--- a/security/pam_abl/distinfo
+++ b/security/pam_abl/distinfo
@ -0,0 +1,3 @@
+MD5 (pam_abl-0.2.3.tar.gz) = fbcf97067e9647fa1d9257d4e6133cba
+SHA256 (pam_abl-0.2.3.tar.gz) = 9bb4059fba96f9846784d5e70bec72893630bdd70bc840be767cc33b83c6b163
+SIZE (pam_abl-0.2.3.tar.gz) = 19000
--- a/security/pam_abl/files/190.clean-pam-abl.in
+++ b/security/pam_abl/files/190.clean-pam-abl.in
@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# Purge pam_abl databases according to purge rules in config.
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]; then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+case "$daily_clean_pam_abl_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo "Purging pam_abl databases:"
+
+	%%PREFIX%%/sbin/pam_abl -p -v ${daily_clean_pam_abl_config_file}
+	[ $? -ne 0 ] && rc=3 || rc=0;;
+    *)  rc=0;;
+esac
+
+exit $rc
--- a/security/pam_abl/files/pam_abl.8.in
+++ b/security/pam_abl/files/pam_abl.8.in
@ -0,0 +1,270 @@
+.\"
+.\" $FreeBSD$
+.\"
+.Dd January 14, 2006
+.Dt pam_abl 8
+.Os
+.Sh NAME
+.Nm pam_abl
+.Nd auto blacklist PAM module
+.Sh SYNOPSIS
+.Ss Auto Blacklist PAM module
+.Op Ar service-name
+.Ar module-name
+.Ar control-flag
+.Pa pam_abl
+.Op Ar options
+.Ss Blacklist maintenance tool
+.Nm
+.Op Fl h | Fl -help
+.Op Fl p | Fl -purge
+.Op Fl r | Fl -relative
+.Op Fl v | Fl -verbose
+.Op Fl -okhost Ns No = Ns Ar host
+.Op Fl -okuser Ns No = Ns Ar user
+.Op Ar config-file
+.Sh DESCRIPTION
+The Auto Blacklist module for PAM,
+.Nm
+provides functionality for only one PAM category: authentication.
+In terms of the
+.Ar module-type
+parameter, this is the
+.Dq Li auth
+feature.
+.Ss Auto Blacklist PAM Authentication Module
+.Nm
+provides auto blacklisting of hosts and users responsible for repeated
+failed authentication attempts. Generally configured so that blacklisted
+users still see normal login prompts but are guaranteed to fail to
+authenticate.  This functionality is only available to services which call
+PAM as root.  If
+.Nm
+is called for uid != 0 it will silently succeed.
+
+The following options may be passed to the authentication module:
+.Bl -tag -width indent
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm expose_account
+Ignored.
+.It Cm no_warn
+suppress warning messages to the user.
+These messages include reasons why the user's authentication attempt was
+declined.
+.It Cm try_first_pass
+Ignored.
+.It Cm use_first_pass
+Ignored.
+.It Cm use_mapped_pass
+Ignored.
+.It Cm config Ns No = Ns Ar config-file
+The configuration file contains additional arguments. In order for the
+.Nm
+blacklist maintenance tool to work correctly most of the configuration
+should be placed in the config file rather than being provided by arguments.
+The format of the config file is described below.
+.It Cm host_db Ns No = Ns Ar host-database-file
+Path to the Berkeley DB which is used to log the host responsible for failed
+authentication attempts.
+If host_db is omitted the corresponding auto blacklisting will be disabled.
+.It Cm host_purge Ns No = Ns Ar time
+Defines how long failed hosts are retained in the host database.
+Defaults to 1 day.
+.It Cm host_rule Ns No = Ns Ar host-rule
+The rule (see below for format) which defines the conditions under which a
+failed hosts will be blackisted.
+.It Cm user_db Ns No = Ns Ar user-database-file
+Path to the Berkeley DB which is used to log the user responsible for failed
+authentication attempts.
+If user_db is omitted the corresponding auto blacklisting will be disabled.
+.It Cm user_purge Ns No = Ns Ar time
+Defines how long failed users are retained in the user database.
+Defaults to 1 day.
+.It Cm user_rule Ns No = Ns Ar user-rule
+The rule (see below for format) which defines the conditions under which a
+failed users will be blackisted.
+.El
+.Ss Rules syntax
+.Cm host_rule No Cm user_rule
+are the rules which determine the circumstances under which accounts ares
+auto blacklisted.
+The
+.Cm host_rule
+is used to block access to hosts that are responsible for excessive
+authentication failures and the
+.Cm user_rule
+is used to disable accounts for which there have been excessive
+authentication failures.
+Each rule consists of a number of space separated
+.Sy user clauses Ns No .
+A
+.Sy user clause
+specifies the user names and services to match and a set of triggers.
+A simple example would be:
+.Bd -literal -offset indent
+*:10/1h
+.Ed
+.Pp
+which means 'block any user (*) if they are responsible for ten or more
+failed authentication attempts in the last hour'.
+In place of the '*' which matches any user a list of usernames can be
+supplied like this:
+.Bd -literal -offset indent
+root|dba|admin:10/1h
+.Ed
+.Pp
+which means 'block the users root, dba and admin if they are responsible
+for ten or more failed authentication attempts in the last hour'.
+You can also specify a service name to match against like this:
+.Bd -literal -offset indent
+root/sshd|dba/*:3/1d
+.Ed
+.Pp
+which means 'block the users root for service sshd and user dba for any
+service if they are responsible for three or more failed authentication
+attempts in the last day'.
+Finally you can specify multiple triggers like this:
+.Bd -literal -offset indent
+root:10/1h,20/1d
+.Ed
+.Pp
+which means 'block the user root if they are responsible for ten or more
+failed attempts in the last hour or twenty or more failed attempts in the
+last day.
+.Pp
+Multiple rules can be provided separated by spaces like this:
+.Bd -literal -offset indent
+*:10/1h root:5/1h,10/1d
+.Ed
+.Pp
+in which case all rules that match a particular user and service will be
+checked.
+The user or host will be blocked if any of the rule triggers matches.
+.Pp
+The sense of the user matching can be inverted by placing a '!' in front
+of the rule so that:
+.Bd -literal -offset indent
+!root:20/1d
+.Ed
+.Pp
+is a rule which would match for all users apart from root.
+.Pp
+It is important to treat root as a special case in the
+.Cm user_rule
+otherwise excessive attempts to authenticate as root will result in the
+root account being locked out even for valid holders of root credentials.
+.Pp
+Here is the full syntax for rules:
+.Bd -literal -offset indent
+word ::= /[^\\s\\|\\/\\*]+/
+name ::= word | '*'
+username ::= name
+servicename ::= name
+userservice ::= username | username '/' servicename
+namelist ::= userservice | userservice '|' namelist
+userspec ::= namelist | '!' namelist
+multiplier ::= 's' | 'm' | 'h' | 'd'
+number ::= /\d+/
+period ::= number | number multiplier
+trigger ::= number '/' period
+triglist ::= trigger | trigger ',' triglist
+userclause ::= userspec ':' triglist
+rule ::= userclause | userclause /\s+/ rule
+.Ed
+.Pp
+For rules to work correctly
+.Cm host_purge No and Cm user_purge 
+must be at least as long as the longest period specified in a corresponding
+rule.
+You may wish to retain information about failed attempts for longer than
+this so that the 
+.Nm
+blacklist maintenance tool can report information over a longer period of
+time.
+The format for this items is a number with an optional multiplier suffix,
+'s', 'm', 'h' or 'd' which correspond with seconds, minutes, hours and days.
+To specify seven days for example one would use '7d'.
+Note that in normal operation
+.Nm
+PAM module will only purge the logged data for a particular host or user
+if it happens to be updating it, i.e. if that host or user makes another
+failed attempt.
+To purge all old entries the 
+.Nm
+blacklist maintenance tool should be used.
+.Ss Blacklist maintenance tool
+Blacklist maintenance tool
+.Nm
+perform maintenance on the databases used by the
+.Nm
+PAM module.
+The options are as follows:
+.Bl -tag -width indent
+.It Fl h | Fl -help
+Print help page and exit.
+.It Fl p | Fl -purge
+Purge databases according to purge rules in config.
+.It Fl r | Fl -relative
+Display times relative to now otherwise absolute times will be displayed.
+.It Fl v | Fl -verbose
+Verbose output.
+.It Fl -okhost Ns No = Ns Ar host-name
+Unblock host.
+.It Fl -okuser Ns No = Ns Ar user-name
+Unblock user.
+.It Ar config-file
+Name of the
+.Nm
+configuration file (default: %%ETCPREFIX%%/etc/pam_abl.conf).
+The config file is read to discover the names of the
+.Nm
+databases and the rules that control purging of old data from them.
+.El
+.Sh EXAMPLES
+.Ss Auto Blacklist PAM module
+Typically
+.Nm
+PAM module is added to the auth stack as a required module just before
+whatever modules actually peform authentication.
+Here's a fragment of the PAM config:
+.Bd -literal -offset indent
+auth required   pam_env
+auth required   pam_abl  config=%%ETCPREFIX%%/etc/pam_abl.conf
+auth sufficient pam_unix likeauth nullok
+auth required   pam_deny
+.Ed
+.Ss Blacklist maintenance tool
+Obtain a list of failed hosts and users:
+.Bd -literal -offset indent
+$ pam_abl
+.Ed
+.Pp
+Obtain a full list of failures listing times relative to now:
+.Bd -literal -offset indent
+$ pam_abl -rv
+.Ed
+.Pp
+Purge old data:
+.Bd -literal -offset indent
+$ pam_abl -p
+.Ed
+.Pp
+Unblock all example.com hosts and all users:
+.Bd -literal -offset indent
+$ pam_abl -v --okhost='*.example.com' --okuser='*'
+.Ed
+.Sh SEE ALSO
+.Xr pam.conf 5 ,
+.Xr pam 8
+.Bd -literal
+http://www.hexten.net/pam_abl/
+http://sourceforge.net/project/showfiles.php?group_id=148927
+.Ed
+.Sh AUTHORS
+Written by Andy Armstrong <andy@hexten.net>.
+.Sh BUGS
+Report bugs to Andy Armstrong <andy@hexten.net>.
--- a/security/pam_abl/files/patch-Makefile
+++ b/security/pam_abl/files/patch-Makefile
@ -0,0 +1,42 @@
+--- Makefile.orig	Wed Oct 12 21:22:25 2005
+++ Makefile	Sun Dec 11 00:29:31 2005
+@@ -1,11 +1,11 @@
+ # Makefile
+ # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $
+ 
+-CFLAGS=-Wall -fPIC
+-PAMDIR=/lib/security
+-CONFDIR=/etc/security
+-DBDIR=/var/lib/abl
+-LIBS=-ldb -lpthread
+CFLAGS=-Wall -fPIC -I/usr/local/include
+PAMDIR=%%PREFIX%%/lib
+CONFDIR=%%ETCPREFIX%%/etc
+DBDIR=%%PAMABLDB%%
+LIBS=-L/usr/local/lib -ldb -lpthread
+ MODULE=pam_abl.so
+ OBJ=pam_abl.o log.o config.o rule.o
+ SUBDIRS=tools
+@@ -14,17 +14,17 @@
+ 	for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+ 
+ $(MODULE) : $(OBJ)
+-	ld -x --shared $(LIBS) -o $@ $^
+	ld -x --shared $(LIBS) -o $(MODULE) $(OBJ)
+ 
+ clean :
+ 	rm -f $(MODULE) $(OBJ)
+ 	for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+ 
+ install : $(MODULE)
+-	install --mode=755 --strip $(MODULE) $(PAMDIR)
+-	#install --mode=644 conf/pam_abl.conf $(CONFDIR)
+-	install -d --mode=755 $(DBDIR)
+-	for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+	install -m 755 -s $(MODULE) $(PAMDIR)
+	install -m 644 conf/pam_abl.conf $(CONFDIR)/pam_abl.conf.sample
+	install -d -m 755 $(DBDIR)
+	for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+ 
+ depend :
+ 	cc -MM *.c > deps
--- a/security/pam_abl/files/patch-conf-pam_abl.conf
+++ b/security/pam_abl/files/patch-conf-pam_abl.conf
@ -0,0 +1,14 @@
+--- conf/pam_abl.conf.orig	Sat Dec 10 23:27:33 2005
+++ conf/pam_abl.conf	Sun Dec 11 00:07:41 2005
+@@ -1,8 +1,8 @@
+-# /etc/security/pam_abl.conf
+# %%ETCPREFIX%%/etc/pam_abl.conf
+ # debug
+-host_db=/var/lib/abl/hosts.db
+host_db=%%PAMABLDB%%/hosts.db
+ host_purge=2d
+ host_rule=*:10/1h,30/1d
+-user_db=/var/lib/abl/users.db
+user_db=%%PAMABLDB%%/users.db
+ user_purge=2d
+ user_rule=!root:10/1h,30/1d
--- a/security/pam_abl/files/patch-conf-system-auth
+++ b/security/pam_abl/files/patch-conf-system-auth
@ -0,0 +1,39 @@
+--- conf/system-auth.orig	Wed Oct 12 21:22:27 2005
+++ conf/system-auth	Sat Jan 14 22:37:20 2006
+@@ -1,15 +1,24 @@
+-#%PAM-1.0
+-auth        required      /lib/security/$ISA/pam_env.so
+-auth        required      /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
+-auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
+-auth        required      /lib/security/$ISA/pam_deny.so
+#
+# System-wide defaults
+#
+ 
+-account     required      /lib/security/$ISA/pam_unix.so
+# auth
+auth		required	%%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf
+auth		sufficient	pam_opie.so		no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn allow_local
+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
+#auth		sufficient	pam_ssh.so		no_warn try_first_pass
+auth		required	pam_unix.so		no_warn try_first_pass nullok
+ 
+-password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
+-password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
+-password    required      /lib/security/$ISA/pam_deny.so
+# account
+#account 	required	pam_krb5.so
+account		required	pam_login_access.so
+account		required	pam_unix.so
+ 
+-session     required      /lib/security/$ISA/pam_limits.so
+-session     required      /lib/security/$ISA/pam_abl.so
+-session     required      /lib/security/$ISA/pam_unix.so
+# session
+#session 	optional	pam_ssh.so
+session		required	pam_lastlog.so		no_fail
+
+# password
+#password	sufficient	pam_krb5.so		no_warn try_first_pass
+password	required	pam_unix.so		no_warn try_first_pass
--- a/security/pam_abl/files/patch-doc-index.html
+++ b/security/pam_abl/files/patch-doc-index.html
@ -0,0 +1,75 @@
+--- doc/index.html.orig	Wed Oct 12 21:22:27 2005
+++ doc/index.html	Sat Jan 14 22:48:16 2006
+@@ -44,7 +44,7 @@
+ 			<dd>Requires <a href="http://www.sleepycat.com/products/db.shtml">Berkeley DB</a>
+ 			(tested with 4.3.21 and 4.2.50).<br />
+ 
+-			Requires a configuration file (by convention /etc/security/pam_abl.conf)</dd>
+			Requires a configuration file (by convention %%ETCPREFIX%%/etc/pam_abl.conf)</dd>
+ 
+ 			<dt>Network aware:</dt>
+ 
+@@ -171,28 +171,26 @@
+ 				<p>Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:</p>
+ 
+ 				<table class="config">
+-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
+-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
+-					<tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
+-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
+					<tr><td>auth</td><td>required</td><td>%%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
+					<tr><td>auth</td><td>required</td><td>pam_unix.so no_warn try_first_pass nullok</td></tr>
+ 				</table>
+ 
+-				<p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
+				<p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (%%ETCPREFIX%%/etc/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
+ 
+ 			</dd>
+ 
+ 			<dt>Config file syntax:</dt>
+ 
+ 			<dd>
+-				<p>The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample /etc/security/pam_abl.conf:</p>
+				<p>The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample %%ETCPREFIX%%/etc/pam_abl.conf:</p>
+ 
+ 				<table class="config">
+-					<tr><td># /etc/security/pam_abl.conf</td></tr>
+					<tr><td># %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
+ 					<tr><td>debug</td></tr>
+-					<tr><td>host_db=/var/lib/abl/hosts.db</td></tr>
+					<tr><td>host_db=%%PAMABLDB%%/hosts.db</td></tr>
+ 					<tr><td>host_purge=2d</td></tr>
+ 					<tr><td>host_rule=*:10/1h,30/1d</td></tr>
+-					<tr><td>user_db=/var/lib/abl/users.db</td></tr>
+					<tr><td>user_db=%%PAMABLDB%%/users.db</td></tr>
+ 					<tr><td>user_purge=2d</td></tr>
+ 					<tr><td>user_rule=!root:10/1h,30/1d</td></tr>
+ 				</table>
+@@ -282,21 +280,19 @@
+ 				<p>Sample PAM config fragment:</p>
+ 
+ 				<table class="config">
+-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
+-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
+-					<tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
+-					<tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
+					<tr><td>auth</td><td>required</td><td>%%PREFIX%%/lib/pam_abl.so %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
+					<tr><td>auth</td><td>required</td><td>pam_unix.so no_warn try_first_pass nullok</td></tr>
+ 				</table>
+ 
+-				<p>Sample /etc/security/pam_abl.conf:</p>
+				<p>Sample %%ETCPREFIX%%/etc/pam_abl.conf:</p>
+ 
+ 				<table class="config">
+-					<tr><td># /etc/security/pam_abl.conf</td></tr>
+					<tr><td># %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
+ 					<tr><td>debug</td></tr>
+-					<tr><td>host_db=/var/lib/abl/hosts.db</td></tr>
+					<tr><td>host_db=%%PAMABLDB%%/hosts.db</td></tr>
+ 					<tr><td>host_purge=2d</td></tr>
+ 					<tr><td>host_rule=*:10/1h,30/1d</td></tr>
+-					<tr><td>user_db=/var/lib/abl/users.db</td></tr>
+					<tr><td>user_db=%%PAMABLDB%%/users.db</td></tr>
+ 					<tr><td>user_purge=2d</td></tr>
+ 					<tr><td>user_rule=!root:10/1h,30/1d</td></tr>
+ 				</table>
--- a/security/pam_abl/files/patch-doc-pam_abl.html
+++ b/security/pam_abl/files/patch-doc-pam_abl.html
@ -0,0 +1,11 @@
+--- doc/pam_abl.html.orig	Wed Oct 12 21:22:27 2005
+++ doc/pam_abl.html	Sat Jan 14 23:00:43 2006
+@@ -15,7 +15,7 @@
+         <dd>pam_abl [OPTION] [CONFIG]</dd>
+         <dt>DESCRIPTION</dt>
+         <dd>
+-            <p>Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: /etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available</p>
+            <p>Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: %%ETCPREFIX%%/etc/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available</p>
+             <table>
+                 <tr>
+                     <td>-h, --help</td>
--- a/security/pam_abl/files/patch-pam_abl.c
+++ b/security/pam_abl/files/patch-pam_abl.c
@ -0,0 +1,24 @@
+--- pam_abl.c.orig	Wed Oct 12 21:22:26 2005
+++ pam_abl.c	Sat Jan 14 21:39:41 2006
+@@ -344,7 +344,7 @@
+         abl_args *args = data;
+         log_debug(args, "In cleanup, err is %08x", err);
+ 
+-        if (err && (err & PAM_DATA_REPLACE) == 0) {
+        if (err == PAM_AUTH_ERR) {
+             record_attempt(args);
+         }
+         config_free(args);
+@@ -359,6 +359,12 @@
+     int err = PAM_SUCCESS;
+ 
+     /*log_debug(NULL, "pam_sm_authenticate(), flags=%08x", flags);*/
+
+    if (err = pam_get_data(pamh, DATA_NAME, &args), PAM_SUCCESS == err) {
+        record_attempt(args);
+    } else if (PAM_NO_MODULE_DATA != err) {
+       return err;
+    }
+ 
+     if (args = malloc(sizeof(abl_args)), NULL == args) {
+         return PAM_BUF_ERR;
--- a/security/pam_abl/files/patch-pam_abl.h
+++ b/security/pam_abl/files/patch-pam_abl.h
@ -0,0 +1,19 @@
+--- pam_abl.h.orig	Wed Oct 12 21:22:27 2005
+++ pam_abl.h	Sat Jan 14 19:25:44 2006
+@@ -51,6 +51,7 @@
+ #define __PAM_ABL_H
+ 
+ #include <security/pam_modules.h>
+#include <security/pam_appl.h>
+ #include <db.h>
+ 
+ #include <ctype.h>
+@@ -74,7 +75,7 @@
+ /* User purge time in seconds */
+ #define USER_PURGE  (HOURSECS * 24)
+ 
+-#define CONFIG "/etc/security/pam_abl.conf"
+#define CONFIG "%%ETCPREFIX%%/etc/pam_abl.conf"
+ 
+ typedef struct abl_string {
+     struct abl_string *link;
--- a/security/pam_abl/files/patch-tools-Makefile
+++ b/security/pam_abl/files/patch-tools-Makefile
@ -0,0 +1,26 @@
+--- tools/Makefile.orig	Wed Oct 12 21:22:27 2005
+++ tools/Makefile	Sun Dec 11 00:22:30 2005
+@@ -1,18 +1,18 @@
+ # Makefile
+ 
+-CFLAGS=-Wall
+-LIBS=-ldb -lpthread
+CFLAGS=-Wall -I/usr/local/include
+LIBS=-L/usr/local/lib -ldb -lpthread
+ TARGET=pam_abl
+ OBJ=log.o config.o rule.o pam_abl.o
+-INSTDIR=/usr/bin
+INSTDIR=%%PREFIX%%/sbin
+ 
+ all : $(TARGET)
+ 
+ $(TARGET) : $(OBJ)
+-	cc $(LIBS) -o $@ $^
+	cc $(LIBS) -o $(TARGET) $(OBJ)
+ 
+ install : $(TARGET)
+-	install --mode=755 --strip $(TARGET) $(INSTDIR)
+	install -m 755 -s $(TARGET) $(INSTDIR)
+ 
+ clean :
+ 	rm -f $(TARGET) $(OBJ)
--- a/security/pam_abl/files/pkg-deinstall.in
+++ b/security/pam_abl/files/pkg-deinstall.in
@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+PATH=/bin:/usr/bin:/usr/sbin
+
+case $2 in
+DEINSTALL)
+	cd ${PKG_PREFIX}/etc || exit 1
+	cmp -s -z pam_abl.conf pam_abl.conf.sample && rm pam_abl.conf
+	rmdir %%PAMABLDB%% 2>/dev/null
+	;;
+POST-DEINSTALL)
+	pam_files="$(grep -lR '^[^#]*pam_abl\.so' /etc/pam.d ${PKG_PREFIX}/etc/pam.d)"
+	echo "===> post-deinstallation information for $1:"
+	if [ -n "${pam_files}" ]; then
+		echo ""
+		echo "     Warning: pam_able remain used for this services:"
+		for pam_file in ${pam_files}; do
+			echo "	${pam_file}"
+		done
+	fi
+	if [ -e ${PKG_PREFIX}/etc/pam_abl.conf -o -d %%PAMABLDB%% ]; then
+		echo ""
+		echo "     To ease updates, the database directory and configuration"
+		echo "     file modified by you were preserved."
+		echo ""
+		echo "     Please remove them manually if you do not want to use"
+		echo "     pam_abl any longer."
+	fi
+	echo ""
+	;;
+*)
+	exit 64
+	;;
+esac
+exit 0
--- a/security/pam_abl/files/pkg-message.in
+++ b/security/pam_abl/files/pkg-message.in
@ -0,0 +1,12 @@
+*****************************************************************************
+
+Read files in %%DOCSDIR%% for info on how to set up.
+
+*****************************************************************************
+
+To automatically purge pam_abl databases according to purge rules in config
+add to your /etc/periodic.conf this line:
+
+  daily_clean_pam_abl_enable="YES"
+
+*****************************************************************************
--- a/security/pam_abl/files/pkg-plist.in
+++ b/security/pam_abl/files/pkg-plist.in
@ -0,0 +1,8 @@
+@comment $FreeBSD$
+etc/pam_abl.conf.sample
+etc/periodic/daily/190.clean-pam-abl
+lib/pam_abl.so
+sbin/pam_abl
+@exec mkdir -p %%PAMABLDB%%
+@dirrmtry etc/periodic/daily
+@dirrmtry etc/periodic
--- a/security/pam_abl/pkg-descr
+++ b/security/pam_abl/pkg-descr
@ -0,0 +1,4 @@
+The pam_abl provides auto blacklisting of hosts and users
+responsible for repeated failed authentication attempts.
+
+WWW: http://www.hexten.net/pam_abl/