[packages/pam-pam_shield] new, version 0.9.5

glen glen at pld-linux.org
Wed Mar 13 14:08:32 CET 2013


commit ad55c38f6b03104ed965012b3c5b4941b1e35e7c
Author: Elan Ruusamäe <glen at delfi.ee>
Date:   Wed Mar 13 15:07:51 2013 +0200

    new, version 0.9.5
    
    based on fedora package
    b7b5f597c0e7a40447682bd43358738ddb2dec17

 pam-pam_shield.spec           | 93 +++++++++++++++++++++++++++++++++++++++++++
 shield-trigger-iptables.patch | 38 ++++++++++++++++++
 shield_purge_segfault.patch   | 10 +++++
 3 files changed, 141 insertions(+)
---
diff --git a/pam-pam_shield.spec b/pam-pam_shield.spec
new file mode 100644
index 0000000..1b8e00a
--- /dev/null
+++ b/pam-pam_shield.spec
@@ -0,0 +1,93 @@
+# TODO
+# - no idea about selinux stuff in scriptlets. enable if tested and working
+%define		modulename	pam_shield
+Summary:	Pam Shield - A pam module to counter brute force attacks
+Name:		pam-%{modulename}
+Version:	0.9.5
+Release:	0.1
+License:	GPL v2
+Group:		Libraries
+URL:		http://www.heiho.net/pam_shield/index.html
+Source0:	http://www.heiho.net/pam_shield/pam_shield-%{version}.tar.gz
+# Source0-md5:	cbfcd96fad38943ed78fd4d37307aba2
+Source1:	shield-trigger.8.gz
+# Source1-md5:	df589554cb2a80dca43793e127090a0b
+Source2:	shield-purge.8.gz
+# Source2-md5:	88ba04e0a41db33d386b723358cc76b0
+Source3:	shield-trigger-iptables.8.gz
+# Source3-md5:	798818abd2b963c6c2dc6259cba4c661
+BuildRequires:	gdbm-devel
+BuildRequires:	pam-devel
+Requires:	policycoreutils-python
+Patch0:		shield_purge_segfault.patch
+Patch1:		shield-trigger-iptables.patch
+BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%description
+This is a pam module that supports brute force blocking against pam
+authentication mechanisms.
+
+%prep
+%setup -q -n %{modulename}-%{version}
+%patch0 -p0
+%patch1 -p0
+
+# disable debug by default
+sed -i -e 's/debug on/debug off/' shield.conf
+# change to block all users for failed attempts
+sed -i -e 's/block unknown-users/block all-users/' shield.conf
+# reduce connections before block from 10 to 3
+sed -i -e 's/max_conns 10/max_conns 3/' shield.conf
+# reduce retention time from 1 week to 1 hour
+sed -i -e 's/retention 1w/retention 1h/' shield.conf
+# change the default behavior from shield-trigger to shield-trigger-iptables
+# this uses iptables instead of route to block brute force attack
+sed -i -e 's/shield\-trigger/shield-trigger-iptables/' shield.conf
+
+%build
+# software required -fPIC flag to build
+%{__make} \
+	CC="%{__cc}" \
+	CFLAGS="%{rpmcflags} -fPIC"
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT{/etc/{security,cron.daily},/%{_lib}/security,%{_sbindir},%{_mandir}/man8,/var/lib/pam_shield}
+install -p pam_shield.so $RPM_BUILD_ROOT/%{_lib}/security
+install -p pam_shield.cron $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily/pam_shield
+install -p shield-trigger $RPM_BUILD_ROOT%{_sbindir}
+install -p shield-trigger-iptables $RPM_BUILD_ROOT%{_sbindir}
+install -p shield-purge $RPM_BUILD_ROOT%{_sbindir}
+cp -p shield.conf $RPM_BUILD_ROOT/etc/security
+cp -p %{SOURCE1} %{SOURCE2} %{SOURCE3} $RPM_BUILD_ROOT%{_mandir}/man8
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%if 0
+%post
+semanage fcontext -a -t var_auth_t '/var/lib/pam_shield' 2>/dev/null || :
+restorecon -R /var/lib/pam_shield || :
+
+%postun
+if [ $1 -eq 0 ]; then
+	semanage fcontext -d -t var_auth_t '/var/lib/pam_shield' 2>/dev/null || :
+	if [ -e "/var/lib/pam_shield/db" ]; then
+		rm -f /var/lib/pam_shield/db
+	fi
+fi
+%endif
+
+%files
+%defattr(644,root,root,755)
+%doc INSTALL README CREDITS Changelog
+%config(noreplace) %verify(not md5 mtime size) /etc/security/shield.conf
+%attr(755,root,root) /%{_lib}/security/pam_shield.so
+%attr(755,root,root) %{_sbindir}/shield-trigger
+%attr(755,root,root) %{_sbindir}/shield-purge
+%attr(755,root,root) %{_sbindir}/shield-trigger-iptables
+%{_mandir}/man8/shield-trigger.8*
+%{_mandir}/man8/shield-purge.8*
+%{_mandir}/man8/shield-trigger-iptables.8*
+%dir /var/lib/pam_shield
+%attr(755,root,root) /etc/cron.daily/pam_shield
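Review bot: `Requires: policycoreutils-python` (line 47) is a hard runtime dependency whose only consumers, the `semanage`/`restorecon` scriptlets, are compiled out by the `%if 0` at lines 93–105, so every install pulls in Python and the SELinux tooling for nothing; move the Requires inside that same `%if 0` block or drop it until the scriptlets are enabled, as the TODO at the top of the spec already anticipates. The %prep hardening of shield.conf has a related weakness: the five `sed -i` calls at lines 62–71 never check that their patterns matched, so an upstream wording change would silently ship the upstream defaults (`block unknown-users`, `max_conns 10`, `retention 1w`, plain `shield-trigger`) under the same package name; a guard such as `grep -q '^max_conns 3' shield.conf || exit 1` after the seds turns a mismatch into a build failure instead. Minor: the install section mixes the literal `/etc` (lines 81, 87) with `%{_sysconfdir}` (line 83) for the same tree.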
diff --git a/shield-trigger-iptables.patch b/shield-trigger-iptables.patch
new file mode 100644
index 0000000..2d10da3
--- /dev/null
+++ b/shield-trigger-iptables.patch
@@ -0,0 +1,38 @@
+--- shield-trigger-iptables	2011-01-12 13:59:18.000000000 -0600
++++ shield-trigger-iptables	2011-04-30 18:31:36.373742766 -0500
+@@ -32,6 +32,25 @@
+ 		IPT=ip6tables
+ 	fi
+ 
++#	switch -A for iptables to -I
++	if [ "$1" == "-A" ]
++	then
++		TASK="-I"
++	else
++		TASK="-D"
++	fi
++
++#	check to see if pam_shield chain exists and create if necessary
++	if [ "$TASK" == "-I" ]
++	then
++		CHAIN_TEST=`$IPT -L pam_shield 2>/dev/null`
++		if [ -z "$CHAIN_TEST" ]
++		then
++			"$IPT" -N pam_shield
++			"$IPT" -I pam_shield -j DROP
++		fi
++	fi
++
+ #
+ #	CUSTOMIZE THIS RULE
+ #
+@@ -43,7 +62,8 @@
+ #	* put in the correct port number (22 is ssh)
+ #	* add additional rules for additional services as needed
+ #
+-	"$IPT" "$1" INPUT -i eth0 -p tcp -s "$2" --destination-port 22 -j pam_shield
++
++	"$IPT" "$TASK" INPUT -i eth0 -p tcp -s "$2" -j pam_shield
+ 
+ #	mail -s "[security] pam_shield blocked $2" root <<EOF
+ #Another monkey kept off our backs ...
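Review bot: The chain-existence test at hunk line 143 (`CHAIN_TEST=\`$IPT -L pam_shield 2>/dev/null\``) decides on captured output rather than on the exit status, and `-L` without `-n` performs a reverse DNS lookup for every address already in the chain, which can stall this trigger exactly when a host is under sustained attack; `if ! "$IPT" -n -L pam_shield >/dev/null 2>&1; then` tests the same condition without the lookups, keeps `$IPT` quoted like the rest of the script, and drops the temporary variable. The `[ "$1" == "-A" ]` comparisons at lines 133 and 141 rely on the bash-only `==`; the shebang is outside the hunk, so if the script is ever run by plain `sh`, `=` is the portable form. The replacement rule at line 160 drops `--destination-port 22`, so the source is now blocked for all TCP, but the untouched comment at line 155 still says to "put in the correct port number (22 is ssh)" and should be updated to match. The enclosing script body starts before and ends after this hunk.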
diff --git a/shield_purge_segfault.patch b/shield_purge_segfault.patch
new file mode 100644
index 0000000..9e762a9
--- /dev/null
+++ b/shield_purge_segfault.patch
@@ -0,0 +1,10 @@
+--- shield_purge.c	2011-03-26 23:00:30.664610809 -0500
++++ shield_purge.c	2011-03-26 23:39:42.983519849 -0500
+@@ -74,6 +74,7 @@
+ 	{ "dry-run",	0, NULL, 'n' },
+ 	{ "list",		0, NULL, 'l' },
+ 	{ "force",		0, NULL, 'f' },
++	{ 0,	0, NULL, 0 },
+ };
+ 
+ 	while((opt = getopt_long(argc, argv, "hdc:nlf", long_options, NULL)) != -1) {
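Review bot: The sentinel `{ 0,	0, NULL, 0 },` at hunk line 176 is the right fix for the missing getopt_long(3) terminator, but the first member of `struct option` is `const char *name`, so `NULL` is the consistent spelling and `	{ NULL,		0, NULL, 0 },` also lines the columns up with the entries above. A one-line comment would keep a future clean-up from removing the entry again, for example `/* getopt_long(3) requires a zero-filled terminating entry */`. The enclosing function (the `long_options` table and the option loop) starts and ends outside the hunk.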

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/pam-pam_shield.git/commitdiff/ad55c38f6b03104ed965012b3c5b4941b1e35e7c


