pam_shield by Walter de Jong <walter@heiho.net> (C) 2007-2011 pam_shield COMES WITH NO WARRANTY. synctool IS FREE SOFTWARE. pam_shield is distributed under terms described in the GNU General Public License. See the README file for some information about pam_shield. Read the README and this file carefully. Failure to setup pam_shield correctly, will render it useless. Building pam_shield ------------------- Pre-reqs on a Debian or Ubuntu-like system: libpam0g-dev libgdbm-dev Pre-reqs on a RedHat or Fedora-like system: pam-devel gdbm-devel There is no 'configure' script. Edit the Makefile to customize the installation directories. (install-sh is provided just in case you have no 'install' command). pam_shield consists of: - one PAM module: /lib/security/pam_shield.so or /lib64/security/pam_shield.so on 64-bit systems - one binary: /usr/sbin/shield-purge - one shell script: /usr/sbin/shield-trigger - one cron script: /etc/cron.daily/pam-shield - one config file: /etc/security/shield.conf - a gdbm database: /var/lib/pam_shield/db Type 'make' to build the software. Do a 'make install' as root to install the software. You may do 'make uninstall' to remove the software. Configuring pam_shield ---------------------- Edit the config file /etc/security/shield.conf and make sure all paths are correct. Also, create an 'allow' line for your local networks. (If you do not list your local networks, a local user may be able to lock you out (DoS attack)). pam_shield uses a shell script named shield-trigger to block and unblock sites. It will use null-routing to do so. A script named shield-trigger-iptables is provided too, which uses iptables to block sites, but beware that it needs system-specific customization to work correctly. Configuring PAM --------------- The PAM config files usually reside under /etc/pam.d/ Note that exact content of the PAM config files tends to differ between distributions. pam_shield.so must be included in the PAM configuration file for any services where it might be useful. In general, /etc/pam.d/sshd. Different configurations are possible, depending on your taste. There is a certain "play" between the config of your PAM stack and what you put into the shield.conf file, so pay attention. Here are some examples of configurations: 1. Block many failing login attempts auth sufficient pam_unix.so auth required pam_shield.so Explanation: good logins will succeed by pam_unix, and pam_shield will not even be invoked. Bad logins fall through and are caught by pam_shield, which may activate null-routing for the failing IPaddress. The shield.conf option 'block unknown-users' will do what it says, and 'block all-users' will activate the IP block even for known users _if_ there are many failed logins for that user. The options 'allow_missing_dns' and 'allow_missing_reverse' do not do anything useful in this configuration. 2. Block suspicious looking folks auth requisite pam_shield.so auth include system-auth Explanation: Every login attempt will be screened by pam_shield. If all looks well, the system may continue to authenticate the user as usual. If all is not well, pam_shield will abort the login immediately. The shield.conf options 'allow_missing_dns' and 'allow_missing_reverse' play an important role here. Missing DNS entries are suspicious because hackers use this to try stay hidden. However, pam_shield will still allow logins for _known_ users if you set 'block unknown-users'. If you enable 'block all-users', it is easy to lock yourself out from a machine that has no DNS entry. You will also block legitimate users that do too many logins in a short period of time. For example, when a user does this: for file in *; do scp $file remotemachine: ; done NB. If there are other "required" modules in the stack that must run no matter what, you may change "requisite" to "required". 3. Block login attempts no matter what auth optional pam_shield.so auth include common-auth Explanation: Let pam_shield do its job, and then do the usual stuff to authenticate the user. This is not an optimal configuration. "optional" means that pam_shield can not abort the login attempt (unless it is already null-routing the IP). The shield.conf parameters 'allow_missing_dns' and 'allow_missing_reverse' have no useful meaning here, they don't do anything in this configuration. So, if you want to be nice to the users of your system, go for config #1. If you are more paranoid, go for config #2. Whatever you do, make sure pam_shield is not the only auth module that is listed for the service. pam_shield does not do any authentication by itself and trying to run it as standalone auth module will leave your system wide open. Testing pam_shield ------------------ When testing pam_shield, be wary that you are going to lock yourself out. The safest way to test it, is to have console access with a root prompt open just in case things go wrong and you can not access your machine anymore. Edit /etc/security/shield.conf and set max_conns to a small value like 3 or so. Set the interval and the retention period both to 60 seconds. Set debug on. Now simulate an attack on your system by doing 4 quick logins to a non-existing user from a remote host. If you check the syslog (often /var/log/secure or /var/log/auth.log) you will see that pam_shield is triggering and later, expiring. To see what hosts are blocked, use any of the following commands (whichever you prefer): netstat -r route ip route show If you check the debug log (often /var/log/debug) you will see more debug info from pam_shield. pam_shield should now be completely installed and working. Edit /etc/security/shield.conf and enter sensible values for max_conns, interval and retention. It is wise to periodically check whether pam_shield is still operating correctly. EOB