Name:           pam_shield
Version:        0.9.5
Release:        8%{?dist}
Summary:        Pam Shield - A pam module to counter brute force attacks

Group:          System Environment/Libraries
License:        GPLv2
URL:            http://www.heiho.net/pam_shield/index.html
Source0:        http://www.heiho.net/pam_shield/pam_shield-0.9.5.tar.gz
Source1:        shield-trigger.8.gz
Source2:        shield-purge.8.gz
Source3:        shield-trigger-iptables.8.gz
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

BuildRequires:  pam-devel, gdbm-devel
Patch0:         shield_purge_segfault.patch
Patch1:         shield-trigger-iptables.patch

%description
This is a pam module that supports brute force blocking against pam
authentication mechanisms.

%prep
%setup -q -n pam_shield-%{version}
%patch0 -p0 -b .shield_purge_segfault
%patch1 -p0 -b .shield_trigger_iptables
#disable debug by default
sed -i -e 's/debug on/debug off/' shield.conf
#change to block all users for failed attempts
sed -i -e 's/block unknown-users/block all-users/' shield.conf
#reduce connections before block from 10 to 3
sed -i -e 's/max_conns 10/max_conns 3/' shield.conf
#reduce retention time from 1 week to 1 hour
sed -i -e 's/retention 1w/retention 1h/' shield.conf
#change the default behavior from shield-trigger to shield-trigger-iptables
#this uses iptables instead of route to block brute force attack
sed -i -e 's/shield\-trigger/shield-trigger-iptables/' shield.conf

%build
#software required -fPIC flag to build
make CFLAGS="%{optflags} -fPIC"

%check

%install
rm -rf %{buildroot}
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/security
mkdir -p -m 755 %{buildroot}%{_sysconfdir}/cron.daily
mkdir -p -m 755 %{buildroot}%{_sbindir}
mkdir -p -m 755 %{buildroot}/%{_lib}/security
mkdir -p -m 755 %{buildroot}%{_defaultdocdir}/pam_shield-%{version}
mkdir -p -m 755 %{buildroot}%{_mandir}/man8
install -m 755 pam_shield.so %{buildroot}/%{_lib}/security/
install -m 755 -T pam_shield.cron %{buildroot}%{_sysconfdir}/cron.daily/pam_shield
install -m 755 shield-trigger %{buildroot}%{_sbindir}/
install -m 755 shield-trigger-iptables %{buildroot}%{_sbindir}/
install -m 755 shield-purge %{buildroot}%{_sbindir}/
install -m 644 shield.conf %{buildroot}%{_sysconfdir}/security/
mkdir -p -m 700 %{buildroot}/var/lib/pam_shield
mkdir -p -m 755 %{buildroot}%{_defaultdocdir}/pam_shield-%{version}
install -m 644 INSTALL %{buildroot}%{_defaultdocdir}/pam_shield-%{version}/
install -m 644 README %{buildroot}%{_defaultdocdir}/pam_shield-%{version}/
install -m 644 GPL %{buildroot}%{_defaultdocdir}/pam_shield-%{version}/LICENSE
install -m 644 CREDITS %{buildroot}%{_defaultdocdir}/pam_shield-%{version}/
install -m 644 Changelog %{buildroot}%{_defaultdocdir}/pam_shield-%{version}/
install -m 644 %{SOURCE1} %{buildroot}%{_mandir}/man8/
install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
install -m 644 %{SOURCE3} %{buildroot}%{_mandir}/man8/

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root)
/%{_lib}/security/pam_shield.so
%dir %{_defaultdocdir}/pam_shield-%{version}/
%doc %{_defaultdocdir}/pam_shield-%{version}/INSTALL
%doc %{_defaultdocdir}/pam_shield-%{version}/README
%doc %{_defaultdocdir}/pam_shield-%{version}/LICENSE
%doc %{_defaultdocdir}/pam_shield-%{version}/CREDITS
%doc %{_defaultdocdir}/pam_shield-%{version}/Changelog
%doc %{_mandir}/man8/shield-trigger.8.gz
%doc %{_mandir}/man8/shield-purge.8.gz
%doc %{_mandir}/man8/shield-trigger-iptables.8.gz
%config(noreplace) %{_sysconfdir}/security/shield.conf
%dir /var/lib/pam_shield
%{_sysconfdir}/cron.daily/pam_shield
%{_sbindir}/shield-trigger
%{_sbindir}/shield-purge
%{_sbindir}/shield-trigger-iptables

%changelog
* Sat Apr 30 2011 Carl Thompson <fedora@red-dragon.com> 0.9.5-8
- patches shield-trigger-iptables to insert rules instead of add
- and added checks for chain existence and creation if necessary
- before adding rules to iptables/ip6tables and dropped the
- destination port so it can be used for any service

* Sun Apr 10 2011 Carl Thompson <fedora@red-dragon.com> 0.9.5-7
- restored /var/lib/pam_shield to 700

* Sat Apr 9 2011 Carl Thompson <fedora@red-dragon.com> 0.9.5-6
- fixed the permissions duplications
- changed permissions on /var/lib/pam_shield to 755
- changed permissions on pam_shield.so to 755
- removed -s flag from install command to preserve
- debuginfo data

* Fri Apr 8 2011 Carl Thompson <fedora@red-dragon.com> 0.9.5-5
- fixed issues with my implementation of %%{optflags}
- this in turn fixed the empty -debug package

* Thu Apr 7 2011 Carl Thompson <fedora@red-dragon.com> 0.9.5-4
- fixed a typo in previous release in %%build section

* Thu Apr 7 2011 Carl Thompson <fedora@red-dragon.com> 0.9.5-3
- updated %%build section with %%{optflags}

* Mon Mar 28 2011 Carl Thompson <fedora@red-dragon.com> 0.9.5-2
- included shield-trigger-iptables
- changed default blocking method from route to iptables
- modified default retention policy from 1 week to 1 hour
- added man page for shield-trigger-iptables
- fixed typos in man page for shield-purge

* Sat Mar 26 2011 Carl Thompson <fedora@red-dragon.com> 0.9.5-1
- Initial package