commit ad55c38f6b03104ed965012b3c5b4941b1e35e7c
Author: Elan Ruusamäe <[email protected]>
Date:   Wed Mar 13 15:07:51 2013 +0200

    new, version 0.9.5
    
    based on fedora package
    b7b5f597c0e7a40447682bd43358738ddb2dec17

 pam-pam_shield.spec           | 93 +++++++++++++++++++++++++++++++++++++++++++
 shield-trigger-iptables.patch | 38 ++++++++++++++++++
 shield_purge_segfault.patch   | 10 +++++
 3 files changed, 141 insertions(+)
---
diff --git a/pam-pam_shield.spec b/pam-pam_shield.spec
new file mode 100644
index 0000000..1b8e00a
--- /dev/null
+++ b/pam-pam_shield.spec
@@ -0,0 +1,93 @@
+# TODO
+# - no idea about selinux stuff in scriptlets. enable if tested and working
+%define                modulename      pam_shield
+Summary:       Pam Shield - A pam module to counter brute force attacks
+Name:          pam-%{modulename}
+Version:       0.9.5
+Release:       0.1
+License:       GPL v2
+Group:         Libraries
+URL:           http://www.heiho.net/pam_shield/index.html
+Source0:       http://www.heiho.net/pam_shield/pam_shield-%{version}.tar.gz
+# Source0-md5: cbfcd96fad38943ed78fd4d37307aba2
+Source1:       shield-trigger.8.gz
+# Source1-md5: df589554cb2a80dca43793e127090a0b
+Source2:       shield-purge.8.gz
+# Source2-md5: 88ba04e0a41db33d386b723358cc76b0
+Source3:       shield-trigger-iptables.8.gz
+# Source3-md5: 798818abd2b963c6c2dc6259cba4c661
+BuildRequires: gdbm-devel
+BuildRequires: pam-devel
+Requires:      policycoreutils-python
+Patch0:                shield_purge_segfault.patch
+Patch1:                shield-trigger-iptables.patch
+BuildRoot:     %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%description
+This is a pam module that supports brute force blocking against pam
+authentication mechanisms.
+
+%prep
+%setup -q -n %{modulename}-%{version}
+%patch0 -p0
+%patch1 -p0
+
+# disable debug by default
+sed -i -e 's/debug on/debug off/' shield.conf
+# change to block all users for failed attempts
+sed -i -e 's/block unknown-users/block all-users/' shield.conf
+# reduce connections before block from 10 to 3
+sed -i -e 's/max_conns 10/max_conns 3/' shield.conf
+# reduce retention time from 1 week to 1 hour
+sed -i -e 's/retention 1w/retention 1h/' shield.conf
+# change the default behavior from shield-trigger to shield-trigger-iptables
+# this uses iptables instead of route to block brute force attack
+sed -i -e 's/shield\-trigger/shield-trigger-iptables/' shield.conf
+
+%build
+# software required -fPIC flag to build
+%{__make} \
+       CC="%{__cc}" \
+       CFLAGS="%{rpmcflags} -fPIC"
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d 
$RPM_BUILD_ROOT{/etc/{security,cron.daily},/%{_lib}/security,%{_sbindir},%{_mandir}/man8,/var/lib/pam_shield}
+install -p pam_shield.so $RPM_BUILD_ROOT/%{_lib}/security
+install -p pam_shield.cron $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily/pam_shield
+install -p shield-trigger $RPM_BUILD_ROOT%{_sbindir}
+install -p shield-trigger-iptables $RPM_BUILD_ROOT%{_sbindir}
+install -p shield-purge $RPM_BUILD_ROOT%{_sbindir}
+cp -p shield.conf $RPM_BUILD_ROOT/etc/security
+cp -p %{SOURCE1} %{SOURCE2} %{SOURCE3} $RPM_BUILD_ROOT%{_mandir}/man8
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%if 0
+%post
+semanage fcontext -a -t var_auth_t '/var/lib/pam_shield' 2>/dev/null || :
+restorecon -R /var/lib/pam_shield || :
+
+%postun
+if [ $1 -eq 0 ]; then
+       semanage fcontext -d -t var_auth_t '/var/lib/pam_shield' 2>/dev/null || 
:
+       if [ -e "/var/lib/pam_shield/db" ]; then
+               rm -f /var/lib/pam_shield/db
+       fi
+fi
+%endif
+
+%files
+%defattr(644,root,root,755)
+%doc INSTALL README CREDITS Changelog
+%config(noreplace) %verify(not md5 mtime size) /etc/security/shield.conf
+%attr(755,root,root) /%{_lib}/security/pam_shield.so
+%attr(755,root,root) %{_sbindir}/shield-trigger
+%attr(755,root,root) %{_sbindir}/shield-purge
+%attr(755,root,root) %{_sbindir}/shield-trigger-iptables
+%{_mandir}/man8/shield-trigger.8*
+%{_mandir}/man8/shield-purge.8*
+%{_mandir}/man8/shield-trigger-iptables.8*
+%dir /var/lib/pam_shield
+%attr(755,root,root) /etc/cron.daily/pam_shield
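Review bot: The four `sed -i` rewrites in %prep (debug, block, max_conns, retention, trigger name) flip security-sensitive defaults but give no signal when the upstream key or value drifts — a non-matching pattern silently leaves the stock setting in place and the build still succeeds. Guard each one, e.g. `grep -q 'block unknown-users' shield.conf || exit 1` before the corresponding sed, or verify the result afterwards with `grep -q 'block all-users' shield.conf || exit 1`. The `block all-users` plus `max_conns 3` combination means three failures from one address lock out every account coming from that address for the retention window, which deserves a line in %description or a comment next to the sed so deployers expect it. Separately, `Requires: policycoreutils-python` pulls in SELinux tooling only for the `semanage` calls that the `%if 0` block disables, so either drop the Requires or move it inside the same conditional.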
diff --git a/shield-trigger-iptables.patch b/shield-trigger-iptables.patch
new file mode 100644
index 0000000..2d10da3
--- /dev/null
+++ b/shield-trigger-iptables.patch
@@ -0,0 +1,38 @@
+--- shield-trigger-iptables    2011-01-12 13:59:18.000000000 -0600
++++ shield-trigger-iptables    2011-04-30 18:31:36.373742766 -0500
+@@ -32,6 +32,25 @@
+               IPT=ip6tables
+       fi
+ 
++#     switch -A for iptables to -I
++      if [ "$1" == "-A" ]
++      then
++              TASK="-I"
++      else
++              TASK="-D"
++      fi
++
++#     check to see if pam_shield chain exists and create if necessary
++      if [ "$TASK" == "-I" ]
++      then
++              CHAIN_TEST=`$IPT -L pam_shield 2>/dev/null`
++              if [ -z "$CHAIN_TEST" ]
++              then
++                      "$IPT" -N pam_shield
++                      "$IPT" -I pam_shield -j DROP
++              fi
++      fi
++
+ #
+ #     CUSTOMIZE THIS RULE
+ #
+@@ -43,7 +62,8 @@
+ #     * put in the correct port number (22 is ssh)
+ #     * add additional rules for additional services as needed
+ #
+-      "$IPT" "$1" INPUT -i eth0 -p tcp -s "$2" --destination-port 22 -j 
pam_shield
++
++      "$IPT" "$TASK" INPUT -i eth0 -p tcp -s "$2" -j pam_shield
+ 
+ #     mail -s "[security] pam_shield blocked $2" root <<EOF
+ #Another monkey kept off our backs ...
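Review bot: The chain-existence test `CHAIN_TEST=\`$IPT -L pam_shield 2>/dev/null\`` keys off listing output rather than the exit status, and `-L` without `-n` resolves every address in the chain through DNS, so each trigger gets slower as more hosts are blocked; use the exit code instead, `if ! "$IPT" -n -L pam_shield >/dev/null 2>&1; then` followed by the existing `-N`/`-I` lines and `fi`. The rewritten INPUT rule also drops the `--destination-port 22` match, so a source is now dropped for all TCP on eth0 rather than SSH only — whether or not that is intended, the `CUSTOMIZE THIS RULE` comment above it should state it. `[ "$1" == "-A" ]` is a bashism; if the script runs under a POSIX sh the comparison should be `=`, but the shebang is outside this hunk.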
diff --git a/shield_purge_segfault.patch b/shield_purge_segfault.patch
new file mode 100644
index 0000000..9e762a9
--- /dev/null
+++ b/shield_purge_segfault.patch
@@ -0,0 +1,10 @@
+--- shield_purge.c     2011-03-26 23:00:30.664610809 -0500
++++ shield_purge.c     2011-03-26 23:39:42.983519849 -0500
+@@ -74,6 +74,7 @@
+       { "dry-run",    0, NULL, 'n' },
+       { "list",               0, NULL, 'l' },
+       { "force",              0, NULL, 'f' },
++      { 0,    0, NULL, 0 },
+ };
+ 
+       while((opt = getopt_long(argc, argv, "hdc:nlf", long_options, NULL)) != 
-1) {
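Review bot: The added sentinel `{ 0, 0, NULL, 0 }` supplies the terminator that `getopt_long` needs to stop scanning `long_options`, but nothing in the array says so; add `/* getopt_long(3) requires an all-zero terminating element */` above it so a later edit does not append options after it or drop it as noise. The enclosing function continues outside the hunk.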