Pam_shield Succeeding blockhosts.py

For a while now I've suggested blockhosts to customers who are unable to use firewalls for one reason or another (I'm not always entirely sure what those reasons could be!) but still want to stop brute-force attacks on various services.

While I don't mind 'hackish' things, I never really came to terms with it properly, even after writing a patch for it. Today I gave pam_shield a go, and I was surprised by how simple it was.

Just download the tarball, extract it, install gdbm-devel and pam-devel (on RHEL/CentOS machines; pam_shield keeps its state in a GDBM database and builds against the PAM headers) and compile it. Then edit /etc/security/shield.conf to your liking. The defaults are alright, but you might want to put your own network in the allow list so that the hosts you administer from can never be blocked. After that, stick

    auth optional pam_shield.so

at the top of /etc/pam.d/sshd and you're good to go. Keep the control flag as 'optional' rather than 'required': pam_shield is there to record attempts and trigger the block, and its own return value should never decide the outcome of the authentication.

While you test this, I suggest you either use a callback (trigger) script that only logs what it would have blocked, or set the retention ridiculously low, just in case you accidentally lock yourself out. By default, pam_shield null-routes offending IPs via its trigger script. Should you wish to unblock an IP blocked by mistake, first apply appropriate lart to the user in question, then run:

    route del offending.ip.here gw 127.0.0.1 lo

to drop the null route from the routing table (route -n will confirm it is gone). This said, I have yet to look at a few other solutions out there, such as Fail2Ban, but I really have yet to read or hear anything about it which would sway me away from pam_shield.
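As an added example of the callback script idea above (this is not the trigger script shipped with pam_shield, and it assumes pam_shield's stock convention of invoking the trigger as `shield-trigger add <ip>` / `shield-trigger del <ip>`), here is a POSIX sh trigger that validates the address it is handed, refuses to null-route a hypothetical PROTECTED list of management addresses so a mistyped password from your own workstation cannot lock you out, logs every action, and can be dry-run without root by overriding ROUTE (for example ROUTE=echo). Exact-match protection only is shown here; networks are better handled by the allow list in shield.conf.

```shell
#!/bin/sh
# Hypothetical pam_shield trigger script (added example, not the project's own).
# Assumed calling convention, as with pam_shield's stock trigger:
#   shield-trigger add <ip>   -> install a null route for <ip>
#   shield-trigger del <ip>   -> remove it again when retention expires

# Addresses that must never be null-routed (assumption: set to your management hosts).
PROTECTED="${PROTECTED:-127.0.0.1 192.0.2.10}"
# Route command; override with ROUTE=echo (or ROUTE=true) to dry-run without root.
ROUTE="${ROUTE:-route}"

log_msg() {
    echo "shield-trigger: $*" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -t shield-trigger "$*" 2>/dev/null || true
    fi
}

# valid_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with every octet in 0-255.
# Runs in a subshell so changing IFS for the split does not leak out.
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*) return 1 ;;   # anything but digits and dots is rejected
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] || return 1          # empty octet, e.g. "1..2.3"
        [ ${#o} -le 3 ] || return 1      # keeps the numeric test safe
        [ "$o" -le 255 ] || return 1
    done
    return 0
)

# is_protected ADDR -> exit 0 if ADDR is on the PROTECTED list (exact match).
is_protected() {
    for p in $PROTECTED; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# shield_trigger add|del ADDR -> runs the route command; non-zero on refusal or error.
shield_trigger() {
    action=$1
    ip=$2
    if ! valid_ipv4 "$ip"; then
        log_msg "refusing malformed address '$ip'"
        return 2
    fi
    case $action in
        add)
            if is_protected "$ip"; then
                log_msg "refusing to null-route protected address $ip"
                return 3
            fi
            $ROUTE add -host "$ip" gw 127.0.0.1 lo
            ;;
        del)
            $ROUTE del -host "$ip" gw 127.0.0.1 lo
            ;;
        *)
            log_msg "unknown action '$action'"
            return 2
            ;;
    esac
    rc=$?
    log_msg "$action null route for $ip (exit $rc)"
    return $rc
}

# When run as a script by pam_shield, act on the arguments; when sourced, only define.
if [ $# -ge 1 ]; then
    shield_trigger "$@"
    exit $?
fi
```

Install it in place of the stock trigger (or point shield.conf's trigger setting at it), test it first with ROUTE=echo to see the exact route commands it would issue, and keep the PROTECTED list in step with the allow list in shield.conf.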

Feb 20th, 2008