> > > I've tried that too and it was a good suggestion > > > as su now crashes only if you enter a wrong password. > > > I've also tried to rebuild rpmforge srpm with no luck. > > > Could you really make this thing work? I mean did it > > > actually block anything after a series of failed logins? > > > > As I said, we use it for various services on all Internet-bound systems. > > And yes it works fine. Example: /etc/pam.d/sshd > > > > ------ > > #%PAM-1.0 > > auth optional pam_shield.so > > auth include system-auth > > account required pam_nologin.so > > account include system-auth > > password include system-auth > > session optional pam_keyinit.so force revoke > > session include system-auth > > session required pam_loginuid.so > > ------ > > > > You don't want to add this to /etc/pam.d/system-auth simply because it > > makes no sense to enable pam_shield for things like su, screen, reboot, > > etc... If you understand what pam_shield does (eg. read the > > documentation), you'd never want to enable it for all PAM services that > > use system-auth. EVER. > > I'm in no way a pam expert, yes. > So I have to rely on the documentation which comes with the package. > > # cat /usr/share/doc/pam_shield-0.9.3/INSTALL > ... > If you want to use pam_shield for all services, > edit /etc/pam.d/common-auth. > Add the line > > auth optional pam_shield.so > > and that's that. > ... > > And that's about the only hint on how and where to enable pam_shield. > I've tried to add this line to /etc/pam.d/sshd too. > Fortunately it didn't crash anything but it didn't work either. Here's the story for those interested. With the default of allow_missing_dns no allow_missing_reverse no pam_shield DOESN'T BLOCK hosts with no or incomplete dns entries, which is a surprise. Should I say a big one? The reason it didn't work for me was that bind wasn't adding reverse maps for my local hosts because of screwed up zone file permissions. On a side note, when testing pam_shield with a recommended retention period of 60 secs you have to run /etc/cron.daily/pam-shield manually to release expired locks. HTH