[CentOS] Ignorant question on pam_shield

Sun Aug 29 18:33:49 UTC 2010
Nataraj <incoming-centos at rjl.com>

Timothy Murphy wrote:
> I've seen pam_shield recommended several times
> for protecting against malicious login attempts;
> but I'm not quite clear if this requires one
> to be already running some pam-based software?
>
> Also, I'm running shorewall,
> and would prefer a shorewall based protection,
> but the advice I read on googling for this
> seemed excessively complicated.
>
>
>   
It is my understanding that most, if not all authentication in CentOS 
(and most of the major linux distributions) is routed through PAM, and 
thus pam_shield could probably be inserted in the authentication path.  
Since shorewall is linux based, I would think you could install pam_shield.

Pam shield does sound useful and I intend to deploy on several of my 
systems.  Another alternative. which I find attractive in cases where 
access is only for the purpose of system management and not for  end 
user access, is fwknop http://cipherdyne.org/fwknop/

With fwknop, you completely block access to your services.  Then when 
you remotely authenticate to fwknopd, it adds iptables rules to open up 
the ports
that you request access to, only from your ip address.  fwknopd uses 
promiscuous mode to sniff the network for udp authentication packets, so 
a remote attacker has no idea that it is running since there is no 
listener.  Remote users simply don't see the services that are blocked.  
The fwknop client uses gpg keys for authentication, so if you set your 
keyrings and timeouts up correctly, you won't have to keep typing a 
password to reauthenticate. 

 I have been running fwknop for several years and have found it to be 
quite solid and reliable.  I don't know what shorewall would do about 
having another application add rules to the iptables chains.

Nataraj