From 71b4f79db5d87aba6d59d5e84c4181d7af0486c5 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 8 Oct 2014 20:47:40 +0000
Subject: [PATCH] Add pam_shield role to replace denyhosts on rhel7 machines
---
 roles/pam_shield/files/shield.conf | 103 +++++++++++++++++++++++++++++
 roles/pam_shield/files/sshd | 16 +++++
 roles/pam_shield/tasks/main.yml | 16 +++++
 3 files changed, 135 insertions(+)
 create mode 100644 roles/pam_shield/files/shield.conf
 create mode 100644 roles/pam_shield/files/sshd
 create mode 100644 roles/pam_shield/tasks/main.yml
diff --git a/roles/pam_shield/files/shield.conf b/roles/pam_shield/files/shield.conf
new file mode 100644
index 0000000000..9847147557
--- /dev/null
+++ b/roles/pam_shield/files/shield.conf
@@ -0,0 +1,103 @@
+#
+# /etc/security/shield.conf
+#
+
+#
+# log debugging info to syslog
+#
+debug off
+
+#
+# block all-users blocks only unknown users
+# block all-users blocks everyone
+#
+block all-users
+
+#
+# is it OK for the remote host to have no DNS entry?
+#
+allow_missing_dns yes
+
+#
+# is it OK for the remote host to have no reverse DNS entry?
+#
+allow_missing_reverse yes
+
+#
+# allow these hosts or networks by name
+#
+allow localhost
+# allow .localdomain
+
+#bastion
+allow 10.5.126.11
+allow 10.5.126.12
+allow 192.168.0.1
+#lockbox
+allow 10.5.126.23
+# don't block lockbox's remote addr, either
+allow 209.132.181.6
+
+#noc1
+allow noc1.phx2.fedoraproject.org
+allow 10.5.126.41
+allow 192.168.1.10
+allow 209.132.181.35
+
+# RDU NAT
+allow 66.187.233.202
+allow 66.187.233.206
+# RH NAT
+allow 66.187.230.200
+# PHX2 NAT
+allow 209.132.181.102
+# tlv RHT NAT
+allow 66.187.237.10
+# brno RHT NAT
+allow 209.132.186.34
+# IUD RHT NAT
+allow 66.187.233.203
+
+#
+# never lock out this network
+# You should list all your local networks here to make sure no local user can
+# lock you out from the inside
+#
+allow 127.0.0.1/255.0.0.0
+
+# this syntax is also supported:
+#allow 127.0.0.1/8
+
+
+#
+# location of the database file
+#
+db /var/lib/pam_shield/db
+
+#
+# external command that is run when a site should be blocked/unblocked
+#
+trigger_cmd /usr/sbin/shield-trigger
+
+#
+# number of connections per interval from one site that triggers us
+#
+max_conns 15
+
+#
+# the interval and retention period may be specified in seconds, or
+# with a postfix:
+#
+# 1s seconds 1w weeks
+# 1m minutes 1M months (30 days)
+# 1h hours 1y years
+# 1d days
+#
+interval 5m
+
+#
+# period until the entry expires from the database again
+#
+retention 5d
+
+# EOB
diff --git a/roles/pam_shield/files/sshd b/roles/pam_shield/files/sshd
new file mode 100644
index 0000000000..1e7e64504d
--- /dev/null
+++ b/roles/pam_shield/files/sshd
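Review bot: The comment above `block all-users` contradicts itself — `# block all-users blocks only unknown users` and `# block all-users blocks everyone` describe the same keyword with opposite meanings, so the first line presumably should read `# block unknown-users blocks only unknown users`, which is the other value pam_shield accepts. Separately, the allow list exempts several shared NAT egress addresses (the RDU, RH, PHX2, tlv, brno and IUD entries), and anything behind those NATs can never be rate-limited by this module; a comment such as `# NOTE: shared NAT egress - failed logins from behind these NATs are never blocked` would make that trade-off explicit for the next maintainer. The hostname entry `allow noc1.phx2.fedoraproject.org` depends on name resolution at check time while the same host is already covered by its three IP entries in the `#noc1` block, so it could be dropped or annotated as redundant.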
@@ -0,0 +1,16 @@
+#%PAM-1.0
+auth required pam_shield.so
+auth required pam_sepermit.so
+auth substack password-auth
+auth include postlogin
+account required pam_nologin.so
+account include password-auth
+password include password-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
+session optional pam_keyinit.so force revoke
+session include password-auth
+session include postlogin
diff --git a/roles/pam_shield/tasks/main.yml b/roles/pam_shield/tasks/main.yml
new file mode 100644
index 0000000000..b031f00248
--- /dev/null
+++ b/roles/pam_shield/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+#install pam_shield
+- name: install pam_shield
+ yum: name=pam_shield state=installed
+ tags:
+ - packages
+
+- name: /etc/security/shield.conf
+ copy: src=shield.conf dest=/etc/security/shield.conf
+ tags:
+ - config
+
+- name: Put new sshd pam file in place
+ copy: src=sshd dest=/etc/pam.d/sshd
+ tags:
+ - config
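Review bot: The new file replaces all of /etc/pam.d/sshd but carries no comment saying how it differs from the distribution's file, so a later package update to the stock PAM stack will silently diverge from this copy; a header right after `#%PAM-1.0` such as `# Managed by ansible (roles/pam_shield): stock RHEL7 sshd stack with pam_shield.so prepended to auth` would let the next maintainer re-diff against the package version. Because `auth required pam_shield.so` is the first rule of the auth stack, a host where the module is not installed would most likely fail every ssh authentication once this file is in place, so the header should also name that dependency on the pam_shield package.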
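Review bot: Neither `copy:` task sets `owner`, `group` or `mode`, so the permissions of /etc/security/shield.conf and /etc/pam.d/sshd depend on the connecting user's umask; `copy: src=sshd dest=/etc/pam.d/sshd owner=root group=root mode=0644` (and the same for shield.conf) pins what PAM configuration is expected to have. The `config` tag also allows the pam file to be deployed without the `packages` tag, i.e. before pam_shield is installed, which with `auth required pam_shield.so` first in the stack would likely break every ssh login on that host; giving the yum task the `config` tag as well keeps the two steps together. `state=installed` is an accepted alias, but `state=present` is the documented spelling for the yum module.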