Add pam_shield role to replace denyhosts on rhel7 machines

2014-10-08 20:47:40 +00:00 · 2014-10-08 20:47:40 +00:00 · 71b4f79db5
commit 71b4f79db5
parent aa1eb5fa09
3 changed files with 135 additions and 0 deletions
--- a/roles/pam_shield/files/shield.conf
+++ b/roles/pam_shield/files/shield.conf
@ -0,0 +1,103 @@
+#
+#	/etc/security/shield.conf
+#
+
+#
+#	log debugging info to syslog
+#
+debug off
+
+#
+#	block all-users		blocks only unknown users
+#	block all-users			blocks everyone
+#
+block all-users
+
+#
+#	is it OK for the remote host to have no DNS entry?
+#
+allow_missing_dns yes
+
+#
+#	is it OK for the remote host to have no reverse DNS entry?
+#
+allow_missing_reverse yes
+
+#
+#	allow these hosts or networks by name
+#
+allow localhost
+# allow .localdomain
+
+#bastion
+allow 10.5.126.11
+allow 10.5.126.12
+allow 192.168.0.1
+#lockbox
+allow 10.5.126.23
+# don't block lockbox's remote addr, either
+allow 209.132.181.6
+
+#noc1
+allow noc1.phx2.fedoraproject.org
+allow 10.5.126.41
+allow 192.168.1.10
+allow 209.132.181.35
+
+# RDU NAT
+allow 66.187.233.202
+allow 66.187.233.206
+# RH NAT 
+allow 66.187.230.200
+# PHX2 NAT
+allow 209.132.181.102
+# tlv RHT NAT
+allow 66.187.237.10
+# brno RHT NAT
+allow 209.132.186.34
+# IUD RHT NAT
+allow 66.187.233.203
+
+#
+#	never lock out this network
+#	You should list all your local networks here to make sure no local user can
+#	lock you out from the inside
+#
+allow 127.0.0.1/255.0.0.0
+
+# this syntax is also supported:
+#allow 127.0.0.1/8
+
+
+#
+#	location of the database file
+#
+db /var/lib/pam_shield/db
+
+#
+#	external command that is run when a site should be blocked/unblocked
+#
+trigger_cmd /usr/sbin/shield-trigger
+
+#
+#	number of connections per interval from one site that triggers us
+#
+max_conns 15
+
+#
+#	the interval and retention period may be specified in seconds, or
+#	with a postfix:
+#
+#		1s	seconds				1w	weeks
+#		1m	minutes				1M	months (30 days)
+#		1h	hours				1y	years
+#		1d	days
+#
+interval 5m
+
+#
+#	period until the entry expires from the database again
+#
+retention 5d
+
+# EOB
--- a/roles/pam_shield/files/sshd
+++ b/roles/pam_shield/files/sshd
@ -0,0 +1,16 @@
+#%PAM-1.0
+auth       required     pam_shield.so
+auth       required     pam_sepermit.so
+auth       substack     password-auth
+auth       include      postlogin
+account    required     pam_nologin.so
+account    include      password-auth
+password   include      password-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    optional     pam_keyinit.so force revoke
+session    include      password-auth
+session    include      postlogin
--- a/roles/pam_shield/tasks/main.yml
+++ b/roles/pam_shield/tasks/main.yml
@ -0,0 +1,16 @@
+---
+#install pam_shield
+- name: install pam_shield
+  yum: name=pam_shield state=installed
+  tags:
+  - packages
+
+- name: /etc/security/shield.conf
+  copy: src=shield.conf dest=/etc/security/shield.conf
+  tags:
+  - config
+
+- name: Put new sshd pam file in place
+  copy: src=sshd dest=/etc/pam.d/sshd
+  tags:
+  - config