Timothy Murphy wrote:
> I've seen pam_shield recommended several times
> for protecting against malicious login attempts;
> but I'm not quite clear if this requires one
> to be already running some pam-based software?
>
> Also, I'm running shorewall,
> and would prefer a shorewall based protection,
> but the advice I read on googling for this
> seemed excessively complicated.
>
It is my understanding that most, if not all authentication in CentOS
(and most of the major linux distributions) is routed through PAM, and
thus pam_shield could probably be inserted in the authentication path.
Since shorewall is linux based, I would think you could install pam_shield.
Pam shield does sound useful and I intend to deploy on several of my
systems. Another alternative, which I find attractive in cases where
access is only for the purpose of system management and not for end
user access, is fwknop http://cipherdyne.org/fwknop/
With fwknop, you completely block access to your services. Then when
you remotely authenticate to fwknopd, it adds iptables rules to open up
the ports that you request access to, only from your IP address. fwknopd uses
promiscuous mode to sniff the network for udp authentication packets, so
a remote attacker has no idea that it is running since there is no
listener. Remote users simply don't see the services that are blocked.
The fwknop client uses gpg keys for authentication, so if you set your
keyrings and timeouts up correctly, you won't have to keep typing a
password to reauthenticate.
I have been running fwknop for several years and have found it to be
quite solid and reliable. I don't know what shorewall would do about
having another application add rules to the iptables chains.
Nataraj
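As an added illustration of the exchange Nataraj describes (block everything, authenticate with a single packet that is never answered, open the port only for the requesting source address, let the rule time out), here is a toy single-packet-authorization flow. It is example code written for this page, not fwknop's own code or wire format: it uses an HMAC-SHA256 shared key as a stand-in for the GPG-based authentication mentioned in the post, an in-memory list of rule strings as a stand-in for iptables, and constructed key material, addresses and ports. It also shows the checks a practitioner would expect on the server side: a time window, a replay cache and a source-address match.

```python
"""Toy single-packet-authorization (SPA) exchange in the spirit of the fwknop
flow described in the post above. Added example, not fwknop's code or format.

Simplifications (assumptions, labelled here):
  * authentication is HMAC-SHA256 over the payload with a shared key, standing
    in for the GPG signing/encryption the post mentions;
  * the "firewall" is an in-memory list of iptables rule strings;
  * the observed source address is passed in by the caller (a real daemon
    reads it from the sniffed packet header).
"""
import hashlib
import hmac
import json
import os
import time

KEY = b"constructed-shared-key-for-the-example"  # constructed, not a real key
TIME_WINDOW = 30          # seconds of clock skew tolerated on the timestamp
ACCESS_TIMEOUT = 30       # seconds the opened port stays reachable
ALLOWED_PORTS = {("tcp", 22)}  # management-only access, as in the post


def build_spa_packet(src_ip, proto, port, key=KEY, now=None):
    """Client side: one datagram requesting access to proto/port from src_ip."""
    payload = {
        "ts": int(now if now is not None else time.time()),
        "nonce": os.urandom(16).hex(),   # lets the server reject a replayed capture
        "src": src_ip,                   # address the firewall rule is bound to
        "proto": proto,
        "port": port,
    }
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"|" + tag


class SpaServer:
    """Server side: sniff, validate, add a rule. Nothing is ever sent back."""

    def __init__(self, key=KEY, now=None):
        self.key = key
        self.seen = set()      # nonces already accepted (replay cache)
        self.rules = []        # (expiry_time, rule_string) pairs
        self._now = now        # fixed clock for deterministic testing

    def now(self):
        return self._now if self._now is not None else time.time()

    def handle(self, packet, observed_src):
        """Validate one packet; return (rule or None, reason)."""
        try:
            body, tag = packet.rsplit(b"|", 1)
        except ValueError:
            return None, "malformed"
        want = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):
            return None, "bad-hmac"          # forged or wrong key: dropped silently
        p = json.loads(body)
        if abs(self.now() - p["ts"]) > TIME_WINDOW:
            return None, "stale"             # old capture outside the window
        if p["src"] != observed_src:
            return None, "source-mismatch"   # spoofed or relayed packet
        if (p["proto"], p["port"]) not in ALLOWED_PORTS:
            return None, "port-not-allowed"
        if p["nonce"] in self.seen:
            return None, "replay"            # identical packet seen before
        self.seen.add(p["nonce"])
        rule = (f"iptables -I INPUT -s {p['src']} -p {p['proto']} "
                f"--dport {p['port']} -j ACCEPT")
        self.rules.append((self.now() + ACCESS_TIMEOUT, rule))
        return rule, "ok"

    def expire(self):
        """Periodic housekeeping: drop rules whose timeout has passed."""
        now = self.now()
        self.rules = [(exp, r) for exp, r in self.rules if exp > now]
        return len(self.rules)


if __name__ == "__main__":
    srv = SpaServer()
    pkt = build_spa_packet("203.0.113.7", "tcp", 22)
    print(srv.handle(pkt, "203.0.113.7"))   # rule string, 'ok'
    print(srv.handle(pkt, "203.0.113.7"))   # None, 'replay'
    print(srv.expire())                     # 1 rule still live
```

The order of checks matters: the HMAC is verified before the JSON is parsed, so an unauthenticated sender cannot make the server do anything observable, which is the property the post relies on when it says there is no listener for an attacker to find.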