/usr/sbin/shield-trigger-iptables is in libpam-shield 0.9.6-1.1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 | #! /bin/sh
#
# shield-trigger-iptables WJ107
#
# pam_shield 0.9.6 WJ107
# Copyright (C) 2007-2012 Walter de Jong <walter@heiho.net>
# and Carl Thompson
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
run_iptables() {
#
# louzy detection of IPv4 or IPv6 address
#
IPT=`echo "$2" | sed 's/[0-9\.]//g'`
if [ -z "$IPT" ]
then
IPT=iptables
else
IPT=ip6tables
fi
# switch -A for iptables to -I
if [ "$1" == "-A" ]
then
TASK="-I"
else
TASK="-D"
fi
# check to see if pam_shield chain exists and create if necessary
if [ "$TASK" == "-I" ]
then
CHAIN_TEST=`$IPT -L pam_shield 2>/dev/null`
if [ -z "$CHAIN_TEST" ]
then
"$IPT" -N pam_shield
"$IPT" -I pam_shield -j DROP
fi
fi
#
# CUSTOMIZE THIS RULE if you want to
#
# $TASK is the iptables command: -A/-I or -D
# $2 is the IP number
#
# * put in the correct chain name (pam_shield or INPUT)
# * put in the correct network interface name (e.g. -i eth0)
# Currently blocks on all interfaces
# * put in a port number (e.g.--destination-port 22 for ssh only)
# Currently blocks all ports
# * add additional rules for additional services as needed
#
"$IPT" "$TASK" INPUT -p tcp -s "$2" -j pam_shield
# mail -s "[security] pam_shield blocked $2" root <<EOF
#Another monkey kept off our backs ...
#EOF
}
### usually no editing is needed beyond this point ###
usage() {
echo "shield-trigger-iptables WJ107"
echo "usage: ${0##*/} [add|del] <IP number>"
echo
echo "shield-trigger-iptables is normally called by the pam_shield PAM module"
exit 1
}
PATH=/sbin:/usr/sbin:/bin:/usr/bin
if [ -z "$2" ]
then
usage
fi
case "$1" in
add)
logger -i -t shield-trigger -p authpriv.info "blocking $2"
CMD="-A"
IP=$2
;;
del)
logger -i -t shield-trigger -p authpriv.info "unblocking $2"
CMD="-D"
IP=$2
;;
*)
usage
;;
esac
run_iptables "$CMD" "$IP"
# EOB
|