This file is indexed.

/usr/sbin/shield-trigger-iptables is in libpam-shield 0.9.6-1.1.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#! /bin/sh
#
#	shield-trigger-iptables	WJ107
#
#   pam_shield 0.9.6  WJ107
#   Copyright (C) 2007-2012  Walter de Jong <walter@heiho.net>
#   and Carl Thompson
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#

run_iptables() {
#
#	louzy detection of IPv4 or IPv6 address
#
	IPT=`echo "$2" | sed 's/[0-9\.]//g'`
	if [ -z "$IPT" ]
	then
		IPT=iptables
	else
		IPT=ip6tables
	fi

#	switch -A for iptables to -I
	if [ "$1" == "-A" ]
	then
		TASK="-I"
	else
		TASK="-D"
	fi

#	check to see if pam_shield chain exists and create if necessary
	if [ "$TASK" == "-I" ]
	then
		CHAIN_TEST=`$IPT -L pam_shield 2>/dev/null`
		if [ -z "$CHAIN_TEST" ]
		then
			"$IPT" -N pam_shield
			"$IPT" -I pam_shield -j DROP
		fi
	fi

#
#	CUSTOMIZE THIS RULE if you want to
#
#	$TASK is the iptables command: -A/-I or -D
#	$2 is the IP number
#
#	* put in the correct chain name (pam_shield or INPUT)
#	* put in the correct network interface name (e.g. -i eth0)
#         Currently blocks on all interfaces
#	* put in a port number (e.g.--destination-port 22 for ssh only) 
#         Currently blocks all ports
#	* add additional rules for additional services as needed
#

	"$IPT" "$TASK" INPUT -p tcp -s "$2" -j pam_shield

#	mail -s "[security] pam_shield blocked $2" root <<EOF
#Another monkey kept off our backs ...
#EOF
}


### usually no editing is needed beyond this point ###


usage() {
	echo "shield-trigger-iptables WJ107"
	echo "usage: ${0##*/} [add|del] <IP number>"
	echo
	echo "shield-trigger-iptables is normally called by the pam_shield PAM module"
	exit 1
}


PATH=/sbin:/usr/sbin:/bin:/usr/bin

if [ -z "$2" ]
then
	usage
fi

case "$1" in
	add)
		logger -i -t shield-trigger -p authpriv.info "blocking $2"

		CMD="-A"
		IP=$2
		;;

	del)
		logger -i -t shield-trigger -p authpriv.info "unblocking $2"

		CMD="-D"
		IP=$2
		;;

	*)
		usage
		;;
esac

run_iptables "$CMD" "$IP"

# EOB