/usr/sbin/shield-trigger-iptables is in libpam-shield 0.9.2-3.2.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 | #! /bin/sh
#
# shield-trigger.sh WJ107
#
# pam_shield 0.9.2 WJ107
# Copyright (C) 2007 Walter de Jong <walter@heiho.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
run_iptables() {
#
# louzy detection of IPv4 or IPv6 address
#
IPT=`echo "$2" | sed 's/[0-9\.]//g'`
if [ -z "$IPT" ]
then
IPT=iptables
else
IPT=ip6tables
fi
#
# CUSTOMIZE THIS RULE
#
# $1 is the iptables command: -A or -D
# $2 is the IP number
#
# * put in the correct chain name (pam_shield or INPUT)
# * put in the correct network interface name (eth0)
# * put in the correct port number (22 is ssh)
# * add additional rules for additional services as needed
#
"$IPT" "$1" INPUT -p tcp -s "$2" --destination-port 22 -j pam_shield
# mail -s "[security] pam_shield blocked $2" root <<EOF
#Another monkey kept off our backs ...
#EOF
}
### usually no editing is needed beyond this point ###
usage() {
echo "shield-trigger.sh WJ107"
echo "usage: ${0##*/} [add|del] <IP number>"
echo
echo "shield-trigger.sh is normally called by the pam_shield PAM module"
exit 1
}
PATH=/sbin:/usr/sbin:/bin:/usr/bin
if [ -z "$2" ]
then
usage
fi
case "$1" in
add)
logger -i -t shield-trigger -p auth.info "blocking $2"
CMD="-A"
IP=$2
;;
del)
logger -i -t shield-trigger -p auth.info "unblocking $2"
CMD="-D"
IP=$2
;;
*)
usage
;;
esac
run_iptables "$CMD" "$IP"
# EOB
|