--- pam-shield-0.9.2.orig/debian/shield-purge.8
+++ pam-shield-0.9.2/debian/shield-purge.8
@@ -0,0 +1,32 @@
+.TH SHIELD-PURGE 8 " DEC 3 2007" "PAM-SHIELD 0.2.9" "pam-shield"
+.SH NAME
+\fBshield-purge\fR \- manage hosts rules
+.SH SYNOPSIS
+shield_purge
+.SH DESCRIPTION
+A binary for the pam-shield module, shield_purge is not intended to be invoked manualy.
+It is a halper program for job in crontab.
+.SH OPTIONS
+.TP
+.B \-h, \-\-help
+Display this information
+.TP
+.B \-c, \-\-conf=file
+Specify config file (default: /etc/security/shield.conf)
+.TP
+.B \-d, \-\-debug
+Verbose output for debugging purposes
+.TP
+.B \-n, \-\-dry\-run
+Do not perform any updates
+.TP
+.B \-l, \-\-list
+List all database entries
+.br
+.SH COPYRIGHT
+Copyright \(co 2007 by Walter de Jong
+.br
+This program is part of the PAM-shield package.
+PAM-shield comes with ABSOLUTELY NO WARRANTY. This is free software, and you
+are welcome to redistribute it under certain conditions. See the GNU
+General Public Licence for details.
--- pam-shield-0.9.2.orig/debian/docs
+++ pam-shield-0.9.2/debian/docs
@@ -0,0 +1,2 @@
+README
+INSTALL
--- pam-shield-0.9.2.orig/debian/postinst
+++ pam-shield-0.9.2/debian/postinst
@@ -0,0 +1,28 @@
+#!/bin/sh
+# postinst script for shield-pam
+
+set -e
+case "$1" in
+ configure)
+ if [ ! -d /var/lib/pam_shield ]; then
+ mkdir /var/lib/pam_shield
+ fi
+ touch /var/lib/pam_shield/db
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ if [ -d /var/lib/pam_shield ]; then
+ rm -fr /var/lib/pam_shield
+ fi
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
+
--- pam-shield-0.9.2.orig/debian/README.Debian
+++ pam-shield-0.9.2/debian/README.Debian
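Review bot: In debian/postinst the `abort-upgrade|abort-remove|abort-deconfigure` arm runs `rm -fr /var/lib/pam_shield`, so a failed upgrade or removal that dpkg rolls back leaves the package installed with its state database deleted. The record of offending hosts is lost at that point, and any blocks the trigger scripts have already installed are presumably no longer tracked for expiry. These arms should leave the directory alone, e.g. `abort-upgrade|abort-remove|abort-deconfigure) ;;`. In the `configure` arm, `mkdir` and `touch` inherit the caller's umask; an explicit mode such as `install -d -m 0700 /var/lib/pam_shield` (assuming only root-owned services load the module) would make the permissions on this security state deterministic.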
@@ -0,0 +1,27 @@
+pam-shield for Debian
+---------------------
+
+This package contains automake converting patch
+by Jan Engelhardt
+
+Configuring pam_shield
+----------------------
+
+1) Edit the config file /etc/security/shield.conf
+and create an 'allow' line for trusted hosts.
+
+2) Edit /etc/pam.d/common-auth file and add
+
+ @include libpam-shield
+
+Do not leave it alone as it does not do any authentication itself.
+
+3) Simulate attack on Your host and check out
+
+ ip route show
+or
+ iptables -L
+
+depending on Your trigger script defined in shield.conf
+
+ -- Mateusz Kaduk Mon, 03 Dec 2007 21:31:45 +0100
--- pam-shield-0.9.2.orig/debian/copyright
+++ pam-shield-0.9.2/debian/copyright
@@ -0,0 +1,34 @@
+This package was debianized by Mateusz Kaduk on
+Sun, 02 Dec 2007 16:42:55 +0100.
+
+It was downloaded from
+
+Upstream Author:
+
+ Walter de Jong
+
+Copyright:
+
+
+
+License:
+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+On Debian systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
+
+The Debian packaging is (C) 2007, Mateusz Kaduk and
+is licensed under the GPL, see above.
--- pam-shield-0.9.2.orig/debian/README.source
+++ pam-shield-0.9.2/debian/README.source
@@ -0,0 +1,57 @@
+This package uses quilt to manage all modifications to the upstream
+source. Changes are stored in the source package as diffs in
+debian/patches and applied during the build.
+
+To configure quilt to use debian/patches instead of patches, you want
+either to export QUILT_PATCHES=debian/patches in your environment
+or use this snippet in your ~/.quiltrc:
+
+ for where in ./ ../ ../../ ../../../ ../../../../ ../../../../../; do
+ if [ -e ${where}debian/rules -a -d ${where}debian/patches ]; then
+ export QUILT_PATCHES=debian/patches
+ fi
+ done
+
+To get the fully patched source after unpacking the source package, cd to
+the root level of the source package and run:
+
+ quilt push -a
+
+The last patch listed in debian/patches/series will become the current
+patch.
+
+To add a new set of changes, first run quilt push -a, and then run:
+
+ quilt new
+
+where is a descriptive name for the patch, used as the filename in
+debian/patches. Then, for every file that will be modified by this patch,
+run:
+
+ quilt add
+
+before editing those files. You must tell quilt with quilt add what files
+will be part of the patch before making changes or quilt will not work
+properly. After editing the files, run:
+
+ quilt refresh
+
+to save the results as a patch.
+
+Alternately, if you already have an external patch and you just want to
+add it to the build system, run quilt push -a and then:
+
+ quilt import -P /path/to/patch
+ quilt push -a
+
+(add -p 0 to quilt import if needed). as above is the filename to
+use in debian/patches. The last quilt push -a will apply the patch to
+make sure it works properly.
+
+To remove an existing patch from the list of patches that will be applied,
+run:
+
+ quilt delete
+
+You may need to run quilt pop -a to unapply patches first before running
+this command.
--- pam-shield-0.9.2.orig/debian/shield-trigger-iptables.8
+++ pam-shield-0.9.2/debian/shield-trigger-iptables.8
@@ -0,0 +1,15 @@
+.TH SHIELD-TRIGGER-IPTABLES 8 " DEC 3 2007" "PAM-SHIELD 0.2.9" "pam-shield"
+.SH NAME
+\fBshield-trigger-iptables\fR \- Trigger iptables blocking rule
+.SH SYNOPSIS
+This file is not intended to be invoked manualy.
+.SH DESCRIPTION
+It is a halper script for locking out remote hosts with iptables rule.
+.br
+.SH COPYRIGHT
+Copyright \(co 2007 by Walter de Jong
+.br
+This script is part of the PAM-shield package.
+PAM-shield comes with ABSOLUTELY NO WARRANTY. This is free software, and you
+are welcome to redistribute it under certain conditions. See the GNU
+General Public Licence for details.
--- pam-shield-0.9.2.orig/debian/changelog
+++ pam-shield-0.9.2/debian/changelog
@@ -0,0 +1,43 @@
+pam-shield (0.9.2-3.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Update build-deps and patch to use automake-1.11. (Closes: #543024).
+ * Install INSTALL file. (Closes: #517050).
+ * Add install-sh to clean target in rules.
+ * Remove paths from commands in maintainer scripts.
+ * Add README.source for quilt patch system.
+ * Add Homepage field.
+ * Bump Standards Version to 3.8.3. (No changes needed).
+
+ -- Barry deFreese Fri, 09 Oct 2009 09:04:02 -0400
+
+pam-shield (0.9.2-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Check for executable in cron file (Closes: #461574)
+
+ -- Filippo Giunchedi Thu, 01 May 2008 17:53:43 +0200
+
+pam-shield (0.9.2-3) unstable; urgency=low
+
+ * Checked against new debian-policy and changed to 3.7.3
+ * Fixed differnce between documentation and installed files
+ (Closes: #456759)
+ * Fixed suboptimal description wording (Closes: #456814)
+ * Fixed typo in the short description (Closes: #457043)
+
+ -- Mateusz Kaduk Wed, 19 Dec 2007 16:28:24 +0100
+
+pam-shield (0.9.2-2) unstable; urgency=low
+
+ * Added checking rhost for null pointer,
+ as it caused segmentation fault.
+
+ -- Mateusz Kaduk Wed, 05 Dec 2007 21:05:32 +0100
+
+pam-shield (0.9.2-1) unstable; urgency=low
+
+ * Initial release
+
+ -- Mateusz Kaduk Sun, 02 Dec 2007 16:42:55 +0100
+
--- pam-shield-0.9.2.orig/debian/compat
+++ pam-shield-0.9.2/debian/compat
@@ -0,0 +1 @@
+5
--- pam-shield-0.9.2.orig/debian/libpam-shield.pam
+++ pam-shield-0.9.2/debian/libpam-shield.pam
@@ -0,0 +1,2 @@
+auth optional pam_shield.so
+
--- pam-shield-0.9.2.orig/debian/postrm
+++ pam-shield-0.9.2/debian/postrm
@@ -0,0 +1,22 @@
+#!/bin/sh
+# postrm script for pam-shield
+#
+
+set -e
+case "$1" in
+ purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ if [ -d /var/lib/pam_shield ];
+ then
+ rm -fr /var/lib/pam_shield
+ fi
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
--- pam-shield-0.9.2.orig/debian/watch
+++ pam-shield-0.9.2/debian/watch
@@ -0,0 +1,8 @@
+# See uscan(1) for format
+
+# Compulsory line, this is a version 3 file
+version=3
+
+#
+#http://www.example.com/downloads.php pam-shield-(.*)\.tar\.gz
+http://www.ka.sara.nl/home/walter/pam_shield/pam_shield-(.*)\.tar\.gz
--- pam-shield-0.9.2.orig/debian/rules
+++ pam-shield-0.9.2/debian/rules
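Review bot: The first arm of debian/postrm deletes `/var/lib/pam_shield` for `upgrade`, `failed-upgrade`, `abort-install`, `abort-upgrade` and `remove` as well as `purge`, so every package upgrade wipes the block database. Hosts already blocked by the trigger scripts would then presumably have no database entry left for shield-purge to expire, leaving stale null routes or iptables rules behind while the counters for active attackers reset. State data should only be removed on purge: split the arm into `purge) rm -rf /var/lib/pam_shield ;;` and `remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;;`.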
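Review bot: The upstream URL on the last line of debian/watch is plain `http://` and the file carries no signature-verification option, so uscan fetches the tarball with nothing to authenticate it. For a PAM module that is loaded into privileged login services, the packaging should say how a new upstream tarball is verified before import. If upstream publishes detached signatures (not visible from this page), `opts=pgpsigurlmangle=s/$/.asc/` in front of the URL lets uscan check them; otherwise a comment here recording the manual verification step would do.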
@@ -0,0 +1,95 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# These are used for cross-compiling and for saving the configure script
+# from having to guess our platform (since we know it already)
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+# shared library versions, option 1
+version=0.9.2
+major=0
+# option 2, assuming the library is created as src/.libs/libfoo.so.2.0.5 or so
+#version=`ls src/.libs/lib*.so.* | \
+# awk '{if (match($$0,/[0-9]+\.[0-9]+\.[0-9]+$$/)) print substr($$0,RSTART)}'`
+#major=`ls src/.libs/lib*.so.* | \
+# awk '{if (match($$0,/\.so\.[0-9]+$$/)) print substr($$0,RSTART+4)}'`
+
+include /usr/share/quilt/quilt.make
+
+config.status: $(QUILT_STAMPFN)
+ dh_clean Makefile
+ sh ./autogen.sh
+ dh_testdir
+ # Add here commands to configure the package.
+ifneq "$(wildcard /usr/share/misc/config.sub)" ""
+ cp -f /usr/share/misc/config.sub config.sub
+endif
+ifneq "$(wildcard /usr/share/misc/config.guess)" ""
+ cp -f /usr/share/misc/config.guess config.guess
+endif
+ sh ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs" --with-slibdir=/lib/ --sysconfdir=/etc/
+
+build: build-stamp
+build-stamp: config.status
+ dh_testdir
+ # Add here commands to compile the package.
+ $(MAKE)
+ touch $@
+
+_clean:
+ dh_testdir
+ dh_testroot
+ # Add here commands to clean up after the build process.
+ - $(MAKE) distclean
+ dh_clean build-stamp
+
+clean: _clean unpatch
+ rm -fr aclocal.m4 build-stamp config* missing \
+ Makefile* stamp* .depend .deps/ .pc/ ltmain.sh libtool depcomp install-sh
+ - rm -fr $(CURDIR)/debian/libpam-shield
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/tmp
+ $(MAKE) DESTDIR=$(CURDIR)/debian/libpam-shield install
+ rm -f $(CURDIR)/debian/libpam-shield/lib/security/pam_shield.la
+ cp -f $(CURDIR)/shield-trigger.sh $(CURDIR)/debian/libpam-shield/usr/sbin/shield-trigger
+ cp -f $(CURDIR)/shield-trigger-iptables.sh $(CURDIR)/debian/libpam-shield/usr/sbin/shield-trigger-iptables
+ cp -f $(CURDIR)/pam_shield.cron $(CURDIR)/debian/libpam-shield/etc/cron.daily
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installman
+ dh_installpam
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
--- pam-shield-0.9.2.orig/debian/libpam-shield.dirs
+++ pam-shield-0.9.2/debian/libpam-shield.dirs
@@ -0,0 +1,5 @@
+etc/cron.daily
+etc/security
+lib/security
+usr/sbin
+var/lib/pam_shield
--- pam-shield-0.9.2.orig/debian/control
+++ pam-shield-0.9.2/debian/control
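Review bot: In the `install` target of debian/rules, `cp -f $(CURDIR)/pam_shield.cron $(CURDIR)/debian/libpam-shield/etc/cron.daily` installs the job under the name `pam_shield.cron`, and Debian's run-parts skips file names that contain a dot. The daily shield-purge run would therefore never happen, and expired block entries would stay in force. `cp` also keeps whatever mode the source file has, and nothing visible here makes the cron script executable. Installing with an explicit name and mode fixes both: `install -m 0755 $(CURDIR)/pam_shield.cron $(CURDIR)/debian/libpam-shield/etc/cron.daily/pam-shield`.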
@@ -0,0 +1,17 @@
+Source: pam-shield
+Section: admin
+Priority: optional
+Maintainer: Mateusz Kaduk
+Build-Depends: debhelper (>= 5), libgdbm-dev, libpam0g-dev, quilt, autoconf, automake (>= 1.11), libtool
+Standards-Version: 3.8.3
+Homepage: http://www.ka.sara.nl/home/walter/pam_shield/
+
+Package: libpam-shield
+Architecture: any
+Depends: ${shlibs:Depends}
+Suggests: iproute, iptables
+Description: locks out remote attackers trying password guessing
+ In certain situations it is not possible to use host based
+ authentication and here pam-shield comes in use.
+ .
+ It locks out brute-force password crackers using null-route or iptables rules.
--- pam-shield-0.9.2.orig/debian/shield-trigger.8
+++ pam-shield-0.9.2/debian/shield-trigger.8
@@ -0,0 +1,15 @@
+.TH SHIELD-TRIGGER 8 " DEC 3 2007" "PAM-SHIELD 0.2.9" "pam-shield"
+.SH NAME
+\fBshield-trigger\fR \- Trigger ip route blocking rule
+.SH SYNOPSIS
+This file is not intended to be invoked manualy.
+.SH DESCRIPTION
+It is a halper script for locking out remote hosts by null route.
+.br
+.SH COPYRIGHT
+Copyright \(co 2007 by Walter de Jong
+.br
+This script is part of the PAM-shield package.
+PAM-shield comes with ABSOLUTELY NO WARRANTY. This is free software, and you
+are welcome to redistribute it under certain conditions. See the GNU
+General Public Licence for details.
--- pam-shield-0.9.2.orig/debian/libpam-shield.manpages
+++ pam-shield-0.9.2/debian/libpam-shield.manpages
@@ -0,0 +1,3 @@
+debian/shield-purge.8
+debian/shield-trigger.8
+debian/shield-trigger-iptables.8
--- pam-shield-0.9.2.orig/debian/patches/series
+++ pam-shield-0.9.2/debian/patches/series
@@ -0,0 +1,4 @@
+automake.patch
+pam_shield.patch
+shield-trigger-iptables.patch
+cron_fix.patch
--- pam-shield-0.9.2.orig/debian/patches/pam_shield.patch
+++ pam-shield-0.9.2/debian/patches/pam_shield.patch
@@ -0,0 +1,21 @@
+Index: pam-shield-0.9.2/pam_shield.c
+===================================================================
+--- pam-shield-0.9.2.orig/pam_shield.c 2007-12-05 21:00:22.000000000 +0100
++++ pam-shield-0.9.2/pam_shield.c 2007-12-05 21:00:54.000000000 +0100
+@@ -164,6 +164,7 @@
+ /*
+ if rhost is completely numeric, then it has no DNS entry
+ */
++ if(rhost != NULL) {
+ if (strspn(rhost, "0123456789.") == strlen(rhost)
+ || strspn(rhost, "0123456789:abcdefABCDEF") == strlen(rhost)) {
+ if (options & OPT_MISSING_DNS)
+@@ -182,7 +183,7 @@
+ return PAM_IGNORE;
+ }
+ }
+-
++ }
+ /* if not blocking all and the user is known, let go */
+ if (!(options & OPT_BLOCK_ALL) && user != NULL && (pwd = getpwnam(user)) != NULL) {
+ logmsg(LOG_DEBUG, "ignoring known user %s", user);
--- pam-shield-0.9.2.orig/debian/patches/shield-trigger-iptables.patch
+++ pam-shield-0.9.2/debian/patches/shield-trigger-iptables.patch
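Review bot: The added `if(rhost != NULL) {` in pam_shield.patch protects only the numeric-address check; when rhost is NULL, execution falls through to the `getpwnam` branch and whatever follows it outside this hunk, so any later use of rhost there would still dereference NULL. An early exit placed before the comment block covers the rest of the function and states the intent: `if (rhost == NULL) return PAM_IGNORE;` — assuming PAM_IGNORE, which the neighbouring branch returns, is also the right result for a session with no remote host. That form also avoids wrapping a block in a new brace pair without re-indenting it. The enclosing function starts and ends outside the hunk, so the later uses of rhost need checking against the full source.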
@@ -0,0 +1,13 @@ +Index: pam-shield-0.9.2/shield-trigger-iptables.sh +=================================================================== +--- pam-shield-0.9.2.orig/shield-trigger-iptables.sh 2007-12-05 21:15:23.000000000 +0100 ++++ pam-shield-0.9.2/shield-trigger-iptables.sh 2007-12-08 21:16:36.000000000 +0100 +@@ -43,7 +43,7 @@ + # * put in the correct port number (22 is ssh) + # * add additional rules for additional services as needed + # +- "$IPT" "$1" INPUT -i eth0 -p tcp -s "$2" --destination-port 22 -j pam_shield ++ "$IPT" "$1" INPUT -p tcp -s "$2" --destination-port 22 -j pam_shield + + # mail -s "[security] pam_shield blocked $2" root < + +--- + Makefile.am | 21 +++++++++++++++++++++ + autogen.sh | 3 +++ + configure.ac | 38 ++++++++++++++++++++++++++++++++++++++ + 3 files changed, 62 insertions(+) + +Index: pam-shield-0.9.2/Makefile.am +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ pam-shield-0.9.2/Makefile.am 2009-10-09 09:08:30.000000000 -0400 +@@ -0,0 +1,21 @@ ++ ++AUTOMAKE_OPTIONS = foreign subdir-objects ++moduledir = @PAM_MODDIR@ ++module_LTLIBRARIES = pam_shield.la ++sbin_PROGRAMS = shield-purge ++#sbin_SCRIPTS = shield-trigger.sh shield-trigger-iptables.sh ++securitydir = ${sysconfdir}/security ++security_DATA = shield.conf ++ ++pam_shield_la_LDFLAGS = -module -avoid-version ++pam_shield_la_LIBADD = -lgdbm -lpam ++shield_purge_LDFLAGS = -lgdbm ++ ++AM_CFLAGS = -D_LARGEFILE_SOURCE=1 -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 \ ++ -D_REENTRANT -Wall -Wmissing-declarations -Wmissing-prototypes \ ++ -Wredundant-decls -Wshadow -Wstrict-prototypes -Winline -pipe ++ ++install-exec-hook: ++ rm -f "${DESTDIR}${moduledir}/pam_shield.la"; ++ ${INSTALL} -dm0755 "${DESTDIR}${sbindir}"; ++# ln -s shield-trigger.sh "${DESTDIR}${sbindir}/pam_shield-trigger"; +Index: pam-shield-0.9.2/autogen.sh +=================================================================== +--- /dev/null 1970-01-01 
00:00:00.000000000 +0000
++++ pam-shield-0.9.2/autogen.sh 2009-10-09 09:09:16.000000000 -0400
+@@ -0,0 +1,6 @@
++#!/bin/sh
++
++export AUTOMAKE=/usr/bin/automake-1.11
++export ACLOCAL=/usr/bin/aclocal-1.11
++
++exec autoreconf -fi;
+Index: pam-shield-0.9.2/configure.ac
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ pam-shield-0.9.2/configure.ac 2009-10-09 09:08:30.000000000 -0400
+@@ -0,0 +1,38 @@
++
++AC_INIT(pam_shield, 0.9.2)
++AC_CONFIG_HEADERS(config.h)
++AM_INIT_AUTOMAKE
++
++AC_PROG_CC
++AC_PROG_INSTALL
++AC_DISABLE_STATIC
++AM_PROG_LIBTOOL
++AC_PROG_LN_S
++
++AC_ARG_WITH([slibdir], AS_HELP_STRING([--with-slibdir=PATH],
++ [Path to the super lib directory [[/lib]]]),
++ [slibdir="$withval"], [slibdir="/lib"])
++AC_SUBST(slibdir)
++
++AC_CHECK_HEADER(gdbm.h, [],
++ [AC_MSG_ERROR([You need to have gdbm-devel installed])])
++AC_CHECK_HEADER(security/pam_modules.h,[have_pamheader="yes"],)
++# Mac OS X 10.3 puts PAM headers in /usr/include/pam.
++AC_CHECK_HEADER(pam/pam_modules.h,[have_pamheader="yes"],)
++if test x"$have_pamheader" != x"yes"; then
++ AC_MSG_ERROR(You are missing PAM headers)
++fi
++
++case "$host" in
++(*-*-linux*)
++ PAM_MODDIR="\$(slibdir)/security";
++ ;;
++(*-*-darwin*)
++ PAM_MODDIR="/usr/lib/pam";
++ ;;
++(*)
++ PAM_MODDIR="/usr/lib";
++ ;;
++esac;
++AC_SUBST(PAM_MODDIR)
++AC_OUTPUT(Makefile)
--- pam-shield-0.9.2.orig/debian/patches/cron_fix.patch
+++ pam-shield-0.9.2/debian/patches/cron_fix.patch
@@ -0,0 +1,8 @@
+--- a/pam_shield.cron 2008-05-01 17:52:01.000000000 +0200
++++ b/pam_shield.cron 2008-05-01 17:52:21.000000000 +0200
+@@ -1,4 +1,4 @@
+ #! /bin/sh
+
+-/usr/sbin/shield-purge -c /etc/security/shield.conf
++[ -x /usr/sbin/shield-purge ] && /usr/sbin/shield-purge -c /etc/security/shield.conf
+
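Review bot: In the Makefile.am that automake.patch adds, `shield_purge_LDFLAGS = -lgdbm` puts a library in LDFLAGS, which automake places before the object files on the link line; with `--as-needed` or a static libgdbm the gdbm symbols go unresolved. Libraries belong in `shield_purge_LDADD = -lgdbm`. `AM_CFLAGS` only enables warnings, and debian/rules passes a fixed `LDFLAGS="-Wl,-z,defs"`, so nothing visible adds compiler or linker hardening to a module that handles remote-host strings inside privileged login processes. Flags such as `-fstack-protector` and `-Wl,-z,relro` would be a reasonable addition, in debian/rules rather than in the upstream patch.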
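Review bot: With `[ -x /usr/sbin/shield-purge ] && …` as the last command in cron_fix.patch, the cron script exits 1 when the binary is missing. That is exactly the removed-but-not-purged case the guard is meant to handle, so run-parts would report a failure every day. The usual form is `[ -x /usr/sbin/shield-purge ] || exit 0` on its own line, followed by the original `/usr/sbin/shield-purge -c /etc/security/shield.conf`. This also lets a genuine shield-purge failure surface as the script's exit status.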