shield.conf(5)
pam_shield configuration file
DESCRIPTION
       /etc/security/shield.conf is the configuration file for the PAM module
       pam_shield, which locks out remote attackers trying password guessing.
OPTIONS
       debug [on|off]
              Log (or do not log) debugging information via syslog(3).

       block [all-users|unknown-users]
              Block all users, or only unknown users. Whether a user is
              "known" is determined with getpwnam(3).

       allow_missing_dns [yes|no]
              If no, reject any connection that comes from a numerical IP
              address with no DNS name (as returned by pam_get_item(3) with
              item_type set to PAM_RHOST).

       allow_missing_reverse [yes|no]
              If no, reject any connection that comes from a host with no
              reverse DNS entry.

       allow hostname
              Host or network to whitelist. These hosts are passed through
              with no checks or logging. Multiple allow lines are permitted.
              hostname may be an IP address, a hostname, a network/netmask,
              or a network in CIDR format.

       db filename
              Database file where login attempts are stored.

       trigger_cmd command
              Command to run to block/unblock a host. See shield-trigger(8)
              and shield-trigger-iptables(8) for two examples.

       max_conns n
              A host is blocked if more than n connection attempts are made
              from it within interval time.

       interval n
              A host is blocked if more than max_conns attempts are made in n
              seconds. Instead of plain seconds, a suffix may be used: s for
              seconds, m for minutes, h for hours, d for days, w for weeks,
              M for months (30 days), y for years.

       retention n
              Records of connection attempts are retained for n seconds.
              Suffixes may be used as in interval. Each host is checked for
              expiration when it attempts to connect, and the entire database
              is checked whenever shield-purge(8) is run (by default, once a
              day).
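As an added example (not part of pam_shield), the following Python parser reads a shield.conf in the format above, resolves the interval/retention suffixes to seconds, and flags settings a reviewer would question; the sample config is constructed, and the '#' comment syntax and the 365-day year are assumptions.

```python
# Added example, not pam_shield's own code: parse shield.conf, resolve the
# interval/retention suffixes listed in shield.conf(5) and flag weak settings.
# Suffix multipliers from shield.conf(5); 'y' is assumed to mean 365 days.
SUFFIX_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400,
                  "w": 7 * 86400, "M": 30 * 86400, "y": 365 * 86400}
# Constructed sample config, not taken from any real system.
SAMPLE_CONF = """\
block all-users
allow_missing_dns yes      # weak: numeric addresses with no DNS name pass
allow_missing_reverse no
allow 127.0.0.1
allow 10.0.0.0/24
max_conns 10
interval 60s
retention 30s
"""

def parse_duration(value):
    """'600' -> 600, '10m' -> 600, '1h' -> 3600; anything else raises."""
    if value.isdigit():
        return int(value)
    if value[-1:] in SUFFIX_SECONDS and value[:-1].isdigit():
        return int(value[:-1]) * SUFFIX_SECONDS[value[-1]]
    raise ValueError(f"bad duration: {value!r}")

def parse_shield_conf(text):
    conf = {"allow": []}   # every allow line is kept; other keys are single-valued
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        key, _, val = line.partition(" ")
        val = val.strip()
        if key == "allow":
            conf["allow"].append(val)
        elif key == "max_conns":
            conf[key] = int(val)
        elif key in ("interval", "retention"):
            conf[key] = parse_duration(val)
        else:
            conf[key] = val
    return conf

def audit(conf):
    """Findings a reviewer would raise; an empty list means nothing to flag."""
    findings = [f"{opt} yes: hosts with no DNS name or reverse entry are not rejected"
                for opt in ("allow_missing_dns", "allow_missing_reverse")
                if conf.get(opt) == "yes"]
    if conf.get("retention", 0) < conf.get("interval", 0):
        findings.append("retention shorter than interval: attempts expire before the window ends")
    return findings
```

Running audit(parse_shield_conf(SAMPLE_CONF)) reports the permissive allow_missing_dns and the retention window that is shorter than the counting interval; setting allow_missing_dns to no and retention to 1w clears both.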
FILES
       /etc/security/shield.conf
              Configuration file for pam_shield.