|Fiction | Code | Blocklists and Attack logs | Coding and Infosec | Reviews | Opinion | Contact me||c.j.paget.co.uk|
pam_ihosts.so - A PAM that limits login based on IP address, MAC address, or country code
Summarypam_ihosts.so is a linux Pluggable Authentications Module that only allows login from specified ip-addresses, mac-addresses, country-codes or regions.
Licencepam_ihosts.so is made available under the Gnu Public License version 3, and comes with no warranties or guarentees.
Descriptionpam_ihosts.so is not an authentication module, it's a PAM account module. This means that the user must first authenticate by some other method, and pam_ihosts then decides whether the login can be completed, or whether it's denied on the basis of where the connection is coming from. This means that pam_ihosts is only invoked for logins where the user has already progressed beyond authentication. By default pam_ihosts.so denies login for the specified user, but will allow it if the ip-address, mac-address, country-code or internet-registrar for the remote host, matches the specified values. pam_ihosts.so does country-code/registrar lookup via the 'stats' files made available by the regional internet registrars, afrinic, apnic, arin, lacnic and ripencc. These files must be downloaded and supplied to pam_ihosts.so if using it's geolocation features. Apart from country-code/registrar pam_ihosts can also block/allow by ip-address and mac-address, and supports files listing ip-addresses as white/blacklists, or can use DNS blacklist or whitelists like zen.spamhaus.org.
Allow root login only from 192.168.0.x
For all users allow login only from two mac-addresses
Allow root login only from one IP
For all users other than root, allow login only from ip-addresses in Great Britain.
For all users, allow login only from Asia Pacific IPs.
Same as above, but perhaps more efficient, only look up regions in the apnic file.
For all users, allow login only from Asia Pacific IPs. Use mmap shared memory for the afrinic and lacnic files.