
Re: pam_shield is blocking allowed networks



Louis Wust <louiswust@fastmail.fm> writes:

> On Tue, Jul 7, 2015, at 06:42, Mart van de Wege wrote:
>> I have set up pam_shield to allow my IP; when I test it by generating
>> 5 bad logins (threshold is 5 per 10m), I see pam_shield print
>> 'allowing from <my ip>/255.255.255.255' in the logs; and yet after 5
>> login attempts it blocks my ip.
>
> This is due to a bug in the code which matches IP addresses. I
> investigated the cause and will file a bug report.
>
Ah nice.

> In the meantime, try using a hostname instead of an IP address. If the
> system you want to allow does not have a hostname, make one up and add
> it to /etc/hosts.
>
Thankfully at least two machines that *need* to be whitelisted do have a
stable rDNS mapping and can be added by name.

Unfortunately, for the rest I need a network match, so setting up
/etc/hosts for that is a bit impractical.

On the gripping hand, as long as I can reach the server from at least
one machine, I can always manually unblock.

Thanks for looking at it.

Mart
-- 
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.

