Summary

pam_ihosts.so is a Linux Pluggable Authentication Module (PAM) that only allows login from specified ip-addresses, mac-addresses, country-codes or regions.


Licence

pam_ihosts.so is made available under the GNU General Public License version 3, and comes with no warranties or guarantees.

Description

pam_ihosts.so is not an authentication module; it is a PAM account module. This means that the user must first authenticate by some other method, and pam_ihosts then decides whether the login can be completed, or whether it is denied on the basis of where the connection is coming from. Because it sits in the account stack, pam_ihosts is only invoked for logins where the user has already progressed beyond authentication, so it must be listed under 'account' (not 'auth') to have any effect.

By default pam_ihosts.so denies login for the specified user, but allows it if the ip-address, mac-address, country-code or regional internet registry for the remote host matches the specified values. An address that matches none of the allowed values is denied.

pam_ihosts.so does country-code/registry lookup via the 'delegated' stats files made available by the regional internet registries afrinic, apnic, arin, lacnic and ripencc. These files must be downloaded and supplied to pam_ihosts.so if using its geolocation features, and they need to be refreshed periodically, since address delegations change over time.

Apart from country-code/registry, pam_ihosts can also block/allow by ip-address and mac-address, supports files listing ip-addresses as whitelists/blacklists, and can use DNS blacklists or whitelists such as zen.spamhaus.org. Note that a mac-address is only visible to the server for hosts on the same network segment; for a connection that has passed through a router the mac-address seen is the router's, so mac-address rules are only meaningful for local-network clients.
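To make the region-files/allow-region mechanism concrete, here is an added example in Python (illustration only, not pam_ihosts.so's own code) that parses a constructed excerpt of the RIR delegated-stats format and answers an allow-region query the way such a check must: find the record whose range contains the remote address, then match its registry and country code against the registry:cc patterns used in the examples on this page. It goes a little beyond those examples by handling ipv4 counts that are not CIDR-aligned, which occur in the real files. The sample records use documentation and test address ranges and are not real delegations, and any pattern form beyond those shown on this page is an assumption to verify against the module's own documentation.

```python
"""Region lookup against RIR 'delegated-*-latest' stats files.

Added example (not pam_ihosts.so's own code): shows how a check such as
allow-region=ripencc:GB can be answered from the public RIR stats format

    registry|cc|type|start|value|date|status[|opaque-id]

where 'value' is a host count for ipv4 records and a prefix length for
ipv6 records.  The 'registry:cc' syntax with '*' wildcards is the one
used on this page; other accepted forms are an assumption.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Record = Tuple[str, str, Network]  # (registry, country code, network)

# Constructed excerpt in the delegated-stats format (not real allocation data).
SAMPLE_STATS = """\
2|apnic|20240101|4|19830613|20231231|+1000
apnic|*|ipv4|*|2|summary
apnic|*|ipv6|*|1|summary
apnic|JP|ipv4|203.0.113.0|256|20010101|allocated
apnic|AU|ipv4|198.51.100.0|256|20010101|assigned
apnic|AU|ipv6|2001:db8:1000::|36|20050101|allocated
apnic|AU|asn|64496|1|20050101|allocated
ripencc|GB|ipv4|192.0.2.0|256|20000101|allocated
# 768 hosts is not a single CIDR block: 198.18.0.0/23 plus 198.18.2.0/24
lacnic|BR|ipv4|198.18.0.0|768|20100101|allocated
"""


def parse_delegated(lines: Iterable[str]) -> List[Record]:
    """Turn stats-file lines into (registry, cc, network) records.

    Header, summary, comment and asn lines are skipped.  An ipv4 count that
    is not a power of two (or a start that is not aligned) is expanded into
    the minimal set of CIDR blocks covering the range.
    """
    records: List[Record] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # The version header starts with a digit; summary lines carry no range.
        if fields[0][:1].isdigit() or len(fields) < 7 or fields[2] not in ("ipv4", "ipv6"):
            continue
        registry, cc, rtype, start, value = fields[:5]
        if rtype == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (int(value) - 1)
            nets: List[Network] = list(ipaddress.summarize_address_range(first, last))
        else:
            nets = [ipaddress.IPv6Network(f"{start}/{value}", strict=False)]
        for net in nets:
            records.append((registry.lower(), cc.upper(), net))
    return records


def lookup(records: List[Record], ip_str: str) -> Optional[Tuple[str, str]]:
    """Return (registry, cc) for the first record containing ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    for registry, cc, net in records:
        if ip.version == net.version and ip in net:
            return registry, cc
    return None


def region_allowed(records: List[Record], ip_str: str, allow_regions: str) -> bool:
    """Evaluate an allow-region style list such as 'apnic:*,ripencc:GB'.

    Default deny: an address absent from every supplied file matches nothing
    and is refused, which is why the files given to region-files must cover
    every registry named in allow-region.
    """
    hit = lookup(records, ip_str)
    if hit is None:
        return False
    registry, cc = hit
    for pattern in allow_regions.split(","):
        want_registry, _, want_cc = pattern.strip().lower().partition(":")
        want_cc = want_cc or "*"  # 'apnic' alone is treated like 'apnic:*' (assumption)
        if want_registry in ("*", registry) and want_cc.upper() in ("*", cc):
            return True
    return False


SAMPLE_RECORDS = parse_delegated(SAMPLE_STATS.splitlines())

if __name__ == "__main__":
    for ip, regions in [("192.0.2.77", "ripencc:GB"), ("198.51.100.9", "apnic:*"),
                        ("198.18.2.200", "lacnic:BR"), ("10.0.0.1", "*:*")]:
        print(ip, lookup(SAMPLE_RECORDS, ip), region_allowed(SAMPLE_RECORDS, ip, regions))
```

Running it against a real delegated-ripencc-latest file (pass its lines to parse_delegated) gives a quick offline way to confirm that an address you expect to be allowed by a rule such as allow-region=ripencc:GB actually resolves to ripencc/GB before you lock down the account stack.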

EXAMPLES

Allow root login only from 192.168.0.x

account    required  pam_ihosts.so user=root syslog allow-ip=192.168.0.*

For all users, allow login only from two mac-addresses (only meaningful for clients on the local network segment)

account    required  pam_ihosts.so user=* allow-mac=ff:c0:a8:e4:99:31,ff:c0:a8:f9:cc:01

Allow root login only from one IP

account    required  pam_ihosts.so user=root allow-ip=218.99.102.99

For all users other than root, allow login only from ip-addresses in Great Britain.

account    required  pam_ihosts.so user=!root region-files=/etc/ip-lists/delegated-afrinic-latest,/etc/ip-lists/delegated-lacnic-latest,/etc/ip-lists/delegated-apnic-latest,/etc/ip-lists/delegated-ripencc-latest allow-region=ripencc:GB

For all users, allow login only from Asia Pacific IPs.

account    required  pam_ihosts.so user=* region-files=/etc/ip-lists/delegated-afrinic-latest,/etc/ip-lists/delegated-lacnic-latest,/etc/ip-lists/delegated-apnic-latest,/etc/ip-lists/delegated-ripencc-latest allow-region=apnic:*

Same as above, but potentially more efficient: since only apnic regions are allowed, only the apnic file needs to be loaded and searched. An address that is not found in any listed file cannot match and is denied.

account    required  pam_ihosts.so user=* region-files=/etc/ip-lists/delegated-apnic-latest allow-region=apnic:*

For all users, allow login only from Asia Pacific IPs. Use mmap shared memory for the afrinic and lacnic files.

account    required  pam_ihosts.so user=* region-files=mmap:/etc/ip-lists/delegated-afrinic-latest,mmap:/etc/ip-lists/delegated-lacnic-latest,/etc/ip-lists/delegated-apnic-latest,/etc/ip-lists/delegated-ripencc-latest allow-region=apnic:*