TL;DR: Secure PAM with pam_pwquality (strong passwords), pam_faillock (brute-force protection), U2F/YubiKey MFA where it makes sense, and — most importantly — put everything in code with Ansible + Molecule. Validate in CI/CD and sleep better at night.

Why does PAM still matter?

PAM is Linux's authentication layer. A wrong order in the stack can break SSH/sudo or allow weak passwords. With a few well-placed pieces and automation, you gain security, predictability, and the ability to audit every change.

What you will implement

1. Password complexity with pam_pwquality using /etc/security/pwquality.conf.

2. Account lockout on failed attempts with pam_faillock and /etc/security/faillock.conf.

3. MFA with YubiKey (U2F/FIDO2) via pam_u2f (recommended for sudo).

4. Traceability with auditd monitoring PAM/SSH/sudo.

🔐 Principles: least privilege, declarative configuration, test before prod, and documented break-glass procedure.

Multi-distro matrix (avoid manual editing)

• RHEL/derivatives (Rocky/Alma): do not edit system-auth/password-auth directly. Use authselect to enable with-faillock and with-pwquality and apply changes.

• Debian/Ubuntu: do not edit common-* directly. Use pam-auth-update with profiles in /usr/share/pam-configs/ (enable/disable via the tool).

Flow diagram (Mermaid)

Step by step (fast and safe)

1) Base configuration: pwquality and faillock

Sensible values (both families):

# /etc/security/pwquality.conf
minlen = 12
minclass = 3
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = -1
maxrepeat = 2

# /etc/security/faillock.conf
deny = 5
unlock_time = 600
fail_interval = 900
# Note: the tally directory is usually /run/faillock on most systems

RHEL/Rocky/Alma

sudo dnf install -y libpwquality pam_u2f audit
# Select base profile (adjust to your environment: sssd/winbind/local)
sudo authselect select sssd --force
# Enable features
sudo authselect enable-feature with-pwquality
sudo authselect enable-feature with-faillock
sudo authselect apply-changes
# Deploy policy files
sudo cp pwquality.conf /etc/security/pwquality.conf
sudo cp faillock.conf  /etc/security/faillock.conf
# Verify
authselect check

Debian/Ubuntu

sudo apt update
sudo apt install -y libpam-pwquality libpam-modules auditd
# Profile for pam-auth-update (faillock)
cat <<'EOF' | sudo tee /usr/share/pam-configs/faillock
Name: Faillock (lock after failed logins)
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
    requisite pam_faillock.so preauth
    [default=die] pam_faillock.so authfail
    sufficient pam_faillock.so authsucc
Account-Type: Primary
Account:
    required pam_faillock.so
EOF
sudo pam-auth-update --enable faillock
# Deploy policy files
sudo cp pwquality.conf /etc/security/pwquality.conf
sudo cp faillock.conf  /etc/security/faillock.conf

✅ Quick validation:

• Use pwscore or try setting a weak password to see it rejected.

• Make 5 failed attempts and check faillock --user <username>.

2) MFA with YubiKey (U2F/FIDO2) for sudo (optional but recommended)

Installation

• RHEL/Rocky/Alma: sudo dnf install -y pam_u2f (may require EPEL).

• Debian/Ubuntu: sudo apt install -y libpam-u2f.

Key enrollment (centralised mapping)

# Enroll YubiKey for the user (repeat with backup key)
mkdir -p ~/.config/Yubico
pamu2fcfg -u "$(whoami)" > ~/.config/Yubico/u2f_keys
# Central mapping for PAM
sudo cp ~/.config/Yubico/u2f_keys /etc/u2f_mappings
sudo chmod 600 /etc/u2f_mappings

Protect sudo with MFA + break-glass

# /etc/pam.d/sudo (add near the top)
# Allow emergency group to bypass MFA (break-glass)
auth  [success=1 default=ignore] pam_succeed_if.so user ingroup admins-nomfa
# Require U2F MFA for everyone else
auth  required pam_u2f.so authfile=/etc/u2f_mappings cue=1

🔁 Enroll 2 keys per user and document your emergency procedure (console/iLO/Out-of-Band + break-glass user with rotation and audit trail).

3) Auditing with auditd

# /etc/audit/rules.d/99-hardening.rules
-w /etc/pam.d/          -p wa -k pam_changes
-w /etc/security/       -p wa -k pam_changes
-w /etc/ssh/sshd_config -p wa -k ssh_config
-w /etc/sudoers         -p wa -k sudo_config
-w /etc/sudoers.d/      -p wa -k sudo_config

sudo augenrules --load
sudo systemctl restart auditd
# Queries
sudo ausearch -k pam_changes --start recent
sudo aureport  -k --summary

Put it in code: Ansible + Molecule

Role structure

roles/pam_hardening/
├─ defaults/main.yml
├─ tasks/main.yml
├─ templates/pwquality.conf.j2
├─ templates/faillock.conf.j2
├─ files/pam-configs/faillock   # for Debian/Ubuntu
└─ molecule/default/
   ├─ molecule.yml
   ├─ converge.yml
   └─ tests/test_pam.py

defaults/main.yml

pwquality:
  minlen: 12
  minclass: 3
  ucredit: -1
  lcredit: -1
  dcredit: -1
  ocredit: -1
  maxrepeat: 2
faillock:
  deny: 5
  unlock_time: 600
  fail_interval: 900

tasks/main.yml (summary)

- name: Install base packages
  package:
    name: "{{ item }}"
    state: present
  loop: >-
    {{ (ansible_facts.os_family == 'RedHat') | ternary(
         ['libpwquality', 'pam', 'audit'],
         ['libpam-pwquality', 'libpam-modules', 'auditd']
       ) }}

- name: RHEL | Enable authselect features
  command: >-
    authselect enable-feature {{ item }}
  loop:
    - with-pwquality
    - with-faillock
  when: ansible_facts.os_family == 'RedHat'
  notify: Apply authselect

- name: RHEL | Select sssd profile if not set
  command: authselect select sssd --force
  when: ansible_facts.os_family == 'RedHat'

- name: Debian | Deploy faillock profile for pam-auth-update
  copy:
    src: files/pam-configs/faillock
    dest: /usr/share/pam-configs/faillock
    owner: root
    group: root
    mode: '0644'
  when: ansible_facts.os_family == 'Debian'

- name: Debian | Enable faillock
  command: pam-auth-update --enable faillock
  changed_when: "'No changes' not in result.stdout"
  register: result
  when: ansible_facts.os_family == 'Debian'

- name: Template pwquality.conf
  template:
    src: pwquality.conf.j2
    dest: /etc/security/pwquality.conf
    owner: root
    group: root
    mode: '0644'

- name: Template faillock.conf
  template:
    src: faillock.conf.j2
    dest: /etc/security/faillock.conf
    owner: root
    group: root
    mode: '0644'

handlers/main.yml

- name: Apply authselect
  command: authselect apply-changes
  when: ansible_facts.os_family == 'RedHat'

molecule/default/molecule.yml

platforms:
  - name: rocky9
    image: rockylinux:9
    privileged: true
  - name: ubuntu-24
    image: ubuntu:24.04
provisioner:
  name: ansible
verifier:
  name: testinfra

molecule/default/tests/test_pam.py (excerpt)

def test_pwquality_file(host):
    f = host.file('/etc/security/pwquality.conf')
    assert f.exists
    assert f.contains('minlen = 12')

def test_pam_chain(host):
    distro = host.system_info.distribution.lower()
    if 'rocky' in distro or 'alma' in distro or 'redhat' in distro:
        pam = host.file('/etc/pam.d/password-auth')
        assert pam.contains('pam_pwquality.so')
    else:
        pam = host.file('/etc/pam.d/common-password')
        assert pam.contains('pam_pwquality.so')

CI/CD (quick idea):

• ansible-lint + yamllint.

• molecule test on Rocky 9 and Ubuntu 24.04.

• Publish artefacts (guide PDF and changelog).

Production checklist

• [ ] UsePAM yes in sshd_config if you need PAM in SSH.

• [ ] pam_pwquality with policy aligned to business requirements.

• [ ] pam_faillock with sensible deny/unlock_time/fail_interval; decide whether tally persists across reboots.

• [ ] U2F/YubiKey MFA on sudo, with second key and break-glass group.

• [ ] auditd monitoring PAM/SSH/sudo with periodic reports.

• [ ] Ansible role with green Molecule in CI.

Common mistakes (and how to avoid them)

• Directly editing system-auth/password-auth (RHEL) or common-* (Debian): use authselect/pam-auth-update.

• Locking out service accounts: exclude them or apply rules per TTY/service.

• No recovery plan: document OOB/console access and rotated emergency users.

• Changes outside version control: everything in Git, with PRs and review.

Appendix: reference values

• deny = 5, unlock_time = 600, fail_interval = 900 typically balance security and usability.

• minlen = 12, minclass = 3 with negative credits to enforce character variety.

• On workstations, consider pam_u2f for GDM as well; on servers, focus on sudo.

“Today I’m going to set up a simple website.
GitHub Pages + Cloudflare. How hard can it be?”

…and 20 minutes later you’re knee-deep in manually creating DNS records, toggling SSL settings, configuring redirects, debugging Rulesets, and wondering whether Cloudflare’s KV namespaces require a sacrifice to the gods before Terraform accepts them.

If you’ve ever tried to maintain Cloudflare manually — DNS, HTTPS rewrites, redirects, Caching rules, and Pages settings — you already know the pain.

And if you’ve tried automating all of this with Terraform…
well, then you probably met the beautiful chaos that is Cloudflare Provider v5.

This is the story of how something “simple” turned into two weeks of deep-dive debugging — and the free GitHub template I built so you don’t have to suffer through the same journey.

💥 The Pain Begins: Terraform Cloudflare Provider v5

Cloudflare Provider v5 didn’t just make a few tweaks.
It brought a tsunami of breaking changes.

❌ 1. Resources removed or replaced

Some Terraform resources disappeared entirely. Others were renamed or split into multiple new ones.

# v4: used everywhere
resource "cloudflare_page_rule" "redirect" { ... }

# v5: nope, now use rulesets
resource "cloudflare_ruleset" "redirect" { ... }

❌ 2. The Great Rulesets Migration

Rulesets are powerful.
Rulesets are flexible.
Rulesets are… not documented consistently.

Migrating from Page Rules to Rulesets requires new blocks, phases, expressions, actions, and sometimes zone-level instead of account-level.

❌ 3. Zone Settings Override limitations

Some settings are only allowed at account-level. Others only at zone-level. Terraform shows:

Error: cannot modify setting at zone level

…without telling you where you should modify it.

❌ 4. API Token scopes became a labyrinth

You now need extremely precise permissions.

Miss one scope — even a read-only one — and Terraform explodes.

❌ 5. Account-level vs Zone-level divergence

• DNS → zone-level
• Cache rules → zone-level
• Redirects → account-level
• Pages → account-level

If you configure something on the wrong side, Terraform fails.

🙋‍♂️ Why This Matters for Solo Engineers, Homelab Builders, and Small DevOps Teams

Most of us don’t want to architect a global CDN strategy.

We just want:

• a static site
• GitHub Pages
• Cloudflare
• DNS automated
• SSL working
• redirects configured
• caching optimized

Terraform v5 turned this simple workflow into:

“Let me spend three hours debugging a zone-level setting just to redirect www → apex.”

✅ Introducing My Free Template: Terraform + Cloudflare + GitHub Pages

A clean, minimal, reproducible template that:

• Works with provider v4 (or v5 with small edits)
• Creates GitHub Pages DNS
• Configures SSL
• Creates redirects
• Adds cache rules
• Documents API token scopes
• Requires zero Cloudflare dashboard clicks

🛠️ What the Template Solves

✔ DNS Records for GitHub Pages

✔ GitHub Pages CNAME Handling

✔ Redirect www → apex

✔ HTTPS rewrite & security settings

✔ Cache rules for static assets

✔ Clean API Token requirements

🧩 Example Terraform Code

DNS Record

resource "cloudflare_record" "github_pages" {
  zone_id = var.zone_id
  name    = "@"
  type    = "CNAME"
  value   = "${var.github_username}.github.io"
  proxied = true
}

Redirect

resource "cloudflare_ruleset" "redirect_www_to_apex" {
  name    = "www-to-apex"
  zone_id = var.zone_id
  kind    = "zone"
  phase   = "http_request_redirect"

  rules {
    expression = "(http.host eq \"www.${var.domain}\")"
    action     = "redirect"

    action_parameters {
      from_value {
        status_code = 301
        target_url  = "https://${var.domain}/"
      }
    }
  }
}

Cache Static

resource "cloudflare_ruleset" "cache_static" {
  name    = "cache-static"
  zone_id = var.zone_id
  kind    = "zone"
  phase   = "http_request_cache_settings"

  rules {
    expression = "(http.request.uri.path matches \".*\\.(css|js|png|jpg|svg|ico)\")"
    action     = "set_cache_settings"

    action_parameters {
      cache = true
      edge_ttl {
        mode         = "override_origin"
        default      = 2592000
      }
    }
  }
}

🔎 Architecture Diagram

flowchart LR
    A[Browser] --> B[Cloudflare Edge]
    B --> C[Rulesets: Redirect + Cache + HTTPS]
    C --> D[GitHub Pages Hosting]
    D --> B
    B --> A

🧠 Lessons Learned from Migrating to v5

• Always use a sandbox zone
• Documentation lags behind API and TF provider
• Be explicit with API token scopes
• Don’t mix account/zone configs blindly
• Cache & redirect rules are fragile

🚀 Final Thoughts

If you want to avoid the suffering and deploy Cloudflare + GitHub Pages cleanly:

👉 GitHub Repository: (https://github.com/malpanez/terraform-cloudflare-github-pages)
👉 Hashnode Blog: (https://blog.homelabforge.dev/surviving-cloudflare-terraform-provider-v5-pain-breaking-changes-and-a-free-template-for-github-pages)

Happy automating!

https://acloudguru.com/blog/engineering/cloudguruchallenge-improve-application-performance-using-amazon-elasticache?utm_source=linkedin&utm_medium=social&utm_campaign=cloudguruchallengee

For accomplish this issue I required:

• a valid AWS profile
• a valid KeyPair to be used in the EC2.
• Terraform

Steps Implement RDS,VPC,EC2,REDIS using Terraform:

See code here

Log by ssh Inside the public ec2:

ssh ec2-user@xxx.xxx.xxx.xxx -i key

Ensure that everything from the user-data.bash it's installed and start the configuration around the:

1. nginx (install and apply the configuration given for redirection when using /app to the port 5000
2. ensure that all the pre-requisites regarding python are in place (install python modules: psycopg2-binary, postgres, flask, parserconfig, redis)
3. configure the database.ini file:

Note: there's no problem in show full code as it's a Cloud Playground and will be deleted by when it's published.

[postgresql]
host=terraform-20210731120731938300000001.cyb7h7wacdzq.us-east-1.rds.amazonaws.com
database=postgres
user=postgres
password=postgres

[redis]
redis_url=redis://redis-cache.x2mygh.0001.use1.cache.amazonaws.com:6379

4. Modify the app.py given once you include the ElastiCache, here's the final code:

# /usr/bin/python2.7
import psycopg2
from configparser import ConfigParser
from flask import Flask, request, render_template, g, abort
import time
import redis

def config(filename='config/database.ini', section='postgresql'):
    # create a parser
    parser = ConfigParser()
    # read config file
    parser.read(filename)
  # get section, default to postgresql
    db = {}
    if parser.has_section(section):
        params = parser.items(section)
        for param in params:
            db[param[0]] = param[1]
    else:
        raise Exception('Section {0} not found in the {1} file'.format(section, filename))

    return db

def fetch(sql):
    # connect to database listed in database.ini
    ttl = 10 # Time to live in seconds
    try:
       params = config(filename='config/database.ini',section='redis')
       cache = redis.Redis.from_url(params['redis_url'])
       result = cache.get(sql)

       if result:
         return result
       else:
         # connect to database listed in database.ini
         conn = connect()
         cur = conn.cursor()
         cur.execute(sql)
         # fetch one row
         result = cur.fetchone()
         print('Closing connection to database...')
         cur.close()
         conn.close()

         # cache result
         cache.setex(sql, ttl, ''.join(result))
         return result

    except (Exception, psycopg2.DatabaseError) as error:
        print(error)

def connect():
    """ Connect to the PostgreSQL database server and return a cursor """
    conn = None
    try:
        # read connection parameters
        params = config()

        # connect to the PostgreSQL server
        print('Connecting to the PostgreSQL database...')
        conn = psycopg2.connect(**params)

    except (Exception, psycopg2.DatabaseError) as error:
        print("Error:", error)
        conn = None

    else:
        # return a conn
        return conn

app = Flask(__name__)

@app.before_request
def before_request():
   g.request_start_time = time.time()
   g.request_time = lambda: "%.5fs" % (time.time() - g.request_start_time)

@app.route("/")
def index():
    sql = 'SELECT slow_version();'
    db_result = fetch(sql)

    if(db_result):
        db_version = "".join([str(i) for i in db_result])
    else:
        abort(500)
    params = config()
    return render_template('index.html', db_version = db_version, db_host = params['host'])


if __name__ == "__main__":        # on running python app.py
    app.run()                     # run the flask app

Here's the first attempt using the slow code given to the postgresql:

Second time:

Third time:

This is using Redis Cache:

Example of using the Application with connection to DB and from Redis:

(venv) [ec2-user@ip-10-0-3-203 bin]$ python app.py 
 * Serving Flask app 'app' (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
Connecting to the PostgreSQL database...
Closing connection to database...
127.0.0.1 - - [31/Jul/2021 14:56:26] "GET / HTTP/1.0" 200 -
Connecting to the PostgreSQL database...
Closing connection to database...
127.0.0.1 - - [31/Jul/2021 14:56:43] "GET / HTTP/1.0" 200 -
Connecting to the PostgreSQL database...
Closing connection to database...
127.0.0.1 - - [31/Jul/2021 14:56:58] "GET / HTTP/1.0" 200 -
127.0.0.1 - - [31/Jul/2021 14:57:01] "GET / HTTP/1.0" 200 -