PAM is a powerful framework, and it can be difficult to foresee everything that can go wrong. If PAM is wrongly configured, your environment can easily be compromised by crackers and even script kiddies.
The pam_deny module must be regarded as an essential component in modern PAM configuration. The module can be included as the last module in any stack for every service as a failsafe solution. If no other module has either denied or granted access to the service, it might be nice to know that access is always blocked at the last stage.
Moreover, it is important to keep an eye on the OTHER service. The reason is that if a service is not configured explicitly then PAM falls back to the OTHER service. In other words, the OTHER service can easily become your weakest link—in particular when you do not think about it. A simple version of the OTHER service could involve the pam_deny module, which will stop unauthorized access:
auth required pam_deny.so
The system administrator...