[CALUG] update to tb-sshdfilter

Eric V. Smith eric at trueblade.com
Tue Oct 18 06:00:28 CDT 2005


By running:

/sbin/iptables --table filter --append INPUT  --jump SSHD

you're telling netfilter to process all traffic through the rule.  If 
you want to only block some traffic, you need to modify this rule to 
only match that traffic.  Off the top of my head, something like:

/sbin/iptables --table filter --append INPUT  --protocol tcp --dport 
5022 --jump SSHD

for what you're testing (watch for line break).

For me, it's a feature to block all traffic from an offending host, but 
your needs might vary, especially when testing.

Eric.
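As an added illustration of the point above (example code, not tb-sshdfilter's own setup and not from the list thread), the script below creates the SSHD chain and scopes the INPUT jump to a single TCP port, so a block triggered while testing on 5022 cannot cut off the port-22 session the admin is working from. It assumes a POSIX sh, that `SSH_CLIENT` is set by sshd for an interactive session, and adds a RETURN rule for the admin's own address as a lockout guard; that guard is an assumption of this example, not a feature of tb-sshdfilter.

```shell
#!/bin/sh
# Added example: scope the SSHD jump to one port and guard the admin session.
# IPT defaults to /sbin/iptables; set IPT=echo to preview the commands.
IPT=${IPT:-/sbin/iptables}

# Emit the arguments for the rule that hands traffic to the SSHD chain.
# With a port, only TCP traffic to that port is matched; without one,
# every inbound packet is, which is what the unscoped --jump SSHD does.
sshd_jump_rule() {
    port=$1
    if [ -n "$port" ]; then
        echo "--table filter --append INPUT --protocol tcp --dport $port --jump SSHD"
    else
        echo "--table filter --append INPUT --jump SSHD"
    fi
}

# Create the chain (ignore "already exists"), add the scoped jump, and,
# if sshd told us where the admin is connecting from, put a RETURN for
# that address first in SSHD so DROP rules appended later never match it.
# The RETURN guard is this example's assumption, not part of tb-sshdfilter.
setup_sshd_chain() {
    port=$1
    admin_ip=${SSH_CLIENT%% *}
    $IPT --table filter --new-chain SSHD 2>/dev/null || true
    if [ -n "$admin_ip" ]; then
        $IPT --table filter --insert SSHD 1 --source "$admin_ip" --jump RETURN
    fi
    # shellcheck disable=SC2046  # splitting the rule into arguments is intended
    $IPT $(sshd_jump_rule "$port")
}

# Usage (as root):  setup_sshd_chain 5022
# Preview only:     IPT=echo setup_sshd_chain 5022
```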


Eldon Ziegler wrote:
> Thanks for the help. Something must have stripped the attachment.
> 
> I have it running on one of my servers along with a nightly logwatch so 
> the effect should be seen. I seem to get the most intrusions on weekends.
> 
> One surprise... I opened port 5022 in the firewall and specified -p5022 
> when I ran tb-sshdfilter expecting it to block only 5022 while leaving 
> port 22 alone so I could still login. In fact, all ssh input was blocked 
> after I tried an invalid user name login. Fortunately, I had dialed up 
> an ISP to get around a problem with a flaky ISDN line so all I had to do 
> was re-dial to get a new IP address and login again. Did I miss 
> something on how to test tb-sshdfilter safely?
> 
> Eldon
> 
> At 07:47 am 10/17/2005, Eric V. Smith wrote:
> 
>> I didn't get an attachment, but that's okay.
>>
>> You first need to create the SSHD chain:
>>
>> /sbin/iptables --table filter --new-chain SSHD
>>
>> And then you need to call it somewhere in the INPUT processing.   
>> You've got some flexibility here.  I add this line very early in the 
>> INPUT chain, so that all inbound traffic gets processed:
>>
>> /sbin/iptables --table filter --append INPUT  --jump SSHD
>>
>> That's it.
>>
>> I don't use /etc/sysconfig/iptables, I have my own mechanism for 
>> populating the rules.  But from what I recall, it's the output of 
>> iptables-save.  I've never understood why this file isn't just a list 
>> of normal iptables rules.  You'll need to figure out how to get these 
>> new rules into that file in the right format.
>>
>> Eric.
>>
>>
>> Eldon Ziegler wrote:
>>
>>> Eric,
>>> Could you expand on what needs to be preset into iptables? I've 
>>> attached the file on my server from /etc/sysconfig/iptables.
>>> Hope this isn't asking too much.
>>> Thanks
>>> Eldon Ziegler
>>> At 03:04 pm 10/14/2005, you wrote:
>>>
>>>> Someone at the meeting discovered that tb-sshdfilter doesn't print a
>>>> good error message if the sshd or iptables commands aren't configured
>>>> correctly.  I've corrected this and posted version 1.1 on the True 
>>>> Blade
>>>> web site.
>>>>
>>>> http://trueblade.com/tb-sshdfilter.html
>>>>
>>>> Eric.
>>>> _______________________________________________
>>>> Columbia, Maryland Linux User's Group (CALUG) mailing list
>>>> CALUG Website: http://www.calug.com
>>>> Email postings to: lug at calug.com
>>>> Change your list subscription options: 
>>>> http://calug.com/mailman/listinfo/lug
>>
>>
> 
> 


