[CALUG] update to tb-sshdfilter

Eldon Ziegler eldonz39yid at yahoo.com
Tue Oct 18 04:24:46 CDT 2005

Thanks for the help. Something must have stripped the attachment.

I have it running on one of my servers along with a nightly logwatch 
so the effect should be seen. I seem to get the most intrusions on weekends.

One surprise... I opened port 5022 in the firewall and specified 
-p5022 when I ran tb-sshdfilter expecting it to block only 5022 while 
leaving port 22 alone so I could still login. In fact, all ssh input 
was blocked after I tried an invalid user name login. Fortunately, I 
had dialed up an ISP to get around a problem with a flaky ISDN line 
so all I had to do was re-dial to get a new IP address and login 
again. Did I miss something on how to test tb-sshdfilter safely?


At 07:47 am 10/17/2005, Eric V. Smith wrote:
>I didn't get an attachment, but that's okay.
>You first need to create the SSHD chain:
>/sbin/iptables --table filter --new-chain SSHD
>And then you need to call it somewhere in the INPUT 
>processing.   You've got some flexibility here.  I add this line 
>very early in the INPUT chain, so that all imbound traffic gets processed:
>/sbin/iptables --table filter --append INPUT  --jump SSHD
>That's it.
>I don't use /etc/sysconfig/iptables, I have my own mechanism for 
>populating the rules.  But from what I recall, it's the output of 
>iptables-save.  I've never underestood why this file isn't just a 
>list of normal iptables rules.  You'll need to figure out how to get 
>these new rules into that file in the right format.
>Eldon Ziegler wrote:
>>Could you expand on what needs to be preset into iptables? I've 
>>attached the file on my server from /etc/sysconfig/iptables.
>>Hope this isn't asking too much.
>>Eldon Ziegler
>>At 03:04 pm 10/14/2005, you wrote:
>>>Someone at the meeting discovered that tb-sshdfilter doesn't print a
>>>good error message if the sshd or iptables commands aren't configured
>>>correctly.  I've corrected this and posted version 1.1 on the True Blade
>>>web site.
>>>Columbia, Maryland Linux User's Group (CALUG) mailing list
>>>CALUG Website: http://www.calug.com
>>>Email postings to: lug at calug.com
>>>Change your list subscription options: http://calug.com/mailman/listinfo/lug

More information about the lug mailing list