[CALUG] update to tb-sshdfilter
eldonz39yid at yahoo.com
Tue Oct 18 04:24:46 CDT 2005
Thanks for the help. Something must have stripped the attachment.
I have it running on one of my servers along with a nightly logwatch
so the effect should be seen. I seem to get the most intrusions on weekends.
One surprise... I opened port 5022 in the firewall and specified
-p5022 when I ran tb-sshdfilter expecting it to block only 5022 while
leaving port 22 alone so I could still login. In fact, all ssh input
was blocked after I tried an invalid user name login. Fortunately, I
had dialed up an ISP to get around a problem with a flaky ISDN line
so all I had to do was re-dial to get a new IP address and login
again. Did I miss something on how to test tb-sshdfilter safely?
At 07:47 am 10/17/2005, Eric V. Smith wrote:
>I didn't get an attachment, but that's okay.
>You first need to create the SSHD chain:
>/sbin/iptables --table filter --new-chain SSHD
>And then you need to call it somewhere in the INPUT
>processing. You've got some flexibility here. I add this line
>very early in the INPUT chain, so that all inbound traffic gets processed:
>/sbin/iptables --table filter --append INPUT --jump SSHD
>I don't use /etc/sysconfig/iptables, I have my own mechanism for
>populating the rules. But from what I recall, it's the output of
>iptables-save. I've never understood why this file isn't just a
>list of normal iptables rules. You'll need to figure out how to get
>these new rules into that file in the right format.
>Eldon Ziegler wrote:
>>Could you expand on what needs to be preset into iptables? I've
>>attached the file on my server from /etc/sysconfig/iptables.
>>Hope this isn't asking too much.
>>At 03:04 pm 10/14/2005, you wrote:
>>>Someone at the meeting discovered that tb-sshdfilter doesn't print a
>>>good error message if the sshd or iptables commands aren't configured
>>>correctly. I've corrected this and posted version 1.1 on the True Blade
>>>Columbia, Maryland Linux User's Group (CALUG) mailing list
>>>CALUG Website: http://www.calug.com
>>>Email postings to: lug at calug.com
>>>Change your list subscription options: http://calug.com/mailman/listinfo/lug
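An added example, not from the thread or from tb-sshdfilter: the two iptables commands quoted above, expressed in the iptables-save format that /etc/sysconfig/iptables uses. The function name add_sshd_chain, its optional port argument and the sample ruleset are constructed for illustration; scoping the jump to a single port assumes the blocking rules are placed in the SSHD chain and match on source address only, which the thread does not state.

```shell
#!/bin/sh
# add_sshd_chain [PORT]: read iptables-save text on stdin, declare the SSHD
# chain and make the jump to it the first INPUT rule of the *filter table.
# With PORT, only TCP traffic to that port is sent through SSHD (assumption:
# blocks added to SSHD match on source address, so an unscoped jump hits 22 too).
add_sshd_chain() {
    awk -v port="${1:-}" '
        BEGIN {
            jump = "-A INPUT -j SSHD"
            if (port != "") jump = "-A INPUT -p tcp -m tcp --dport " port " -j SSHD"
        }
        {
            line[NR] = $0
            if ($0 ~ /^\*/) tbl = $0
            if (tbl == "*filter" && $0 ~ /^:SSHD /) declared = 1
            if (tbl == "*filter" && $0 ~ /^-A INPUT .*-j SSHD$/) jumped = 1
        }
        END {
            tbl = ""
            for (i = 1; i <= NR; i++) {
                if (line[i] ~ /^\*/) tbl = line[i]
                # Chain declarations precede rules, so insert before the
                # first rule (or COMMIT when the table has no rules yet).
                if (tbl == "*filter" && !placed && (line[i] ~ /^-A / || line[i] == "COMMIT")) {
                    if (!declared) print ":SSHD - [0:0]"
                    if (!jumped) print jump
                    placed = 1
                }
                print line[i]
            }
        }
    '
}

# Constructed sample in iptables-save format (not the poster's real file).
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5022 -j ACCEPT
-A INPUT -j DROP
COMMIT'

printf '%s\n' "$SAMPLE" | add_sshd_chain 5022
```

Running the function on its own output changes nothing, so it can be applied repeatedly; compare the result with the existing file before replacing it.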