[CALUG] update to tb-sshdfilter

Eldon Ziegler eldonz39yid at yahoo.com
Wed Oct 19 04:34:39 CDT 2005


Eric,

Thanks. It's working great. The first day it trapped 6 rats!

Eldon

At 07:00 am 10/18/2005, Eric V. Smith wrote:
>By running:
>
>/sbin/iptables --table filter --append INPUT  --jump SSHD
>
>you're telling netfilter to process all traffic through the rule.  If
>you want to only block some traffic, you need to modify this rule to
>only match that traffic.  Off the top of my head, something like:
>
>/sbin/iptables --table filter --append INPUT  --protocol tcp --dport
>5022 --jump SSHD
>
>for what you're testing (watch for line break).
>
>For me, it's a feature to block all traffic from an offending host, but
>your needs might vary, especially when testing.
>
>Eric.
>
>
>Eldon Ziegler wrote:
> > Thanks for the help. Something must have stripped the attachment.
> >
> > I have it running on one of my servers along with a nightly logwatch so
> > the effect should be seen. I seem to get the most intrusions on weekends.
> >
> > One surprise... I opened port 5022 in the firewall and specified -p5022
> > when I ran tb-sshdfilter expecting it to block only 5022 while leaving
> > port 22 alone so I could still login. In fact, all ssh input was blocked
> > after I tried an invalid user name login. Fortunately, I had dialed up
> > an ISP to get around a problem with a flaky ISDN line so all I had to do
> > was re-dial to get a new IP address and login again. Did I miss
> > something on how to test tb-sshdfilter safely?
> >
> > Eldon
> >
> > At 07:47 am 10/17/2005, Eric V. Smith wrote:
> >
> >> I didn't get an attachment, but that's okay.
> >>
> >> You first need to create the SSHD chain:
> >>
> >> /sbin/iptables --table filter --new-chain SSHD
> >>
> >> And then you need to call it somewhere in the INPUT processing.
> >> You've got some flexibility here.  I add this line very early in the
> >> INPUT chain, so that all inbound traffic gets processed:
> >>
> >> /sbin/iptables --table filter --append INPUT  --jump SSHD
> >>
> >> That's it.
> >>
> >> I don't use /etc/sysconfig/iptables, I have my own mechanism for
> >> populating the rules.  But from what I recall, it's the output of
> >> iptables-save.  I've never understood why this file isn't just a list
> >> of normal iptables rules.  You'll need to figure out how to get these
> >> new rules into that file in the right format.
> >>
> >> Eric.
> >>
> >>
> >> Eldon Ziegler wrote:
> >>
> >>> Eric,
> >>> Could you expand on what needs to be preset into iptables? I've
> >>> attached the file on my server from /etc/sysconfig/iptables.
> >>> Hope this isn't asking too much.
> >>> Thanks
> >>> Eldon Ziegler
> >>> At 03:04 pm 10/14/2005, you wrote:
> >>>
> >>>> Someone at the meeting discovered that tb-sshdfilter doesn't print a
> >>>> good error message if the sshd or iptables commands aren't configured
> >>>> correctly.  I've corrected this and posted version 1.1 on the True Blade
> >>>> web site.
> >>>>
> >>>> http://trueblade.com/tb-sshdfilter.html
> >>>>
> >>>> Eric.
> >>>> _______________________________________________
> >>>> Columbia, Maryland Linux User's Group (CALUG) mailing list
> >>>> CALUG Website: http://www.calug.com
> >>>> Email postings to: lug at calug.com
> >>>> Change your list subscription options:
> >>>> http://calug.com/mailman/listinfo/lug
> >>
> >>
> >
> >
>
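The lock-out Eldon describes above comes from hooking the SSHD chain into INPUT for all traffic, so one bad login on the test port drops the tester's own connection on port 22 as well. The script below is an added illustration of the idea behind a log-driven blocker, written for this page and not taken from tb-sshdfilter or the True Blade site: it pulls source addresses out of sshd "Invalid user" lines, counts attempts, and generates the iptables commands Eric shows, with two safety additions a tester would want: the INPUT hook can be restricted to the port under test (`--protocol tcp --dport 5022`), and an allow-list of administrator addresses gets a RETURN rule placed ahead of every DROP. The log lines, host name, addresses (TEST-NET ranges) and the `--dport`/allow-list options are constructed for the example; the function names are hypothetical.

```python
"""Illustrative sshd log watcher in the spirit of tb-sshdfilter (not the tool's own code)."""
import re
import shlex
from collections import Counter

IPTABLES = "/sbin/iptables"
CHAIN = "SSHD"

# OpenSSH writes both of these forms to syslog for unknown account names:
#   "Invalid user NAME from ADDR"
#   "Failed password for invalid user NAME from ADDR port N ssh2"
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for )?[Ii]nvalid user \S+ from (\S+)"
)

# Constructed sample log (hypothetical host "gw", TEST-NET addresses), not a real capture.
SAMPLE_LOG = """\
Oct 18 03:12:44 gw sshd[4711]: Invalid user admin from 203.0.113.5
Oct 18 03:12:47 gw sshd[4711]: Failed password for invalid user admin from 203.0.113.5 port 4123 ssh2
Oct 18 03:13:02 gw sshd[4720]: Invalid user oracle from 203.0.113.5
Oct 18 03:15:10 gw sshd[4733]: Invalid user test from 198.51.100.9
Oct 18 03:20:00 gw sshd[4740]: Accepted publickey for eldon from 192.0.2.10 port 50022 ssh2
Oct 18 03:21:30 gw sshd[4741]: Invalid user eldonn from 192.0.2.10
"""


def offending_hosts(log_text, threshold=1):
    """Count invalid-user attempts per source address; keep those at or over threshold."""
    counts = Counter(m.group(1) for m in INVALID_USER_RE.finditer(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_rules(offenders, allow=(), port=None, chain=CHAIN):
    """Return iptables argv lists: create the chain, hook it into INPUT,
    exempt allow-listed addresses, then drop each offender.

    port=None reproduces the hook from the thread (every packet traverses the
    chain); port=5022 limits the hook to the sshd under test so a trip on 5022
    cannot lock out a session on 22.
    """
    rules = [[IPTABLES, "--table", "filter", "--new-chain", chain]]
    hook = [IPTABLES, "--table", "filter", "--append", "INPUT"]
    if port is not None:
        hook += ["--protocol", "tcp", "--dport", str(port)]
    rules.append(hook + ["--jump", chain])
    # RETURN rules are appended before any DROP, so allow-listed hosts leave
    # the chain before their address can match a block rule.
    for ip in allow:
        rules.append([IPTABLES, "--table", "filter", "--append", chain,
                      "--source", ip, "--jump", "RETURN"])
    for ip in sorted(offenders):
        if ip in allow:
            continue  # never emit a DROP for an administrator address
        rules.append([IPTABLES, "--table", "filter", "--append", chain,
                      "--source", ip, "--jump", "DROP"])
    return rules


def render(rules):
    """Shell-quoted text of the rules, suitable for review before running as root."""
    return "\n".join(" ".join(shlex.quote(a) for a in r) for r in rules)


if __name__ == "__main__":
    # Allow-list the address the administrator is logged in from (constructed here),
    # and hook only the test port, as Eric suggests for testing.
    bad = offending_hosts(SAMPLE_LOG, threshold=1)
    print(render(build_rules(bad, allow=("192.0.2.10",), port=5022)))
```

Reviewing the rendered commands before feeding them to a root shell is the point of `render`; once the rules look right on the test port, dropping the `port` argument gives the block-everything-from-the-host behaviour Eric prefers for production.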