sshdfilter automatically blocks ssh brute force attacks by reading sshd log output in real time and adding iptables rules based on authentication failures. A block rule is created when a login attempt uses an invalid user name or supplies a wrong password for an existing account. Block rules are removed after a week to keep the list of blocks small. It also comes with a LogWatch filter.
Re: Actually...I'm REAL suspicious too
Are you still using sshdfilter, and which version? I assume you aren't. In which case I'd suspect the sshd startup script is still running sshdfilter instead of sshd. If you have uninstalled all trace of sshdfilter by undoing all steps in the INSTALL file, and your logging is still going missing, then sshdfilter can't be the reason.
> Yeah, that's understandable. But, ever
> since I tried using the sshdfilter
> program, I have been having syslog
> problems. Syslog occasionally stops
> logging. I have to restart syslog to
> get the logging going again. That is
> something that NEVER happened before I
> tried using sshdfilter. Do you have an
> explanation for that?
Re: Actually...I'm REAL suspicious too
Hardly surprising, sshdfilter clears the SSHD chain of rules whenever it starts, to stop the rules going stale in the long term. You have created your problem by blindly changing the sshdfilter source code.
> In hindsight...I was wondering why all
> my iptables rules for my existing chain
> got deleted as soon as I ran the
> sshdfilter program for the first time.
> Is there a reasonable explanation for
> that? Maybe I shouldn't have modified
> the sshdfilter program by replacing all
> instances of the chain name 'SSHD' with
> the name of the chain I had in place
> before. It's still peculiar how all the
> rules associated with that chain got
> deleted.
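The following is an added example, not sshdfilter's own code, and not code posted by anyone in this thread. It models two things from this page: the log-driven blocking with one-week expiry described in the project summary at the top, and the dedicated SSHD chain that the reply above says is flushed at startup, which is why renaming that chain to one already holding your own rules wiped them. iptables is never executed; every rule change is returned as the command line that would be run, so it can be exercised offline. The chain name SSHD and the seven-day expiry are taken from the page; the function and class names, the failure threshold parameter, IPv4-only matching, sshd on port 22, and the OpenSSH log wording the regexes match are assumptions of this example. The sample log lines are constructed, using documentation address ranges.

```python
# Added example, not sshdfilter's own code. Rule changes are returned as
# iptables command strings rather than executed. Assumptions not from the
# page: names, threshold parameter, IPv4 only, port 22, OpenSSH log wording.
import re
from datetime import datetime, timedelta

CHAIN = "SSHD"                  # chain name used by sshdfilter (from the page)
BLOCK_TTL = timedelta(days=7)   # blocks are removed after a week (from the page)

AUTH_FAILURE = re.compile(r"Invalid user |Failed password for ")
SOURCE_ADDR = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def offending_ip(line):
    """Return the client address of an sshd auth failure, else None.

    sshd appends the real source address after the user-supplied login
    name, so the LAST 'from <ip>' on the line is taken: a login name crafted
    to read 'x from 192.0.2.1' must not make us block an address taken from
    attacker-controlled text.
    """
    if not AUTH_FAILURE.search(line):
        return None
    addrs = SOURCE_ADDR.findall(line)
    return addrs[-1] if addrs else None


def chain_setup_commands(port=22):
    """Create a private chain and hang it off INPUT for ssh traffic only.

    Flushing SSHD at startup then removes only the blocker's own rules.
    Pointing the flush at a chain that already holds hand-written rules is
    what emptied the poster's rule set.
    """
    return [
        f"iptables -N {CHAIN}",
        f"iptables -F {CHAIN}",
        f"iptables -A INPUT -p tcp --dport {port} -j {CHAIN}",
    ]


class BlockList:
    """Tracks blocked addresses and when each DROP rule was added."""

    def __init__(self, threshold=1):
        self.threshold = threshold  # failures before blocking (assumed knob)
        self.failures = {}          # ip -> failure count
        self.blocked = {}           # ip -> time the DROP rule was added

    def feed(self, line, now):
        """Consume one log line; return the iptables command to run, or None."""
        ip = offending_ip(line)
        if ip is None or ip in self.blocked:
            return None
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.threshold:
            return None
        self.blocked[ip] = now
        return f"iptables -A {CHAIN} -s {ip} -j DROP"

    def expire(self, now):
        """Remove rules older than BLOCK_TTL; return the delete commands."""
        cmds = []
        for ip, since in list(self.blocked.items()):
            if now - since >= BLOCK_TTL:
                del self.blocked[ip]
                self.failures.pop(ip, None)
                cmds.append(f"iptables -D {CHAIN} -s {ip} -j DROP")
        return cmds


# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = [
    "sshd[2140]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2",
    "sshd[2151]: Invalid user admin from 203.0.113.5 port 4242",
    "sshd[2151]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    "sshd[2160]: Failed password for root from 203.0.113.9 port 5555 ssh2",
    "sshd[2171]: Invalid user x from 192.0.2.1 from 203.0.113.77 port 6001",
]


def run_sample(now=datetime(2024, 1, 1)):
    """Replay SAMPLE_LOG, then advance a week; return (block cmds, expiry cmds)."""
    bl = BlockList()
    blocks = [c for c in (bl.feed(l, now) for l in SAMPLE_LOG) if c]
    expiries = bl.expire(now + BLOCK_TTL)
    return blocks, expiries


if __name__ == "__main__":
    for cmd in chain_setup_commands():
        print(cmd)
    blocks, expiries = run_sample()
    print(*blocks, *expiries, sep="\n")
```

In a real deployment the setup commands run once, `feed` is driven by the sshd log stream, and `expire` runs periodically; execute the returned commands with an argument list rather than through a shell, and keep the blocker's rules in their own chain so that the startup flush cannot touch anything else in INPUT.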