~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Installing and configuring SSHD Filter
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Installing sshdfilter :-
You can download sshdfilter from the following location :-

http://www.csc.liv.ac.uk/~greg/sshdfilter/

#wget -c http://www.csc.liv.ac.uk/~greg/sshdfilter-1.5.5.tar.gz

The download is over plain HTTP, so compare the archive against a checksum or signature published by the author before you build from it.

Untar the tar.gz file :-
#tar -xvzf sshdfilter-1.5.5.tar.gz
#cd sshdfilter-1.5.5
Decide which Linux distribution .partconf file you need to use (the .partconf file carries the log patterns sshdfilter matches against the output of your distribution's sshd) :-

rh7390 - RedHat 7.3, RedHat 9.0, Fedora Core 2.0 or CentOS 4.3
rhFC30 - RedHat Fedora Core 3.0, Fedora Core 4.0, Red Hat Enterprise Linux ES release 4, or CentOS 3.x
deb31 - Debian 3.1 (sarge) or Debian (sid, but see README.debian)
su10rc1 - SuSe 10.0 RC 1, Gentoo and Slackware
dbear - Dropbear, a light weight sshd daemon

(Our distribution was Fedora 5 so we selected rhFC30)

#cat etc/sshdfilterrc patterns/rhFC30.partconf > /etc/sshdfilterrc

Edit /etc/sshdfilterrc to suit your needs

#vi /etc/sshdfilterrc

Make sure the two rules:

firewalladd='iptables -A $chain -p tcp -s $ip --dport 22 -j DROP'

firewalldel='iptables -D $chain -p tcp -s $ip --dport 22 -j DROP'

are uncommented. These are the blocking and unblocking rules: firewalladd appends a DROP rule for the offending source address to the chain named by $chain, and firewalldel removes that same rule when the block time expires. If sshd listens on a port other than 22, change --dport in both rules.

Set the CHAIN :-

chain='SSHD'

If you would like to receive a mail for every block event, set the mailer here (replace the address with your own):

mail='mail -s \"sshdfilter event for $ip, $event\" sos\@magnet.com'

Set the path of the sshd binary. sshdfilter starts sshd itself and reads its log output, so this must be the real daemon, not a wrapper :-

sshdpath='/usr/sbin/sshd'

Now comes the main part, the policy section. Each policy line has the form <attempts>,<block time>=<pattern>: how many failed attempts of that kind a source address is allowed, how long the address is blocked once it reaches that number, and which events the line applies to (the keyword INVALID or NOID, or a quoted regular expression matched against the username). These policies are how the unwanted ssh attempts get blocked :-

(At present we have set the following policies)

4,3d=INVALID
2,5d='^root$'
4,3d='^magnet$'
0,8d=NOID



The first policy "4,3d=INVALID" means: if someone tries to ssh to the server with a username that does not exist, after 4 such attempts the source IP address is inserted into the iptables SSHD chain and is blocked for 3 days.

The second policy "2,5d='^root$'" means: if someone tries to ssh to the server as root, after 2 unsuccessful attempts the source IP address is inserted into iptables and is blocked for 5 days.

The third policy "4,3d='^magnet$'" is similar to the second one: if someone tries to ssh to the server as the user magnet, after 4 unsuccessful attempts the source IP address is inserted into iptables and is blocked for 3 days. Please note, here magnet is one of the users on the server; you would list the users of your own server. Keep in mind that a legitimate user who mistypes their password 4 times also locks out their address for 3 days, so choose the count and block time with that in mind.

The fourth policy "0,8d=NOID" means: catch and block all "no ssh id" events (a client that connects to port 22 and closes the connection without sending an SSH identification string) with an instant block for 8 days. Port scanners and plain TCP health checks trigger this, so make sure your own monitoring hosts do not probe port 22 that way, or give them an ACCEPT rule in INPUT ahead of the jump to the SSHD chain.



You can add more policies to the policy section, the specifications are mentioned in the file.
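As an added illustration of how the policy lines above are applied (example code written for this page, not part of sshdfilter itself), the Python below parses the four policies, classifies a set of constructed sshd log lines of the kind sshdfilter reads, and reports which source addresses cross a threshold and for how long, then renders the firewalladd rule for each. It assumes first-match policy order, that a count of 0 blocks on the first event, that only "Failed password" and "Did not receive identification string" lines are counted (the "Invalid user ... from" preamble line is ignored so one attempt is not counted twice), and that s/m/h duration suffixes exist alongside the 'd' the page shows. The real matching in sshdfilter is done by the patterns in the .partconf file, which this does not reproduce.

```python
import re
from collections import defaultdict

# Policy lines from /etc/sshdfilterrc as set on this page: "<count>,<duration>=<pattern>".
POLICY_TEXT = """
4,3d=INVALID
2,5d='^root$'
4,3d='^magnet$'
0,8d=NOID
"""

# Only the 'd' suffix appears on the page; s/m/h are assumed here for illustration.
DURATION_SECS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
POLICY_RE = re.compile(r"^(\d+),(\d+)([smhd])='?([^']+)'?$")

# Constructed log lines in the shape OpenSSH writes to /var/log/secure (assumed for the demo).
SAMPLE_LOG = [
    "Jan 16 04:10:01 host sshd[2101]: Invalid user admin from 203.0.113.7",
    "Jan 16 04:10:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40211 ssh2",
    "Jan 16 04:10:03 host sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40212 ssh2",
    "Jan 16 04:10:05 host sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 40213 ssh2",
    "Jan 16 04:10:07 host sshd[2110]: Failed password for invalid user guest from 203.0.113.7 port 40214 ssh2",
    "Jan 16 04:11:00 host sshd[2120]: Failed password for root from 198.51.100.9 port 51000 ssh2",
    "Jan 16 04:11:02 host sshd[2120]: Failed password for root from 198.51.100.9 port 51000 ssh2",
    "Jan 16 04:12:00 host sshd[2130]: Failed password for magnet from 192.0.2.20 port 52000 ssh2",
    "Jan 16 04:12:03 host sshd[2130]: Failed password for magnet from 192.0.2.20 port 52000 ssh2",
    "Jan 16 04:12:06 host sshd[2130]: Failed password for magnet from 192.0.2.20 port 52000 ssh2",
    "Jan 16 04:13:00 host sshd[2140]: Did not receive identification string from 192.0.2.33",
]

# Event kinds, tested in this order: the "invalid user" form must win over the generic one.
EVENT_RES = [
    ("NOID", re.compile(r"Did not receive identification string from (?P<ip>\S+)")),
    ("INVALID", re.compile(r"Failed password for invalid user (?P<user>\S+) from (?P<ip>\S+)")),
    ("FAILED", re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")),
]


def parse_policies(text):
    """Turn policy lines into dicts with attempt count, block length in seconds and pattern."""
    policies = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = POLICY_RE.match(line)
        if m is None:
            raise ValueError("unparseable policy line: %r" % line)
        count, num, unit, pattern = m.groups()
        policies.append({"count": int(count), "seconds": int(num) * DURATION_SECS[unit],
                         "pattern": pattern, "line": line})
    return policies


def classify(line):
    """Return (event, user, ip) for a countable line, or None (e.g. the 'Invalid user' preamble)."""
    for event, rx in EVENT_RES:
        m = rx.search(line)
        if m:
            return event, m.groupdict().get("user"), m.group("ip")
    return None


def match_policy(policies, event, user):
    """First policy in file order that applies: keywords match the event kind, regexes the username."""
    for p in policies:
        if p["pattern"] in ("INVALID", "NOID"):
            if event == p["pattern"]:
                return p
        elif event == "FAILED" and re.search(p["pattern"], user):
            return p
    return None


def simulate(policies, lines):
    """Count events per (ip, policy); return {ip: block_seconds} once a threshold is reached.
    A count of 0 blocks on the first matching event, since 1 >= 0."""
    seen = defaultdict(int)
    blocked = {}
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        event, user, ip = ev
        if ip in blocked:
            continue  # already in the SSHD chain; later packets from it are dropped anyway
        p = match_policy(policies, event, user)
        if p is None:
            continue
        seen[(ip, p["line"])] += 1
        if seen[(ip, p["line"])] >= p["count"]:
            blocked[ip] = p["seconds"]
    return blocked


def block_commands(blocked, chain="SSHD"):
    """Render the firewalladd rule from /etc/sshdfilterrc for each blocked address."""
    return ["iptables -A %s -p tcp -s %s --dport 22 -j DROP" % (chain, ip) for ip in blocked]
```

Running simulate(parse_policies(POLICY_TEXT), SAMPLE_LOG) on the constructed lines blocks 203.0.113.7 for 3 days (4 invalid usernames), 198.51.100.9 for 5 days (2 root failures) and 192.0.2.33 for 8 days (no identification string), while 192.0.2.20 stays unblocked because 3 failures as magnet is one short of the threshold. That last case is the one to look at when tuning the third policy for your own users.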

Once the policies and settings have been done, save and exit the file.

Add the SSHD chain to your iptables firewall setup :-

#iptables -N SSHD

#/etc/init.d/iptables save

Add a jump to the SSHD chain with something like :-

# iptables -A INPUT -p tcp -m tcp --dport 22 -j SSHD

OR

# iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD

-A appends the jump at the end of INPUT, so if an earlier INPUT rule already accepts port 22 the SSHD chain is never consulted and nothing gets blocked; -I inserts it at the top, where it is evaluated first. Check the rule order with iptables -L INPUT -n --line-numbers, and run the iptables save again after adding the jump, since the save above was done before it existed and would not restore it on reboot.



copy sshdfilter.pl to /usr/sbin/sshdfilter, or maybe /usr/local/sbin/sshdfilter :-

#cp source/sshdfilter.pl /usr/sbin/sshdfilter

Copy the man pages sshdfilter.1 and sshdfilterrc.5 to /usr/share/man/man{1,5} respectively :-

#cp man/sshdfilter.1 /usr/share/man/man1/

#cp man/sshdfilterrc.5 /usr/share/man/man5/



Then copy the sshdfilter file to /etc/init.d/sshdfilter :-

#cp etc/init.d/sshdfilter /etc/init.d/


Then copy the distribution-specific sshd init script to /etc/init.d/sshd; this replacement starts sshd through sshdfilter instead of directly :-

#cp etc/init.d/sshd.rhFC30 /etc/init.d/sshd

(Before doing the above step, please ensure you take a backup of the original sshd file, for example to /etc/init.d/sshd.orig, so you can restore it if sshdfilter does not start.)

Then :-

#/etc/init.d/sshdfilter start

#/etc/init.d/sshd restart

To confirm that sshdfilter is running :-

# ps aux | grep ssh

/usr/bin/perl /usr/sbin/sshdfilter /usr/sbin/sshd -e -D

You should see output like the above: the sshdfilter process, with sshd running under it with the -e and -D options (-e sends the log output to stderr, where sshdfilter reads it, and -D keeps sshd in the foreground so sshdfilter stays its parent).

If you see that output, the installation is complete. You can now test it with a few deliberately failed logins from another host. Do not test from the address you administer the server from: with the root policy above, two failed attempts block that address for 5 days. If you do lock yourself out, list the SSHD chain with iptables at the console and delete the entry using the firewalldel rule form from /etc/sshdfilterrc.

You can check the logs in

#tail -f /var/log/secure

OR

#tail -f /var/log/messages


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We hope this tutorial was helpful to you; we would like to have some feedback from you. Please feel free to mail your suggestions or queries to sos[AT]magnettechnologies[dot]com.


Thank You

Magnet Systems Team



