OpenSuSE 9.2
by Dougie Lawson - Mar 5th 2006 03:12:24
I've been sick of seeing this crud in my logs on my OpenSuSE system (it's
an old P133 system).
So to install it I had to make the following changes:
1. Update /etc/rc.d/sshd with the supplied sshd.suR10rc1 version.
2. Update /etc/sysconfig/SuSEfirewall2 to set
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
3. Update /etc/sysconfig/scripts/SuSEfirewall2-custom with
    fw_custom_before_port_handling() {
        # these rules will be loaded after the anti-spoofing and icmp handling
        # and after the input has been redirected to the input_XXX and
        # forward_XXX chains and some basic chain-specific anti-circumvention
        # rules have been set,
        # but before any IP protocol or TCP/UDP port allow/protection rules
        # will be set.
        # You can use this hook to allow/deny certain IP protocols or TCP/UDP
        # ports before the SuSEfirewall2 generated rules are hit.
        # dedicated chain that sshdfilter fills with its blocking rules
        iptables -N SSHD
        # send all inbound ssh traffic through that chain first
        iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD
        true
    }
4. I don't have Logwatch installed.
I'm now just waiting for the next attempt from an ssh1-compromised machine.
Actually...I'm REAL suspicious of your sshdfilter program
by Dave - Nov 8th 2005 11:36:45
In hindsight...I was wondering why all my iptables rules for my existing
chain got deleted as soon as I ran the sshdfilter program for the first
time. Is there a reasonable explanation for that? Maybe I shouldn't have
modified the sshdfilter program by replacing all instances of the chain
name 'SSHD' with the name of the chain I had in place before. It's still
peculiar how all the rules associated with that chain got deleted.
Re: Actually...I'm REAL suspicious too
by Greg - Nov 14th 2005 05:46:20
Hardly surprising, sshdfilter clears the SSHD chain of rules whenever it
starts, to stop the rules going stale in the long term. You have created
your problem by blindly changing the sshdfilter source code.
> In hindsight...I was wondering why all
> my iptables rules for my existing chain
> got deleted as soon as I ran the
> sshdfilter program for the first time.
> Is there a reasonable explanation for
> that? Maybe I shouldn't have modified
> the sshdfilter program by replacing all
> instances of the chain name 'SSHD' with
> the name of the chain I had in place
> before. It's still peculiar how all the
> rules associated with that chain got
> deleted.
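As an added example (not sshdfilter's own code, and not from any poster in this thread), the following Python sketch mimics the behaviour the thread describes: it counts failed logins per source in sshd log lines and emits the iptables commands for the dedicated SSHD chain that the SuSEfirewall2 hook above creates, flushing that chain first exactly as Greg says sshdfilter does at startup, which is why the chain must not be shared with other rules. The log format is OpenSSH's standard "Failed password" message; the threshold of three failures and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Added example, not sshdfilter's own code: count failed sshd logins per
# source and emit the iptables commands for the dedicated SSHD chain.
# Matches OpenSSH's standard "Failed password ..." log message.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
THRESHOLD = 3  # assumption: block a source after this many failures

# Constructed sample log lines (not from the original thread).
SAMPLE_LOG = """\
Mar  5 03:01:11 p133 sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 41222 ssh2
Mar  5 03:01:14 p133 sshd[4121]: Failed password for invalid user test from 198.51.100.7 port 41230 ssh2
Mar  5 03:01:17 p133 sshd[4125]: Failed password for root from 198.51.100.7 port 41241 ssh2
Mar  5 03:02:02 p133 sshd[4130]: Accepted publickey for dougie from 192.0.2.10 port 50101 ssh2
Mar  5 03:02:40 p133 sshd[4133]: Failed password for dougie from 192.0.2.10 port 50110 ssh2
"""


def failures_by_source(log_text):
    """Count failed password attempts per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def sshd_chain_rules(counts, threshold=THRESHOLD, chain="SSHD"):
    """Return the iptables commands that rebuild the blocking chain.

    The chain is flushed first, as sshdfilter does at startup so that old
    blocks do not go stale; that is also why the chain must be dedicated:
    anything else sharing it is wiped too.  Nothing is executed here.
    """
    rules = [f"iptables -F {chain}"]
    for ip, failures in sorted(counts.items()):
        if failures >= threshold:
            rules.append(f"iptables -A {chain} -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    for cmd in sshd_chain_rules(failures_by_source(SAMPLE_LOG)):
        print(cmd)
```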
Re: Actually...I'm REAL suspicious too
by Dave - Nov 16th 2005 13:16:06
> Hardly surprising, sshdfilter clears the
> SSHD chain of rules whenever it starts,
> to stop the rules going stale in the
> long term. You have created your problem
> by blindly changing the sshdfilter
> source code.
>
> % In hindsight...I was wondering why all
> % my iptables rules for my existing chain
> % got deleted as soon as I ran the
> % sshdfilter program for the first time.
> % Is there a reasonable explanation for
> % that? Maybe I shouldn't have modified
> % the sshdfilter program by replacing all
> % instances of the chain name 'SSHD' with
> % the name of the chain I had in place
> % before. It's still peculiar how all the
> % rules associated with that chain got
> % deleted.
Yeah, that's understandable. But, ever since I tried using the sshdfilter
program, I have been having syslog problems. Syslog occasionally stops
logging. I have to restart syslog to get the logging going again. That is
something that NEVER happened before I tried using sshdfilter. Do you have
an explanation for that?
Re: Actually...I'm REAL suspicious too
by Greg - Nov 17th 2005 12:00:02
Are you still using sshdfilter, and which version? I assume you aren't. In
which case I'd suspect the sshd startup script is still running sshdfilter
instead of sshd. If you have uninstalled all trace of sshdfilter by undoing
all steps in the INSTALL file, and your logging is still going missing,
then sshdfilter can't be the reason.
> Yeah, that's understandable. But, ever
> since I tried using the sshdfilter
> program, I have been having syslog
> problems. Syslog occasionally stops
> logging. I have to restart syslog to
> get the logging going again. That is
> something that NEVER happened before I
> tried using sshdfilter. Do you have an
> explanation for that?
I can't tell if sshdfilter is working...
by Dave - Nov 8th 2005 11:12:13
In my iptables -vL output, I see packets being processed for the SSHD rule,
but I'm not seeing any logging activity in /var/log/secure.
[root@<hostname> ~]# iptables -vL
 1560  182K SSHD       tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
Chain SSHD (1 references)
 pkts bytes target     prot opt in     out     source               destination
-------------------------------------------------------
Actually, now I just tried to disable sshdfilter and re-enable the normal
sshd activity, and now the sshd logging is broken. I'm suspicious of your
sshdfilter program.
Re: I can't tell if sshdfilter is working...
by argan0n - Dec 23rd 2005 14:31:10
> I'm suspicious of your
> sshdfilter program.
You are a boob Dave.
The app works great.
If you don't trust it then just read the friggin code man -- sheesh.
-- argan0n