What not to do when you’ve installed sshdfilter

sshdfilter is a great tool which monitors system logs for repetitive failed login attempts and actively updates iptables to block the offending IP addresses. However, there is a slight shortfall in its design: there are no exceptions to its blocking rules, as I found this morning:
Subject: sshdfilter event for 127.0.0.1, Too many password guesses, blocking
Date: Fri, 3 Mar 2006 11:04:02 +0000 (GMT)
From: [email protected] (root)

IP 127.0.0.1 was blocked, Too many password guesses, blocking.
Will remove block at Fri Mar 3 12:04:02 2006.

I almost cried; this one is worthy of being framed and put on the wall.
Firewalling against 127.0.0.1 is very, very bad news on a Unix system, where there is a lot of loopback activity used to run core services such as databases, X servers and so on. I had a root shell open at the time and could flush the iptables rules to get back to some kind of normality.
Thankfully, Gerry has produced a patch allowing you to configure ‘trusted’ addresses which will never be blocked in this way. Hopefully it will make it to the core sshdfilter code in the near future.
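As an added example (not sshdfilter's own code, nor Gerry's patch), here is the kind of guard the post is asking for: a small Python check that refuses to emit a block rule for loopback or for any address inside a configured trusted list. The trusted networks and the shape of the iptables rule are assumptions for illustration only.

```python
"""Guard that refuses to firewall loopback or trusted addresses."""
import ipaddress

# Constructed allowlist for this example; a real deployment would read it
# from a config file. Loopback is protected regardless of what is listed.
TRUSTED = ["127.0.0.0/8", "::1/128", "192.0.2.0/24"]


def is_trusted(ip: str, trusted=TRUSTED) -> bool:
    """True if `ip` must never be blocked: loopback, unparsable,
    or inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Refuse to act on garbage rather than feed it to iptables.
        return True
    if addr.is_loopback:
        return True
    # `addr in network` is False when the IP versions differ, so mixing
    # IPv4 and IPv6 entries in the list is safe.
    return any(addr in ipaddress.ip_network(n, strict=False) for n in trusted)


def block_rule(ip: str, trusted=TRUSTED):
    """Return the iptables argv for a DROP rule, or None if `ip` is trusted."""
    if is_trusted(ip, trusted):
        return None
    return ["iptables", "-I", "INPUT", "-s", ip,
            "-p", "tcp", "--dport", "22", "-j", "DROP"]


def handle_event(ip: str, trusted=TRUSTED) -> str:
    """Decide what to do with a 'too many password guesses' event for `ip`."""
    rule = block_rule(ip, trusted)
    if rule is None:
        return f"refusing to block trusted address {ip}"
    # subprocess.run(rule, check=True) would apply it; left out so this runs offline.
    return "would run: " + " ".join(rule)


if __name__ == "__main__":
    # The event from the post, plus a constructed external address.
    for event_ip in ("127.0.0.1", "203.0.113.5"):
        print(handle_event(event_ip))
```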
