What Not to Do When You've Installed sshdfilter
sshdfilter is a great tool which monitors system logs for repeated failed login attempts and actively updates iptables to block the offending IP addresses. However, there is a slight shortfall in its design: its blocking rules allow no exceptions at all, as I found this morning.
The Incident
Subject: sshdfilter event for 127.0.0.1, Too many password guesses, blocking
Date: Fri, 3 Mar 2006 11:04:02 +0000 (GMT)
From: root@lobstertechnology.com (root)
IP 127.0.0.1 was blocked, Too many password guesses, blocking.
Will remove block at Fri Mar 3 12:04:02 2006.
I almost cried. This one is worthy of being framed and put on the wall.
Why This Is Very Bad News
Firewalling 127.0.0.1 is very, very bad news on a Unix system, where a great deal of loopback traffic carries core services such as databases, X servers and the like; blocking the loopback address cuts those services off from their own clients.
I had a root shell open at the time and could flush the iptables rules to get back to some kind of normality.
The Solution
Thankfully, Gerry has produced a patch allowing you to configure 'trusted' addresses which will never be blocked in this way. Hopefully it will make it to the core sshdfilter code in the near future.
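To show what the missing "trusted addresses" check looks like in practice, here is an added example that is not part of this post, Gerry's patch, or the sshdfilter code itself. It assumes a constructed trusted list (127.0.0.0/8 plus the RFC 5737 documentation range 192.0.2.0/24 as a stand-in for your own management network), and it only prints the iptables command it would run, using a plain INPUT rule rather than sshdfilter's own chain. The point is the one from the incident above: consult the allow-list before a block rule is ever generated, so the loopback address can never end up in the firewall.

```shell
#!/bin/sh
# Added example: allow-list check before blocking an address (not sshdfilter's code).

# Constructed trusted list: loopback plus a documentation range standing in
# for a real management network. CIDR blocks and single addresses are accepted.
TRUSTED="127.0.0.0/8 192.0.2.0/24"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 lies inside CIDR block $2 (e.g. 127.0.0.0/8).
in_cidr() {
    ipint=$(ip_to_int "$1")
    netint=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ipint & mask )) -eq $(( netint & mask )) ]
}

# Return 0 if address $1 matches any entry in TRUSTED, else 1.
is_trusted() {
    for entry in $TRUSTED; do
        case $entry in
            */*) in_cidr "$1" "$entry" && return 0 ;;
            *)   [ "$1" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# Print the action that would be taken for an offending address.
# Only prints; a real hook would execute the command for untrusted hosts.
block_cmd() {
    if is_trusted "$1"; then
        echo "skip: $1 is trusted"
    else
        echo "iptables -I INPUT -s $1 -p tcp --dport 22 -j DROP"
    fi
}

# Constructed sample of "offenders" as a log parser might hand them over.
for offender in 127.0.0.1 192.0.2.7 203.0.113.5; do
    block_cmd "$offender"
done
```

Running the script prints a skip line for 127.0.0.1 and for the management-range address, and the block command only for 203.0.113.5. Keep the loopback entry in the list even when everything else changes; it is the one address the host can never afford to lose.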