"Fossies" - the Fresh Open Source Software Archive

Member "sshdfilter-1.5.7/INSTALL" (7 Jun 2010, 11088 Bytes) of package /linux/privat/old/sshdfilter-1.5.7.tar.gz:


*** Two ways of installing sshdfilter ***

The first thing you need to do is decide on how to install sshdfilter. There are two install routes:
Route 1) As an sshd wrapper where system scripts run sshdfilter instead of sshd. sshdfilter then runs sshd with the -eD options, giving sshdfilter direct access to sshd log messages.
Route 2) As a standalone program, reading sshd log messages via syslog and a named pipe.

Route 1)
Pros:
1. Efficient
2. Well tested
3. Clean.

Cons:
1. Requires changing system startup scripts to run sshdfilter instead of sshd. Some people are nervous about that, especially when installing sshdfilter remotely.
2. sshd and sshdfilter are tied together; restarting sshdfilter has been known to kill all logged-in sshd sessions.
3. A bug in sshd with the -eD options makes messages appear multiple times, usually in double. Setting the MaxChances options to your exact requirements will need experimentation to make the block events match the policy you had in mind. The debug=1 option helps with this.

Route 2)
Pros:
Isolated from sshd: there is no process relationship between sshd and sshdfilter.
Cons:
Reading the system logs requires more overhead: syslog must log all authpriv (or auth, depending on your system) messages at least twice (to the standard log file and to a fifo per sshdfilter), and sshdfilter must parse and identify sshd log messages among all the messages sent to the AUTHPRIV facility.
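As an added illustration of the sorting a route 2 reader has to do on the shared authpriv stream (example code written for this page, not part of sshdfilter), here is a small POSIX shell/awk script run over constructed sample syslog lines. The message forms are standard OpenSSH ones; the field positions assume the usual "Mon dd hh:mm:ss host prog[pid]:" syslog layout, and the hosts and addresses are made up.

```shell
#!/bin/sh
# Added example, not part of sshdfilter: the sorting job a standalone (route 2)
# reader has to do on everything syslog sends to authpriv. Only lines tagged by
# sshd are kept, the username and source IP of "Invalid user" and "Failed
# password" events are pulled out with awk, and per-IP totals then show the
# kind of count a MaxChances policy is applied to.
# The lines below are constructed samples in the usual syslog layout.
SAMPLE_AUTHPRIV='Jun  7 10:01:02 host sudo:  alice : TTY=pts/0 ; COMMAND=/bin/ls
Jun  7 10:01:05 host sshd[1234]: Invalid user oracle from 192.0.2.10
Jun  7 10:01:07 host su: (to root) alice on pts/0
Jun  7 10:01:09 host sshd[1235]: Failed password for root from 192.0.2.11 port 4022 ssh2
Jun  7 10:01:11 host sshd[1236]: Accepted publickey for alice from 198.51.100.5 port 4100 ssh2
Jun  7 10:01:13 host sshd[1237]: Failed password for invalid user admin from 192.0.2.10 port 4101 ssh2'

# Keep only lines whose syslog program tag (field 5) is sshd[pid]: (stdin -> stdout).
sshd_only() {
    awk '$5 ~ /^sshd\[[0-9]+]:$/'
}

# Reduce sshd lines to "event user ip" records; anything else (accepted
# logins, session messages) is dropped. The more specific "invalid user"
# form must be tried before the generic "Failed password for" one.
sshd_events() {
    sshd_only | awk '
        /: Invalid user /                     { print "invalid", $8,  $10; next }
        /: Failed password for invalid user / { print "badpass", $11, $13; next }
        /: Failed password for /              { print "badpass", $9,  $11; next }'
}

# Count events per source IP, sorted by IP.
failures_per_ip() {
    sshd_events | awk '{ n[$3]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Print the IPs that have used up $1 chances.
ips_over_limit() {
    failures_per_ip | awk -v max="$1" '$2 >= max { print $1 }'
}

# Demonstration on the constructed sample; in a real route 2 setup the input
# would be the fifo syslog writes to, e.g. cat /var/run/sshd.fifo.
printf '%s\n' "$SAMPLE_AUTHPRIV" | ips_over_limit 2
```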
*** General instructions ***

These install instructions start and end with the elements common to both routes.

_Install instructions for sshdfilter_

0. Beta-quality install scripts have been written: install_aswrapper.pl and install_standalone.pl.
They automate most of the tasks here, so they are well worth trying. They do not attempt firewall configuration.

1. Create an initial configuration file:
# cp etc/sshdfilterrc /etc/sshdfilterrc

etc/sshdfilterrc is a simple configuration file that contains some fairly strict defaults. These are similar to the defaults used by sshdfilter 1.4 and earlier, except that an illegal user doesn't instantly lead to that IP being blocked. There is a selection of commented-out examples of what can be done with sshdfilter policies: white/black listed IPs, and different numbers of password guesses and block times for different usernames, all specified by regular expressions.

Starting with sshdfilter 1.5.6, the sample configuration file includes the most common regular expressions to identify sshd messages from most distributions. For those interested, the regular expressions are in patterns/<your distro>.partconf. A few are supplied, and most distributions have been found to be based on these. If yours isn't listed, you can look at your old sshd log messages and identify what patterns you need. Email me if you need help. The patterns match to:
 rh7390 - RedHat 7.3, RedHat 9.0, Fedora Core 2.0 or CentOS 4.3
 rhFC30 - RedHat Fedora Core 3.0, Fedora Core 4.0, Red Hat Enterprise Linux ES release 4, or CentOS 3.x
  deb31 - Debian 3 to Debian 5
su10rc1 - SuSe 10.0 RC 1, Gentoo and Slackware
  dbear - Dropbear, a lightweight sshd daemon (these patterns are not included by default)

Starting with sshdfilter 1.5.6, support for multi-line patterns has been implemented. Example patterns (in the Invalid and NoId sub-sections) are included, but I don't have any example sshd output to work from.

2. Edit /etc/sshdfilterrc to suit your needs. Each section deals either with general options to get sshdfilter working (the OPTIONS section and the SSHDLOGS section) or with policy decisions: whether to block connections, and how many chances to give an IP address before blocking it. It contains defaults that will probably work for your system but is well worth reading through. See the configuration file for details.

3.
Add the SSHD chain to your iptables firewall setup, typically (/etc/sysconfig/iptables style):
:SSHD - [0:0]
or bash:
$ iptables -N SSHD

Add a jump-to-SSHD rule with something like (/etc/sysconfig/iptables style):
-A INPUT -p tcp -m tcp --dport 22 -j SSHD
or bash:
$ iptables -I INPUT -p tcp -m tcp --dport 22 -j SSHD

This is only an example; I've no idea how you set up your iptables. Generally you'll have an existing line that ACCEPTs ssh (port 22), and the above should go on the line before it. You can look at the current firewall setup with:
iptables -L -vn | less -S
We are only really interested in the INPUT chain.

Read INSTALL.ipfw for instructions on installing sshdfilter with ipfw support.

4.
Exceptions to the sshdfilter blocking rules can be made with iptables or with the white list in the configuration file. White lists are useful if you have trusted IP addresses that will never attack your system. The iptables rule must come before the jump to SSHD, otherwise a blocked address is dropped before the exception is reached. A typical example for the network would be (sysconfig style):
-I INPUT -p tcp -m tcp -s --dport 22 -j ACCEPT
or bash:
iptables -I INPUT -p tcp -m tcp -s --dport 22 -j ACCEPT
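Steps 3 and 4 as an added, runnable script (example code written for this page, not part of sshdfilter, and not a claim about how your firewall is laid out): it finds the existing ACCEPT rule for the port in an `iptables -L INPUT -n --line-numbers` listing, then emits the chain creation, the jump inserted just before that rule, and the trusted-network bypasses ahead of it. Port and chain name are parameters so the SSHD24-for-port-24 case from step 7 is covered too; the listing, the network 192.0.2.0/24 and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of sshdfilter: generate (and optionally apply) the
# iptables rules of steps 3 and 4 for one sshd port, placing the jump to the
# filter chain directly before the rule that already ACCEPTs that port. The
# chain name is a parameter, so a second instance can use e.g. SSHD24 for port 24.
# Constructed sample in the layout of `iptables -L INPUT -n --line-numbers`:
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Read a listing on stdin; print the number of the first single-port ACCEPT
# rule for tcp dport $1, or nothing if there is none (multiport is not handled).
accept_rule_index() {
    awk -v port="$1" '
        $2 == "ACCEPT" && $3 == "tcp" && $0 ~ ("dpt:" port "($|[^0-9])") { print $1; exit }'
}

# Print the commands for port $1 and chain $2; $3 is the INPUT position for
# the jump (empty = append at the end). Further arguments are trusted source
# networks that bypass sshdfilter: inserted at the top of INPUT, they stay
# ahead of the jump whatever its position.
sshd_chain_commands() {
    port=$1; chain=$2; index=$3; shift 3
    echo "iptables -N $chain 2>/dev/null || true"   # no-op if the chain exists
    if [ -n "$index" ]; then
        echo "iptables -I INPUT $index -p tcp -m tcp --dport $port -j $chain"
    else
        echo "iptables -A INPUT -p tcp -m tcp --dport $port -j $chain"
    fi
    for net in "$@"; do
        echo "iptables -I INPUT -p tcp -m tcp -s $net --dport $port -j ACCEPT"
    done
}

# Read the live INPUT chain and execute the generated commands (needs root).
apply_sshd_chain() {
    port=$1; chain=$2; shift 2
    idx=$(iptables -L INPUT -n --line-numbers | accept_rule_index "$port")
    sshd_chain_commands "$port" "$chain" "$idx" "$@" | sh -e
}

# Without arguments: dry run on the sample listing, prints the commands only.
# `sh thisfile.sh apply 22 SSHD 192.0.2.0/24` changes the live firewall.
if [ "${1:-}" = apply ]; then
    shift; apply_sshd_chain "$@"
else
    sshd_chain_commands 22 SSHD "$(printf '%s\n' "$SAMPLE_LISTING" | accept_rule_index 22)" 192.0.2.0/24
fi
```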
5.
Copy sshdfilter.pl to /usr/sbin/sshdfilter, or maybe /usr/local/sbin/sshdfilter, with:
cp source/sshdfilter.pl /usr/sbin/sshdfilter

6.
Copy the man pages sshdfilter.1 and sshdfilterrc.5 to /usr/share/man/man{1,5} respectively.

7.
If you need to run multiple instances of sshdfilter, say on multiple ports, it might be necessary to use multiple sshdfilterrc configuration files. If the environment variable SSHDFILTERRC exists, the file it names is read at startup instead of /etc/sshdfilterrc.

This means you can start sshdfilter with different options, such as the port number to block, and have it block IPs independently from other sshdfilter instances. Note the jump-to-SSHD-chain rule will need to be duplicated for each port; if required you can also use a different chain, such as SSHD24 for tcp port 24.

A line such as:
export SSHDFILTERRC=/etc/sshdfilterrc.p24
in the startup file will achieve this.


Route 1) Steps specific to installing sshdfilter as an sshd wrapper

8a.
Modify the startup script /etc/init.d/sshd to run sshdfilter instead of sshd; examples are in etc/init.d/. Basically, any reference to running the sshd executable should be replaced by sshdfilter.

8b.
Restart sshd via sshdfilter, normally with:
$ /etc/init.d/sshd restart
and check the process tree with:
$ pstree -pul | less -S
(or on some systems $ pstree -pula | less -Sr)
(use the cursor keys to move about, q quits)
This should show sshdfilter with two children, sshdfilter and sshd. Now ssh logins will appear as children of this sshd, which is how sshd has always worked. Looking at your message logs will show sshdfilter has started.


Route 2) Steps specific to installing sshdfilter standalone.

8a. As root:
Create a named fifo for communication from syslog to sshdfilter:
# mkfifo /var/run/sshd.fifo
# chmod 600 /var/run/sshd.fifo

8b. Edit /etc/syslog.conf and add a line that says:
authpriv.*                                |/var/run/sshd.fifo
or
auth.*                                    |/var/run/sshd.fifo
or for OSX or BSD
auth.*                                    /var/run/sshd.fifo

Notice there is already an authpriv entry; syslog will write to both. If you are installing multiple sshdfilters, each sshdfilter will need its own fifo, as fifos don't share their output between multiple readers.

You will need to change the logsource option in the OPTIONS section of /etc/sshdfilterrc. It defaults to install route 1; for route 2 it should read:
logsource='/var/run/sshd.fifo'

8c. Create/copy+edit an sshdfilter startup file. etc/init.d/sshdfilter is a generic SysV startup file for various distributions:
# cp etc/init.d/sshdfilter /etc/init.d/sshdfilter
OSX uses a different startup method, so much so that you would be better off using the OSX port of sshdfilter.

Then add it to the startup list with:
# chkconfig --add sshdfilter

If you don't have chkconfig, you can manually add a symbolic link with:
# cd /etc/rc<your run level>.d
# ln -s /etc/init.d/sshdfilter S97sshdfilter
where <your run level> is the number in the result of:
# grep :initdefault: /etc/inittab
Note some distros no longer have /etc/inittab.

If your system isn't SysV (some Slackware?), you can find where your sshd is run with:
# grep -r sshd /etc/rc.d
and place:
/usr/sbin/sshdfilter
after the reference to sshd.

8d.
Start sshdfilter, normally with:
$ /etc/init.d/sshdfilter start
and check the process tree with:
$ pstree -pul | less -S
(use the cursor keys to move about, q quits)
This should show sshdfilter with no children. Looking at your message logs will show sshdfilter has started.
*** Continuing generic install instructions ***

9.
 (!!! LogWatch script not yet written/updated for sshdfilter 1.5 !!!)
If your system uses LogWatch, you can find parsing scripts in etc/log.d/. Note they are set up for a RedHat system that logs sshd (and so sshdfilter) output to /var/log/secure; your distro probably sends the output to another file, such as /var/log/auth.log for Debian. You need a recent (7.x) version of LogWatch to use these LogWatch scripts. sshd logging works as it used to: sshdfilter always logs sshd output regardless of whether it triggers sshdfilter to do some action. The LogWatch scripts consist of two files; you will also need to add 'sshdfilt' to /etc/log.d/conf/services/secure.conf (or similar, try 'grep -r "sshd " /etc/log.d/conf' to find mentions of sshd, sshdfilt should be there too), to tell the other scripts about sshdfilter. The line in secure.conf is normally:
$ignore_services = sshd Pluto stunnel proftpd saslauthd imapd
and needs to be:
$ignore_services = sshd sshdfilt Pluto stunnel proftpd saslauthd imapd
But what it needs to be for you depends on your distribution.

10.
Post Install:
Inform the users of what happens if they try too many password guesses, or type their login name wrongly.

For yourself, you could install webmin and webmin-iptables for non-ssh remote access, so that if you lock yourself out of your machine you have another route in. Of course, this opens up another way into your system for others, so maybe you'd be better off running another sshd on an obscure port.

11.
Testing of sshdfilter can be done by ssh'ing from the same machine. Actually locking yourself out is not necessary but is possible. Simply:
ssh somenoneexistantuser@localhost
should lead to sshdfilter messages in the logs stating that an illegal user tried to log in and how many chances they have before being blocked. Once that IP runs out of chances, an iptables DROP rule is added to the SSHD chain. If you have direct access to the machine, or have ssh'ed in from somewhere else, you will then be able to:
$ iptables -F SSHD
or restart sshdfilter (which will flush the chain and its state table).
Other block-triggering commands to try are:
$ ssh existinguser@localhost
and try this a few times with the wrong password, looking at the logs each time.
And:
$ telnet localhost 22
then press control and ], exit with q. This should trigger the 'No ssh id' message.


Last word.
That's all, now you can enjoy a much better protected ssh and much less junk in your logs, making them readable again.