Posted on 16-01-2008
Filed Under (Security) by Suhail Thakur

Introduction – SSHDFilter is open source tool by which we can manage SSH service effectively and we can secure our system from brute force attack. This tools will block brute force attack by using IPtables.

You can downaload the sshdfilter from the following location http://www.csc.liv.ac.uk/~greg/sshdfilter/ and then untar the tar.gz file…

#wget -c http://www.csc.liv.ac.uk/~greg/sshdfilter-1.5.5.tar.gz
#tar xvzf sshdfilter-1.5.5.tar.gz
#cd sshdfilter-1.5.5

1] Decide which linux distribution .partconf file you need to use –

rh7390 – RedHat 7.3, RedHat 9.0, Fedora Core 2.0 or CentOS 4.3
rhFC30 – RedHat Fedora Core 3.0, Fedora Core 4.0, Red Hat Enterprise Linux ES release 4, or CentOS 3.x
deb31 – Debian 3.1 (sarge) or Debian (sid, but see README.debian)
su10rc1 – SuSe 10.0 RC 1, Gentoo and Slackware
dbear – Dropbear, a light weight sshd daemon

(Our distribution was Fedora 5 so we selected rhFC30)

#cat etc/sshdfilterrc patterns/rhFC30.partconf > /etc/sshdfilterrc

2] Edit /etc/sshdfilterrc to suit your needs –

make sure that below two rules are uncommented, These are the blocking and unblocking rules.

#vi /etc/sshdfilterrc

firewalladd=’iptables -A $chain -p tcp -s $ip –dport 22 -j DROP’
firewalldel=’iptables -D $chain -p tcp -s $ip –dport 22 -j DROP’

Set the CHAIN –
If you would like to set a mailer you can set it from here:
#mail=’mail -s \”sshdfilter event for $ip, $event\” greg\@abatis.flint’
Set the sshd path, from where the sshd daemon is or will be running :-
Now comes the main part of setting the user Policy : this will define the number of attempts that should be allowed and what is to be done after the number of failures, These are the policies through which we can block the unwanted ssh attacks –

(At present we have set the following policies )

The First Policy “4,3d=INVALID” defines , if any person trying to ssh to the server with an invalid username, after 4 attempts , his name will get inserted into the iptables SSHD chain and he will get blocked for 3 days.
The Second Policy ” 9,3d=’^root$’ ” defines, if any peroson tries to ssh the server with root as the user, after 2 unsuccessfull attempts, his name will get inserted into iptables and he will be blocked for 5 days.
The Third Policy ” 4,3d=’^magnet$’ ” is similiar to the second one, If any person, trying to ssh the server with magnet as the user, after 4 unsuccessfull attempts, his name will get inserted into iptables and he will be blocked for 3 days. Please note, Here magnet is one of the users on the server, You can mention the users of your server.
The Fourth Policy ” 0,8d=NOID ” defines, Catch and block all No ssh id events, instant block for 8 days.

You can add more policies to the policy section, the specifications are mentioned in the file.
Once the policies and settings have been done, save and exit the file.

3] Add the SSHD chain to your iptables firewall setup –

#iptables -N SSHD

#/etc/init.d/iptables save

4] Add a jump to SSHD rule with something like –

# iptables -A INPUT -p tcp -m tcp –dport 22 -j SSHD

copy sshdfilter.pl to /usr/sbin/sshdfilter, or maybe /usr/local/sbin/sshdfilter

#cp source/sshdfilter.pl /usr/sbin/sshdfilter

Copy the man pages sshdfilter.1 and sshdfilterrc.5 to /usr/share/man/man{1,5} respectively –

#cp man/sshdfilter.1 /usr/share/man/man1/
#cp man/sshdfilterrc.5 /usr/share/man/man5/

Then copy the sshdfilter and sshd file to /etc/init.d/sshdfilter and start services…
(Before doing the above step, Please ensure to take a backupof the original sshd file)

#cp etc/init.d/sshdfilter /etc/init.d/
#cp etc/init.d/sshd.rhFC30 /etc/init.d/sshd

#/etc/init.d/sshdfilter start
#/etc/init.d/sshd restart

5] To confirm that sshdfilter is running –

# ps -aux | grep ssh
/usr/bin/perl /usr/sbin/sshdfilter
/usr/sbin/sshd -e -D

You should be seeing some output like the above one, that is the sshdfilter process and the sshd should be running with the -e and -D options.

If you see the above outputs, the installation is complete and you are done with SSHD, you can now try doing some ssh attacks to your server.

6] You can check the logs in –

#tail -f /var/log/secure OR
#tail -f /var/log/messages


Hope this tutorial was helpful to you, we would like to have some feedbacks from you.
Please feel free to mail.

Thank You,
Magnet Systems Team

Similar Posts:

Be Sociable, Share!
(2) Comments   


fatiha on 8 March, 2008 at 1:12 am #

Thank you very much for this Tutorial, it is really interesting 🙂

Arun Bagul on 17 August, 2009 at 1:10 pm #

Hi! Download

SSHdfilter from following URL ~


Post a Comment

arunbagul's photos More of arunbagul's photos
Get Adobe Flash player