What not to do when you’ve installed sshdfilter
sshdfilter is a great tool which monitors system logs for repetitive failed login attempts and actively updates iptables to block offending IP addresses. However, there is a slight shortfall in its design, as there are no exceptions to its blocking rules, as I found this morning:
Subject: sshdfilter event for 127.0.0.1, Too many password guesses, blocking
Date: Fri, 3 Mar 2006 11:04:02 +0000 (GMT)
From: root@lobstertechnology.com (root)
IP 127.0.0.1 was blocked, Too many password guesses, blocking.
Will remove block at Fri Mar 3 12:04:02 2006.
I almost cried; this one is worthy of being framed and put on the wall.
Firewalling against 127.0.0.1 is very, very bad news on a Unix system where there is a lot of loopback activity to run core services such as databases, X servers etc. I had a root shell open at the time and could flush the iptables rules to get back to some kind of normality.
Thankfully, Gerry has produced a patch allowing you to configure ‘trusted’ addresses which will never be blocked in this way. Hopefully it will make it to the core sshdfilter code in the near future.
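A sketch of the "trusted addresses" idea, as an added example: this is not Gerry's patch or sshdfilter's own code. The allowlist, the threshold, the function names and the log lines are all assumptions constructed for illustration. It goes slightly beyond the 127.0.0.1 case above by also covering IPv6 loopback and IPv4-mapped addresses.

```python
import ipaddress
import re
from collections import Counter

# Assumed allowlist: both loopback ranges plus a constructed admin subnet.
TRUSTED = [ipaddress.ip_network(n)
           for n in ("127.0.0.0/8", "::1/128", "192.0.2.0/28")]
MAX_FAILURES = 3  # assumed threshold for this example

FAILED = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Constructed sample sshd log lines (not real traffic).
SAMPLE_LOG = [
    "Mar  3 11:03:55 host sshd[4242]: Failed password for root from 127.0.0.1 port 40022 ssh2",
    "Mar  3 11:03:57 host sshd[4242]: Failed password for root from 127.0.0.1 port 40022 ssh2",
    "Mar  3 11:03:59 host sshd[4243]: Failed password for root from ::ffff:127.0.0.1 port 40023 ssh2",
    "Mar  3 11:04:10 host sshd[4250]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  3 11:04:12 host sshd[4250]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  3 11:04:14 host sshd[4251]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Mar  3 11:04:20 host sshd[4260]: Failed password for root from 198.51.100.9 port 33000 ssh2",
    "Mar  3 11:04:30 host sshd[4270]: Accepted password for mike from 192.0.2.5 port 50000 ssh2",
]

def normalize(addr):
    """Parse addr; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    return getattr(ip, "ipv4_mapped", None) or ip

def is_trusted(addr):
    """True if addr falls inside any allowlisted network."""
    ip = normalize(addr)
    return any(ip in net for net in TRUSTED)

def addresses_to_block(log_lines):
    """Return offenders over the threshold, never a trusted address."""
    failures = Counter()
    for line in log_lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            failures[str(normalize(m.group(1)))] += 1
        except ValueError:
            continue  # source field was not an IP literal
    return sorted(a for a, n in failures.items()
                  if n >= MAX_FAILURES and not is_trusted(a))
```

The allowlist check runs after counting, so failed logins from loopback are still tallied and can be reported even though they never turn into a firewall rule.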
About this entry
You’re currently reading “What not to do when you’ve installed sshdfilter,” an entry on Weblog of Michael Cutler
- Published:
- 13th July 2006 / 11:07am