Lab 01 - VMware Tools, Startup Scripts, SSHDFilter

How many hardware engineers does it take to change a lightbulb?
None: "We'll fix it in software."

How many software engineers does it take to change a lightbulb?
None: "We'll document it in the manual."

How many tech writers does it take to change a lightbulb?
None: "The user can work it out."

Overview

In this lab you will be performing the following tasks:

  1. Removing the CDROM from sources.list
  2. Installing the VMware Tools
    1. Install Build Packages
    2. Mounting VMware Tools
  3. Installing and using VIM
  4. Editing your groups file to add users to groups
  5. Editing your password file to change information
  6. Insult your users who mistype passwords using sudo
  7. Installing SSHDFilter and initial IPTables configuration
    1. Step 1 of IPTables
    2. Step 2 of IPTables

Grading

This lab is due at 9:30am, Tuesday January 29th, 2008. The grading criteria for this lab are the following:

  1. You successfully install VMware tools - You can tell when VMware tools are NOT installed by seeing a warning in the vmware console: "You do not have VMware Tools installed" in the lower-left corner of the console
  2. You successfully install full 'vim' and you are able to turn on syntax highlighting
  3. All group members are a part of group admin (not including me)
  4. My password has been set to "!" using vipw
  5. I am insulted when I attempt to use sudo and mistype my (nonexistent) password
  6. You successfully install and configure SSHDFilter
    • The /etc/init.d/ssh script is correctly modified to spawn SSHDFilter
    • Valid users are allowed 3 password attempts before their IP address is blocked
    • Invalid users are blocked immediately
    • The block is removed after 12 hours

Commands Covered

  • uname (man page) - Prints system information
  • apt-get (man page) - Ubuntu Package manager. Actually comes from Debian (since Ubuntu is built on Debian)
  • mount (man page) - Utility to mount filesystems to directories
  • umount (man page) - Utility to un-mount filesystems from directories
  • tar (man page) - Tape ARchive, a simple tool to aggregate files into a single file
  • dpkg (man page) - The actual Debian/Ubuntu package install program (the equivalent of rpm on RedHat/Fedora) that apt-get calls when packages are to be installed
  • wget (man page) - Downloads a URL over HTTP/HTTPS/FTP and saves the response body (an HTML page, a tarball, whatever the server returns) to a file in the working directory
  • modprobe (man page) - Loads a kernel module by name into the running kernel, along with any modules it depends on (modprobe -r removes one)
  • rmmod (man page) - Removes a driver from the kernel (only if the driver is not in use)
  • depmod (man page) - Scans kernel modules and generates a dependency tree
  • vigr (man page) - Safely edits your groups file and checks for syntax
  • vipw (man page) - Safely edits your passwd file and checks for syntax
  • visudo (man page) - Safely edits your sudoers file and checks for syntax

Removing the CDROM from sources.list

This one is pretty simple to do. Before you edit, here are some quick tips about using VI (if you wanna use it):

  • There are two modes in vi - Normal mode and Insert mode. You enter Insert mode by hitting either i or the Insert key. You go back to Normal mode by hitting the Esc key.
  • If you want to save, you must first be in Normal mode and type :w
  • If you want to quit, you must first be in Normal mode and type :q
  • Save-and-Quit - :wq
  • Quit-without-Save - :q!

Now simply edit the following file with your editor of choice and comment out the following line:

chris@coolname:~$ sudo vim /etc/apt/sources.list

...

# deb cdrom:[Ubuntu-Server 6.10 _Edgy Eft_ - Release i386 (20061025.1)]/ edgy main restricted

This will prevent your machine from looking to the CDROM for packages to be installed. This way only sources online will be used.


Installing the VMware Tools

Installing the VMware tools will significantly improve performance on your machine. You may not notice it right away, but as the entire class installs the toolset, the additive effect of improved performance on all machines will hopefully become apparent. Installing the tools requires a kernel module be built using gcc and the Linux kernel headers. Once we have those installed, we must then build and install the tools. There is also a step involving mount.

Install Build Packages

The VMware toolset requires two packages be installed:

  • build-essential
  • linux-headers-$(uname -r)

Notice the $(uname -r) portion of the second package. That is actually an embedded command. Let's first run uname by itself to see what it does:

chris@coolname:/mnt$ uname
Linux

Well that's totally uninteresting and useless. Let's add the -a parameter and see what we get:

chris@coolname:/mnt$ uname -a
Linux coolname 2.6.17-10-server #2 SMP Tue Dec 5 22:29:32 UTC 2006 i686 GNU/Linux

Booyeah! That's much better. Now we have a lot of information about the machine, which may or may not be useful to us: the kernel name (Linux), the hostname (coolname), the release of the kernel that is currently running (2.6.17-10-server), its build version and date, and the architecture (i686). Let's see what we get with uname -r:

chris@coolname:/mnt$ uname -r
2.6.17-10-server

Now that's interesting. We get back only the release string of the kernel that is currently running (not merely installed: you can have several kernels installed, and the headers must match the one you actually booted). Why do we use this in the linux-headers package name? Because every kernel release has different headers, and to build modules for a kernel you need the matching headers. Let's install the two packages:

chris@coolname:/mnt$ sudo apt-get install build-essential linux-headers-$(uname -r)
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  binutils cpp cpp-4.1 dpkg-dev g++ g++-4.1 gcc gcc-4.1 libc6-dev
  libstdc++6-4.1-dev linux-headers-2.6.17-10 linux-libc-dev make patch
Suggested packages:
  binutils-doc cpp-doc gcc-4.1-locales debian-keyring gcc-4.1-doc lib64stdc++6
  manpages-dev autoconf automake1.9 libtool flex bison gdb gcc-doc
  libc6-dev-amd64 lib64gcc1 glibc-doc libstdc++6-4.1-doc make-doc-non-dfsg
  diff-doc
Recommended packages:
  libmudflap0-dev
The following NEW packages will be installed:
  binutils build-essential cpp cpp-4.1 dpkg-dev g++ g++-4.1 gcc gcc-4.1
  libc6-dev libstdc++6-4.1-dev linux-headers-2.6.17-10
  linux-headers-2.6.17-10-server linux-libc-dev make patch
0 upgraded, 16 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.1MB/20.9MB of archives.
After unpacking 131MB of additional disk space will be used.
Do you want to continue [Y/n]? y

...

Damn, that's a crapton of packages that are considered 'essential' for building programs. But now we're in a good spot to install the VMware toolset!

Mounting VMware Tools

VMware gives you the packages for the VMware tools in a very interesting way. Instead of downloading the files yourself, you use a menu option in your vmware-server-console to attach a temporary CDROM image to the VM, which you can then mount on your filesystem to access the files. Let's get started! Select the VM -> Install VMware Tools... option and then click Install.

Now at this point, you can mount the CDROM to a directory. Let's give it a shot:

chris@coolname:~$ cd /mnt
chris@coolname:/mnt$ sudo mkdir cdrom
chris@coolname:/mnt$ sudo mount /dev/cdrom cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only

Notice the message at the end: /dev/cdrom is write-protected, which is normal for any CDROM device. Now let's enter the directory on which we just mounted the CDROM to see what's there:

chris@coolname:/mnt$ cd cdrom
chris@coolname:/mnt/cdrom$ ls -l
total 33608
-r--r--r-- 1 root root 17400872 2006-08-09 16:13 VMwareTools-1.0.1-29996.i386.rpm
-r--r--r-- 1 root root 17012548 2006-08-09 16:11 VMwareTools-1.0.1-29996.tar.gz

We have two files available to us. The one we want is VMwareTools-1.0.1-29996.tar.gz. To open it we use tar. Notice that the file also has a .gz extension: it is compressed with gzip in addition to being aggregated into a tar archive. Most of us are used to zip files, which aggregate and compress in one step. tar by itself only aggregates, but it can run gzip/gunzip for you on the fly (the z option), which makes our lives easier. Let's first look at the contents of the file:

chris@coolname:/mnt/cdrom$ tar tvzf VMwareTools-1.0.1-29996.tar.gz

...

And once again, we have mad diarrhea of output. The basics are as follows:

  • Option t - Print the table of contents of the tar file
  • Option v - Be verbose!
  • Option z - GUNZIP the file before trying to read it
  • Option f - Read with the file listed on the command line (instead of stdin)

When we un-tar the file, however, we want to use the 'x' option which will eXtract the files. One key detail about tar is that it extracts into the CURRENT directory (unless you give it -C somedir), so we want to first move to /tmp (and we're going to omit 'v' so we don't have another textual bowel movement):

chris@coolname:/tmp$ tar xzf /mnt/cdrom/VMwareTools-1.0.1-29996.tar.gz
chris@coolname:/tmp$ ls
vmware-tools-distrib
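One check worth doing before extracting any archive you did not build yourself: read the `tar tzf` listing and refuse to extract if a member name is absolute or contains a `..` component, since either would let the archive write outside the directory you chose. The script below is an added example for this lab (not from the original page or from VMware); `check_tar_listing` and `safe_untar` are names chosen here, and the listings fed to it for testing are constructed.

```shell
# Added example (not part of the original lab): inspect a tar listing for
# entries that would land outside the extraction directory before running tar x.
# check_tar_listing reads `tar tzf` output on stdin, prints each offending
# entry, and returns 0 when the listing is clean or 1 when it is not.
check_tar_listing() {
    awk '
        /^\//               { print "absolute path: " $0; bad = 1; next }    # ignores your cwd entirely
        /(^|\/)\.\.(\/|$)/  { print "parent traversal: " $0; bad = 1; next }  # climbs out of the extraction root
        END                 { exit (bad ? 1 : 0) }
    '
}

# safe_untar ARCHIVE [DEST]: list first, extract into DEST (default: cwd) only if clean.
# Example: safe_untar /mnt/cdrom/VMwareTools-1.0.1-29996.tar.gz /tmp
safe_untar() {
    archive=$1
    dest=${2:-.}
    if tar tzf "$archive" | check_tar_listing; then
        tar xzf "$archive" -C "$dest"
    else
        echo "refusing to extract $archive" >&2
        return 1
    fi
}

# Constructed listings (not from a real archive) showing a clean and a bad case.
printf 'vmware-tools-distrib/\nvmware-tools-distrib/vmware-install.pl\n' | check_tar_listing && echo "clean listing accepted"
printf 'vmware-tools-distrib/\n../../etc/cron.d/evil\n' | check_tar_listing || echo "bad listing rejected"
```

Modern GNU tar strips a leading / from member names on its own, but making the decision explicit on the listing costs nothing and works with any tar. Note that a plain `tar tzf` listing does not show symlink targets, so this check does not catch a symlink member that points outside the tree.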

Now we have our VMware tools extracted from the tar file. We can now un-mount the CDROM device that VMware created for us from the menu-option earlier:

chris@coolname:/tmp$ sudo umount /mnt/cdrom

Note: If you see an error such as umount: /mnt/cdrom: device is busy, some process still has a file open or its working directory under that mount point. This could mean that you are still sitting in /mnt/cdrom and your own shell is the culprit!

Alright, now let's move into our vmware-tools-distrib directory and run the install. Be sure to run this install from your vmware-server-console, and NOT via ssh: the VMware tools installer resets your network connections to load the new drivers, which would cut off an ssh session. You can use ALL of the defaults for their questions by simply hitting <enter>, if you have properly installed the two packages above. If you run into any errors at any point, email me to get help debugging the problem.

chris@coolname:/tmp$ cd vmware-tools-distrib/
chris@coolname:/tmp/vmware-tools-distrib$ sudo ./vmware-install.pl
Creating a new installer database using the tar3 format.

Installing the content of the package.

In which directory do you want to install the binary files? 
[/usr/bin] <enter>

What is the directory that contains the init directories (rc0.d/ to rc6.d/)? 
[/etc] <enter>

What is the directory that contains the init scripts? 
[/etc/init.d] <enter>

In which directory do you want to install the daemon files? 
[/usr/sbin] <enter>

In which directory do you want to install the library files? 
[/usr/lib/vmware-tools] <enter>

The path "/usr/lib/vmware-tools" does not exist currently. This program is 
going to create it, including needed parent directories. Is this what you want?
[yes] <enter>

In which directory do you want to install the documentation files? 
[/usr/share/doc/vmware-tools] <enter>

The path "/usr/share/doc/vmware-tools" does not exist currently. This program 
is going to create it, including needed parent directories. Is this what you 
want? [yes] <enter>

The installation of VMware Tools 1.0.1 build-29996 for Linux completed 
successfully. You can decide to remove this software from your system at any 
time by invoking the following command: "/usr/bin/vmware-uninstall-tools.pl".

Before running VMware Tools for the first time, you need to configure it by 
invoking the following command: "/usr/bin/vmware-config-tools.pl". Do you want 
this program to invoke the command for you now? [yes] <enter>

Stopping VMware Tools services in the virtual machine:
   Guest operating system daemon:-ne                                   done

Trying to find a suitable vmhgfs module for your running kernel.

None of the pre-built vmhgfs modules for VMware Tools is suitable for your
running kernel.  do you want this program to try to build the vmhgfs module for
your system (you need to have a C compiler installed on your system)? [yes] <enter>

Using compile "/usr/bin/gcc". Use environment variable CC to override.

What is the location of the directory of C header files that match your running
kernel? [/lib/modules/2.6.17-10-server/build/include] <enter>

...

To use the vmxnet driver, restart networking using the following commands:
/etc/init.d/networking stop
rmmod pcnet32
rmmod vmxnet
depmod -a
modprobe vmxnet
/etc/init.d/networking start

Enjoy,

--the VMware team

Good work! We have just a few more commands to run, as they mention in the last bit of output. Turns out the 'pcnet32' module isn't loaded on our system, so that rmmod fails harmlessly:

chris@coolname:/tmp/vmware-tools-distrib$ sudo /etc/init.d/networking stop
 * Deconfiguring network interfaces...                                   [ ok ]
chris@coolname:/tmp/vmware-tools-distrib$ sudo rmmod pcnet32
ERROR: Module pcnet32 does not exist in /proc/modules
chris@coolname:/tmp/vmware-tools-distrib$ sudo rmmod vmxnet
chris@coolname:/tmp/vmware-tools-distrib$ sudo depmod -a
chris@coolname:/tmp/vmware-tools-distrib$ sudo modprobe vmxnet
chris@coolname:/tmp/vmware-tools-distrib$ sudo /etc/init.d/networking start
 * Configuring network interfaces...                                     [ ok ]

Good work! You have successfully installed VMware Tools!


Installing and using VIM

Everyone has their favorite editor. Or someone hasn't used any editor enough to be comfortable. I use 'vi' everyday, because it's on every system I've used, and after knowing a few good bits about vi, you will be able to use it moderately efficiently as well.

Turns out the default 'vim' that's installed on our machines is not the full version! I noticed this when I attempted to turn on syntax highlighting when looking at a script. Try it out. First open the following startup script and then type :syntax on and nothing else:

chris@coolname:~$ vim /etc/init.d/ssh

...

:syntax on

...

E319: Sorry, the command is not available in this version

Suck! We need to regulate that shizzle right away, but first let's take a look at what 'vim' IS installed on our system:

chris@coolname:~$ dpkg -l | grep vim
ii  vim-common                     7.0-035+1ubuntu5        Vi IMproved - Common files
ii  vim-tiny                       7.0-035+1ubuntu5        Vi IMproved - enhanced vi editor - compact v

What is this 'vim-tiny' crap anyway? Let's get our full-version vim installed with syntax highlighting!

chris@coolname:~$ sudo apt-get install vim
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  vim-runtime
Suggested packages:
  ctags vim-doc vim-scripts
The following NEW packages will be installed:
  vim vim-runtime
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 7072kB of archives.
After unpacking 23.4MB of additional disk space will be used.
Do you want to continue [Y/n]? y

Let's try to open our file again and use syntax highlighting:

chris@coolname:~$ vim /etc/init.d/ssh

...

:syntax on

OOoooooOOohhh look at all the pretty colors! Life just got MUCH easier now that you have syntax highlighting. Except that having to type :syntax on every time you run 'vim' gets old fast, so let's create a config file that 'vim' reads every time it starts. This file is called .vimrc and it lives in your home directory (after you create it). If you need a reference again, look at the first section of the lab for VI commands.

chris@coolname:~$ vim ~/.vimrc

These are the options I set in my .vimrc file.

:syntax on
:set ts=3
:set is
:set ai
:set hlsearch
:set pastetoggle=<F4>

Save your file with the :wq keystrokes. The options go as follows:

  1. :syntax on - Obvious what this one does
  2. :set ts=3 - One of my favorites. Tab-stop is 3 instead of 8!
  3. :set is - This is 'incremental search', which highlights words that are found as you search for them (searching is performed by typing / immediately followed by the text you're looking for). I find it very handy.
  4. :set ai - Auto-Indent. It's not smart in any way, and some people can't stand it. I don't hate it enough to get rid of it myself. If you use auto-indent, then you're going to want the next one:
  5. :set hlsearch - Highlight Search. Where incremental-search will highlight as you search, this will highlight all matches after you hit enter. Sometimes this is really annoying, so you can disable it with a simple :set nohlsearch to avoid the mess.
  6. :set pastetoggle=<F4> - Pasting into VI can be a pain in the ass, so you first want to toggle 'paste' mode on with F4 (or whatever key you want to use) and then toggle it off afterward. Pressing the key flips the paste option (:set paste / :set nopaste). The reason you want this is that if you have auto-indent enabled and you paste lines that already have indents, your formatting gets all screwed up.

Editing your groups file to add users to groups

We want the account created for your partner after the install to be able to run sudo commands. On Ubuntu, sudo is configured by default to allow anyone in the admin group to run any command with sudo, so we need to add the other user to that group in /etc/group. Let's do so using vigr. Scroll down to find the 'admin' group and add the username of your partner to this group:

chris@coolname:~$ sudo vigr
...
admin:x:108:chris,otheruser

Note: Do not put spaces anywhere in the file, only comma-separated usernames. 'vigr' locks the file while you edit and checks the syntax when you save, which is why we use this utility instead of editing /etc/group directly and risking a broken groups file. Group membership is read at login, so the other user must log out and back in (or open a fresh ssh session) before the change takes effect; running id in the new session should list admin among the groups. Now let's test the other user's ability to run sudo:

otheruser@coolname:~$ sudo vigr

If sudo refuses (you'll see "otheruser is not in the sudoers file"), then you've messed up. Try again.


Editing your password file to change information

For most of you, I have already tested that I can log in to the 'root' account using key authentication, without a password. Turns out root's password field in /etc/shadow is set to '!', which means the password is locked: no typed password will ever match, but key-based logins still work. I want you to set my password field to '!' as well. Remember that the password hashes are in the /etc/shadow file and NOT /etc/passwd. To edit the shadow file, use the -s option of vipw, which locks the file while you edit and validates it when you save:

chris@coolname:~$ sudo vipw -s
root:!:13530:0:99999:7:::
daemon:*:13530:0:99999:7:::
bin:*:13530:0:99999:7:::

...

chris:!:13530:0:99999:7:::

Save the file once in Normal mode (get there by hitting Esc) by typing :wq. You can confirm the result with sudo passwd -S chris, which reports L (locked) for an account whose password field starts with '!'.
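The two edits above (a user added to admin in /etc/group, a password field set to '!' in /etc/shadow) are exactly the kind of thing to verify with a script rather than by eye. The following is an added example written for this lab, not part of the original page: shell functions that read /etc/group and /etc/shadow formatted text from stdin, so you can pipe in the real files (`sudo cat /etc/shadow | unlocked_accounts`) or the constructed sample at the bottom. The function names and the sample data are invented here; the fake hash in the sample is just a placeholder string.

```shell
# Added example (not part of the original lab): verify group membership and
# password lock state from /etc/group- and /etc/shadow-format input on stdin.

# group_members GROUP: print the explicit members of GROUP, one per line.
# Exits 1 if GROUP is not present. (Does not look at primary groups in /etc/passwd.)
group_members() {
    awk -F: -v g="$1" '
        $1 == g {
            found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
        END { exit (found ? 0 : 1) }
    '
}

# in_group USER GROUP: exit 0 if USER is listed in GROUP, 1 otherwise.
in_group() {
    group_members "$2" | grep -qx "$1"
}

# password_state USER: print locked, empty or hashed for USER's shadow entry.
#   locked - field is "*" or begins with "!" (no password will match; keys still work)
#   empty  - field is empty (anyone can log in without a password!)
#   hashed - a real hash is present (password login possible)
# Exits 1 if USER is not present.
password_state() {
    awk -F: -v u="$1" '
        $1 == u {
            found = 1
            if ($2 == "")                    print "empty"
            else if ($2 == "*" || $2 ~ /^!/) print "locked"
            else                             print "hashed"
        }
        END { exit (found ? 0 : 1) }
    '
}

# unlocked_accounts: list every account whose password field would accept a
# password at login, flagging empty fields loudly.
unlocked_accounts() {
    awk -F: '
        $2 != "*" && $2 !~ /^!/ {
            suffix = ($2 == "") ? " (EMPTY PASSWORD)" : ""
            print $1 suffix
        }
    '
}

# Constructed sample data mirroring the lab (not copied from a real system;
# the hash for otheruser is a placeholder, not a valid crypt string).
SAMPLE_GROUP='root:x:0:
admin:x:108:chris,otheruser
plugdev:x:46:chris'
SAMPLE_SHADOW='root:!:13530:0:99999:7:::
daemon:*:13530:0:99999:7:::
chris:!:13530:0:99999:7:::
otheruser:$1$saltsalt$constructedhashvalue:13530:0:99999:7:::'

# Stand-alone demo against the sample.
printf '%s\n' "$SAMPLE_GROUP"  | in_group otheruser admin && echo "otheruser is in admin"
printf '%s\n' "$SAMPLE_SHADOW" | password_state chris
printf '%s\n' "$SAMPLE_SHADOW" | unlocked_accounts
```

On the real machine, `sudo cat /etc/group | in_group otheruser admin` and `sudo cat /etc/shadow | password_state chris` check the two grading criteria directly; `unlocked_accounts` is the general audit you would run on any box to see who can still log in with a password.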


Insult your users who mistype passwords using sudo

"I've seen penguins that can type better than that"

I want to be insulted every time my fat fingers make a mistake when using sudo. Thankfully, the previous maintainers of sudo (from this department) have added such insults to aid me in my masochistic tendencies while administering machines.

To edit the sudoers file which is where the sudo configuration is done, we will be using the visudo utility. Options are set on lines that begin with the Defaults keyword. You want to change line 14 by adding insults, in front of !lecture:

chris@coolname:~$ sudo visudo
...
Defaults        insults,!lecture,tty_tickets,!fqdn

This will most likely come up in Nano, so to save the file hit <ctrl>-o and hit <enter>. You can then exit by hitting <ctrl>-x; visudo parses the file before installing it, so a syntax error won't lock you out of sudo. Now try it out! sudo -k first throws away your cached credentials so that you are prompted again; then mistype your password and see what happens:

chris@coolname:~$ sudo -k
chris@coolname:~$ sudo ls
Password:
Listen, burrito brains, I don't have time to listen to this trash.
Password:
Your mind just hasn't been the same since the electro-shock, has it?
Password:
Speak English you fool --- there are no subtitles in this scene.
sudo: 3 incorrect password attempts
chris@coolname:~$

Installing SSHDFilter and initial IPTables configuration

We are going to be installing version 1.4.5 of SSHDFilter. Let's download it using the wget program we used in lab00 and un-tar the file like we did earlier. (Note that this is a plain-HTTP download with no signature or checksum to check it against; that's acceptable for a lab VM, but it is exactly the kind of step you would want to tighten on a real server.)

chris@coolname:~$ wget http://www.csc.liv.ac.uk/~greg/sshdfilter-1.4.5.tar.gz
--04:22:34--  http://www.csc.liv.ac.uk/~greg/sshdfilter-1.4.5.tar.gz
           => `sshdfilter-1.4.5.tar.gz'
Resolving www.csc.liv.ac.uk... 138.253.184.233
Connecting to www.csc.liv.ac.uk|138.253.184.233|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 45,296 (44K) [application/x-gzip]

100%[====================================>] 45,296        61.17K/s

04:22:35 (61.06 KB/s) - `sshdfilter-1.4.5.tar.gz' saved [45296/45296]

chris@coolname:~$ ls -l
-rw-r--r-- 1 chris chris 45296 2006-11-17 06:05 sshdfilter-1.4.5.tar.gz
chris@coolname:~$ tar zxf sshdfilter-1.4.5.tar.gz
chris@coolname:~$ cd sshdfilter-1.4.5/

Configuring SSHDFilter

You are now inside the install directory. The instructions for manually installing SSHDFilter are in the INSTALL file, but we'll go through the steps one by one below.

First, run regen.sh to recreate distribution specific filters from sshdfilter.base:

chris@coolname:~/sshdfilter-1.4.5$ ./regen.sh
Regenerating sshdfilter.{rh7390 rhFC30 deb31 su10rc1}
   Creating sshdfilter.rh7390
   Creating sshdfilter.rhFC30
   Creating sshdfilter.deb31
   Creating sshdfilter.su10rc1

Now copy ./etc/sshdfilterrc to the /etc directory:

chris@coolname:~/sshdfilter-1.4.5$ sudo cp ./etc/sshdfilterrc /etc

Now edit /etc/sshdfilterrc and change maxblocktime to 12 hours. This parameter takes time in seconds, so calculate 12 hours properly: 12 * 3600 = 43200. You also want to allow a total of 3 password guesses before a user is locked out for 12 hours, which you set with the maxchances option. Notice what the comment says about maxchances: sshd generates two log messages for each incorrect attempt, so 3 human guesses means maxchances=6. You don't see the duplicate in your syslog, but SSHDFilter does.

maxblocktime=43200
maxchances=6

Next we must copy the actual script, sshdfilter.deb31, to a directory that makes sense. I personally use /usr/local/sbin for mine, since this script will only be run as root, and I know to look in /usr/local for any programs I have installed manually. Look carefully at the command below, the script is renamed during the copy to simply sshdfilter under /usr/local/sbin.

chris@coolname:~/sshdfilter-1.4.5$ sudo cp sshdfilter.deb31 /usr/local/sbin/sshdfilter

Changing the /etc/init.d/ssh startup script

Now we must edit our /etc/init.d/ssh startup script to spawn SSHDFilter instead of SSHD. We want to change lines 45 and 68 of /etc/init.d/ssh by replacing /usr/sbin/sshd with /usr/local/sbin/sshdfilter; these are the --exec arguments of the two start-stop-daemon --start invocations. Change nothing else on those lines, and keep the trailing backslash that continues the command onto the next line. You can see what line you're on in VI by looking at the left-most number in the bottom-right of your screen. You can also jump straight to a line by typing :<line-num> while in Normal mode.

chris@coolname:~/sshdfilter-1.4.5$ sudo vim /etc/init.d/ssh

...
:45
        start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid \
            --exec /usr/local/sbin/sshdfilter -- $SSHD_OPTS || log_end_msg 1

...
:68
        start-stop-daemon --start --quiet --pidfile /var/run/sshd.pid \
            --exec /usr/local/sbin/sshdfilter -- $SSHD_OPTS || log_end_msg 1

Now let's copy the man pages over just so we're consistent with our new package:

chris@coolname:~/sshdfilter-1.4.5$ sudo cp ./docs/sshdfilter.1 /usr/share/man/man1
chris@coolname:~/sshdfilter-1.4.5$ sudo cp ./docs/sshdfilterrc.5 /usr/share/man/man5

Adding IPTables chains and rules

This is one of the most important steps: Adding a user-defined SSHD chain to your IPTables, as well as a rule to send all port 22 packets to this chain. If you have to reboot your machine, you must perform these steps on startup as they are not saved between reboots. We will cover much more about IPTables in next week's lab, as well as how to make your rules persistent through reboots, but this is just an introduction. SSHDFilter needs to add rules to block brute-force attacks, so we have to add the rules to our firewall for this package to function. Let's first look at our current rules:

chris@coolname:~/sshdfilter-1.4.5$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 118 packets, 9143 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 57 packets, 5828 bytes)
 pkts bytes target     prot opt in     out     source               destination 

These are the three built-in chains: INPUT, FORWARD, and OUTPUT. Note also the policy of each chain: that is what happens to a packet that matches none of the chain's rules. Even with no rules at all, a default policy of DROP would throw away every packet, which can be confusing if you forget to check it.

Step 1 of IPTables

Let's add our SSHD user-defined chain:

chris@coolname:~/sshdfilter-1.4.5$ sudo iptables -N SSHD

Now let's take a look at the output:

chris@coolname:~/sshdfilter-1.4.5$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 213 packets, 16498 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 97 packets, 10436 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain SSHD (0 references)
 pkts bytes target     prot opt in     out     source               destination 

Booyeah! Our chain has been entered.

Step 2 of IPTables

Now we must add (append with -A) a rule that will direct all incoming TCP port 22 packets (on the INPUT chain) to 'jump' (with the -j option) this new SSHD chain.

chris@coolname:~/sshdfilter-1.4.5$ sudo iptables -A INPUT -p tcp --dport 22 -j SSHD

Excellent! We are now ready to restart our SSH server and have SSHDFilter spawn it instead.

chris@coolname:/usr/local/sbin$ sudo /etc/init.d/ssh restart
 * Restarting OpenBSD Secure Shell server...                             [ ok ]

Now let's check our process tree. We should see sshdfilter with two children, sshd and sshdfilter. You may have to move down a little to see it (or alternatively search with /sshdfilter).

chris@coolname:~/sshdfilter-1.4.5$ pstree -pul | less -S
...
/sshdfilter
...
        |-perl(4021)
        |-python(3913,hplip)
        |-sdpd(4112)
        |-sh(4930,schenkc)---esd(4931)
        |-sshdfilter(7788)-+-sshd(7796)
        |                  `-sshdfilter(7789)
        |-syslogd(3741)
        |-trashapplet(5005,schenkc)
        |-udevd(2018)
        |-update-notifier(4964,schenkc)
        `-watchdog/0(4)

Test your machine!

Now test your machine thoroughly! With maxchances=6, I am blocked after only three bad passwords (sshd logs each one twice). Here's what my IPTables looks like after I've been blocked:

Chain INPUT (policy ACCEPT 990 packets, 76071 bytes)
 pkts bytes target     prot opt in     out     source               destination 
  610 45598 SSHD       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0         tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 529 packets, 67678 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain SSHD (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    6   360 DROP       tcp  --  *      *       128.138.243.151      0.0.0.0/0         tcp dpt:22

If you happen to block yourself while testing, you can remove your IP address from the SSHD chain. First list the chain with sudo iptables -L SSHD -n --line-numbers to see each rule's index (starting at 1), then delete by that index; the indexes shift after every deletion, so re-list before removing another:

chris@coolname:/usr/local/sbin$ sudo iptables -D SSHD 1

You can now check your auth.log for 'sshdfilt' entries (you'll have to sort through your sudo entries to see this):

chris@coolname:~$ sudo grep 'sshdfilt' /var/log/auth.log

...

Jan 24 05:44:45 coolname sshdfilt[4940]: sshdfilter 1.4.4 starting up, running sshd proper
Jan 24 05:44:46 coolname sshdfilt[4940]: Flushing SSHD chain
Jan 24 05:48:40 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=0
Jan 24 05:48:40 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=1
Jan 24 05:48:42 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=2
Jan 24 05:48:43 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=3
Jan 24 05:48:46 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=4
Jan 24 05:48:46 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=5
Jan 24 05:48:46 coolname sshdfilt[4940]: Too many password guesses, blocking 128.138.243.151
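When you are testing (or later, when a user calls to say they are locked out), two things you want quickly are a per-source summary of what sshdfilter logged and the rule number of that source's DROP in the SSHD chain. The script below is an added example for this lab, not code from the original page or from the sshdfilter project: it parses the auth.log format and the `iptables -L SSHD -n --line-numbers` format shown above from stdin. The function names are chosen here, and the log and chain listings at the bottom are constructed to match those formats (the second address, 10.0.0.7, is made up).

```shell
# Added example (not part of the original lab): summarise sshdfilter activity
# and find the matching DROP rule, all from text on stdin.

# sshdfilter_summary: reads auth.log lines and prints "IP max_tries blocked"
# per source, where max_tries is the highest tries=N seen for that IP (sshd
# logs each bad password twice, so halve it for human attempts) and blocked
# is yes/no. Live: sudo grep sshdfilt /var/log/auth.log | sshdfilter_summary
sshdfilter_summary() {
    awk '
        /sshdfilt\[[0-9]+\]: Chanced / {
            ip = $(NF-1); sub(/,$/, "", ip)           # "128.138.243.151," -> "128.138.243.151"
            split($NF, kv, "=")                        # "tries=5" -> kv[2] = 5
            if (kv[2] + 0 > tries[ip] + 0) tries[ip] = kv[2] + 0
            seen[ip] = 1
        }
        /sshdfilt\[[0-9]+\]: Too many password guesses, blocking / {
            blocked[$NF] = 1; seen[$NF] = 1
        }
        END { for (ip in seen) print ip, tries[ip] + 0, (ip in blocked ? "yes" : "no") }
    ' | sort
}

# sshd_rule_number IP: reads `iptables -L SSHD -n --line-numbers` output
# (without -v, so the columns are num target prot opt source destination)
# and prints the rule number of the DROP for IP. Exits 1 if IP is not blocked.
sshd_rule_number() {
    awk -v ip="$1" '
        $1 ~ /^[0-9]+$/ && $2 == "DROP" && $5 == ip { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# unblock IP: remove IP's DROP rule from the live SSHD chain (run as root).
# Usage: sudo sh -c '. ./sshdfilter-tools.sh; unblock 128.138.243.151'
unblock() {
    n=$(iptables -L SSHD -n --line-numbers | sshd_rule_number "$1") || {
        echo "$1 is not in the SSHD chain" >&2
        return 1
    }
    iptables -D SSHD "$n"
}

# Constructed sample input in the formats shown in the lab (not real captures).
SAMPLE_LOG='Jan 24 05:44:45 coolname sshdfilt[4940]: sshdfilter 1.4.5 starting up, running sshd proper
Jan 24 05:44:46 coolname sshdfilt[4940]: Flushing SSHD chain
Jan 24 05:48:40 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=0
Jan 24 05:48:40 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=1
Jan 24 05:48:42 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=2
Jan 24 05:48:43 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=3
Jan 24 05:48:46 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=4
Jan 24 05:48:46 coolname sshdfilt[4940]: Chanced 128.138.243.151, tries=5
Jan 24 05:48:46 coolname sshdfilt[4940]: Too many password guesses, blocking 128.138.243.151
Jan 24 06:02:11 coolname sshdfilt[4940]: Chanced 10.0.0.7, tries=0
Jan 24 06:02:11 coolname sshdfilt[4940]: Chanced 10.0.0.7, tries=1'
SAMPLE_CHAIN='Chain SSHD (1 references)
num  target     prot opt source               destination
1    DROP       tcp  --  10.0.0.7             0.0.0.0/0            tcp dpt:22
2    DROP       tcp  --  128.138.243.151      0.0.0.0/0            tcp dpt:22'

# Stand-alone demo against the sample.
printf '%s\n' "$SAMPLE_LOG"   | sshdfilter_summary
printf '%s\n' "$SAMPLE_CHAIN" | sshd_rule_number 128.138.243.151
```

Deleting by rule number is what the lab shows; the alternative is to delete by the full rule specification (`iptables -D SSHD -s 128.138.243.151 -p tcp --dport 22 -j DROP`), which does not shift when other rules are removed. Either way, remember that sshdfilter will block the address again on the next batch of bad passwords.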

Congratulations! Your machine is now safer on the network now that it blocks brute-force ssh attempts. Keep in mind what this does and doesn't do: it blocks one source address at a time, for maxblocktime, and only after the guesses have been made. Strong passwords (or key-only logins, as you just set up for the root account) are what actually stop a guessed password from working.

You have now completed lab01. Good work.