Re: proper context for connbytes

cookie wrote:
Hello-
  After trying out several modules from Modwall
http://www.stearns.org/modwall/
  I was stumped when I encountered the mapssh module.
http://www.stearns.org/modwall/mapssh

##    The mapssh module uses some very tight checks to identify the SSH
##protocol string found at the beginning of a connection.  Because it
##strictly limits how many packets it inspects, it _should_ not produce
##high load on the system, even when inspecting every tcp connection.
##There is a small chance of false positives and/or false negatives.
/sbin/iptables -N mapssh
/sbin/iptables -F mapssh
/sbin/iptables -A mapssh -m u32 --u32 '0>>22&0x3C@ 12>>26&0x3C@ 0=0x5353482D' -j LOG --log-prefix mapssh
/sbin/iptables -A INPUT -i ! lo -p tcp ! -f -m connbytes --connbytes 0:255 -m state --state ESTABLISHED -m length --length 46:375 -j mapssh
/sbin/iptables -A FORWARD -p tcp ! -f -m connbytes --connbytes 0:255 -m state --state ESTABLISHED -m length --length 46:375 -j mapssh
/sbin/iptables -A OUTPUT -p tcp ! -f -m connbytes --connbytes 0:255 -m state --state ESTABLISHED -m length --length 46:375 -j mapssh

It all goes well till it hits the 4th line (the first that uses connbytes), then it kicks out:

iptables v1.3.3: You must specify `--connbytes'`--connbytes- direction' and `--connbytes-mode'
Try `iptables -h' or 'iptables --help' for more information.

After a day of googling for the correct use of -m connbytes I am at a loss, I was hoping
someone could help me figure this out.  I have tried adding
--connbytes-dir original --connbytes-mode bytes but to no avail.

Hmm - there was a bug in 1.3.1 which stopped it from parsing properly but I just looked and it's fixed in 1.3.3. You still need to specify dir and mode now, though.

Can you search for libipt_connbytes.so to check datestamp/for multiple copies in case you are using an older version.

You do need connbytes in kernel/as module as well of course, which until very recently involved using POM, and when I last did it (2.6.12-rc1 time) it (POM) failed without messing around.

Andy.
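As an added illustration (not part of the thread and not the Modwall author's code), the mapssh rules below are rewritten with the complete connbytes match that iptables 1.3.3 insists on: `--connbytes RANGE` together with `--connbytes-dir` and `--connbytes-mode`. The choice of `--connbytes-dir both --connbytes-mode bytes` is an assumption about what the original module intends (inspect only the first 255 bytes of the connection in either direction); `connbytes_complete` is a helper added here to catch the exact omission from the question before a rule is handed to iptables. Interface negation is written in the current `! -i lo` form. The rules are only printed unless the script is run with `--apply`, which also needs the kernel-side ipt_connbytes module Andy mentions.

```shell
#!/bin/sh
# Added example: mapssh rules with a complete connbytes match.
# Not from the thread; see the lead-in for the assumptions made.

IPTABLES=${IPTABLES:-/sbin/iptables}

# The shared match expression. connbytes needs all three options:
#   --connbytes RANGE, --connbytes-dir {original|reply|both},
#   --connbytes-mode {packets|bytes|avgpkt}
# "both"/"bytes" is our assumption about the module's intent.
connbytes_match() {
    printf '%s' "-m connbytes --connbytes 0:255 --connbytes-dir both --connbytes-mode bytes"
}

# Return 0 only if a rule fragment carries all three mandatory
# connbytes options; this is the check the failing rule would not pass.
connbytes_complete() {
    case "$1" in *"--connbytes "*) ;; *) return 1 ;; esac
    case "$1" in *"--connbytes-dir "*) ;; *) return 1 ;; esac
    case "$1" in *"--connbytes-mode "*) ;; *) return 1 ;; esac
    return 0
}

# Print the iptables arguments for each rule, one rule per line.
# The u32 expression matches "SSH-" at the start of the TCP payload.
mapssh_rules() {
    cb=$(connbytes_match)
    cat <<EOF
-N mapssh
-F mapssh
-A mapssh -m u32 --u32 '0>>22&0x3C@ 12>>26&0x3C@ 0=0x5353482D' -j LOG --log-prefix mapssh
-A INPUT ! -i lo -p tcp ! -f $cb -m state --state ESTABLISHED -m length --length 46:375 -j mapssh
-A FORWARD -p tcp ! -f $cb -m state --state ESTABLISHED -m length --length 46:375 -j mapssh
-A OUTPUT -p tcp ! -f $cb -m state --state ESTABLISHED -m length --length 46:375 -j mapssh
EOF
}

# Install the rules; refuses if the connbytes fragment is incomplete.
mapssh_apply() {
    connbytes_complete "$(connbytes_match)" || {
        echo "connbytes match is missing --connbytes-dir or --connbytes-mode" >&2
        return 1
    }
    mapssh_rules | while read -r rule; do
        eval "$IPTABLES $rule"
    done
}

if [ "${1-}" = "--apply" ]; then
    mapssh_apply
else
    mapssh_rules
fi
```

Without `--apply` the script just prints the six rule lines, so the fragment can be reviewed before anything is loaded.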

