If you’re new to using Clear Linux, and you’re lazy like me, you’ll likely run into this situation sooner or later. You’re using SSH to connect to a remote Clear Linux machine. You type your password in (because setting up SSH to use keys is #TooMuchWork, #AmIRite?). And it fails. Oh, that’s right, you just switched to a new password. OK, type in the new password. Huh, still failed. Oh look, cAPS lOCK IS ON. Retype a third time, finger slips. Login fails once more. Logins continue to fail…. Hmmm…. Maybe something else is going on? Can I ping the machine? No!
Clearly there’s a major problem happening. Maybe someone's pulled a network cable or powered down the machine?
If you’re lucky, you’ll go off to lunch to think about it, and when you return, find everything is working correctly again. I know of a colleague who, at this point, drove a considerable distance into the office, thinking his machine had been stolen, only to find everything was fine.
Clearly this could be unexpected behavior, resulting in annoyance and frustration. What’s going on?
As you’ve realized when you first logged into your Clear Linux machine and had to create a password, (what’s a good password for root, “root”? Nope. “password”? Nope…) Clear Linux is designed with security in mind, and tries to prevent users from shooting themselves in the foot. Clear Linux doesn’t provide default passwords to root or user accounts. You can’t SSH in as root. And, most relevant in this case, if you look like a hacker trying to SSH in, all network activity from that IP address gets shut down.
Clear Linux has a process called Tallow, which monitors the systemd journal for attempted SSH logins, and issues temporary bans. If it detects anomalous login patterns, it adds a rule to iptables temporarily blocking all network access from that IP address. You can list iptables rules to see if there is a DROP rule in the INPUT chain, by using
$ sudo iptables -L
(Obviously you’d have to do this physically from your machine, if your SSH logins are temporarily blocked by Tallow). Rebooting won’t reset this, as the iptables rule persists over reboot. After a period of time, (1 hour by default), Tallow will remove the iptables rule and allow traffic once more.
The bottom line: If you want to ensure your client isn’t inadvertently blocked by Tallow due to fat fingers, you can whitelist IP address in tallow.conf.
/etc/tallow.conf file is read at startup. You can override the default values in tallow.conf. The template in /usr/share/doc/tallow shows the format for valid entries. From that template, copy the whitelist line into the file `/etc/tallow.conf`
By default, only 127.0.0.1 is shown.
Multiple IP addresses can be included here, as appropriate, by repeating the
whitelist option several times on new lines. For more details, in the CLI enter: man tallow.conf, or visit https://github.com/clearlinux/tallow/blob/master/tallow.conf.5.md
Save the file tallow.conf and exit. Then restart the tallow.service for changes to take effect.
$ sudo systemctl restart tallow
For better security, use SSH keys instead of passwords.
If you really, REALLY need to disable tallow, it’s highly discouraged. But here's how:
$ sudo systemctl stop tallow
$ sudo systemctl mask tallow
And it can be re-enabled with:
$ sudo systemctl unmask tallow
$ sudo systemctl start tallow