I need access to my gateway machine (which runs irssi) while out in the world on the internet.
Currently, SSH access from the internet is blocked by the firewall. There are a couple of ways to enable it. I need to select one, add a secure connection method, and block brute-force attempts to crack that connection.
The easiest way is to:
- Open port 22 on the firewall
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- Add a method of blocking brute force attacks
# These two rules must be evaluated before the ACCEPT rule for port 22 (iptables checks rules in order), so put them ahead of it in the firewall script or insert them with -I
# Allow incoming ssh attempts from the internet, and add them to the "DEFAULT" recent list, keyed by source address
iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
# After three inbound ssh attempts in three minutes, drop any subsequent attempts; each dropped attempt also refreshes the entry, so a source that keeps retrying stays blocked until it has been quiet for three minutes
iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
- Check the settings of /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22
- Check the settings of /etc/hosts.allow
sshd: ALL
- Restart the firewall so the new rules take effect. Restart sshd if any changes to sshd_config or hosts.allow were made.
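To see what the two "recent" rules above actually do over time, here is a small model of the kernel's per-source hit list (the --set / --update --seconds 180 --hitcount 4 logic) run over a constructed sequence of new SSH connection attempts. This is an added illustration written for this post, not code from the iptables project; the addresses and timestamps are made up, and the model only covers the --set / --update matching that the rules above use (no list-size limits, no reaping).

```python
from collections import defaultdict

SECONDS = 180   # --seconds 180
HITCOUNT = 4    # --hitcount 4

class RecentTable:
    """Model of the kernel's xt_recent list: per source address, the
    timestamps at which that source was seen (constructed model, not the
    kernel code itself)."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: record this packet for the source; creates the entry if new.
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds N --hitcount H: match only if the source already
        # has at least H stamps within the last N seconds.  On a match the
        # current packet is recorded too, which is what keeps a retrying
        # source blocked (the window slides with every dropped attempt).
        if src not in self.stamps:
            return False
        hits = sum(1 for s in self.stamps[src] if now - s <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False

def filter_ssh_attempts(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """Walk the INPUT chain for each NEW SSH connection (in time order):
    rule 1 (--set), rule 2 (--update ... -j DROP), otherwise ACCEPT.
    Returns a list of (src, t, verdict)."""
    table = RecentTable()
    verdicts = []
    for src, t in attempts:
        table.set(src, t)
        if table.update(src, t, seconds, hitcount):
            verdicts.append((src, t, "DROP"))
        else:
            verdicts.append((src, t, "ACCEPT"))
    return verdicts

# Constructed sample: one host hammering the port, one legitimate host.
# Times are seconds since an arbitrary start.
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", 0),
    ("203.0.113.7", 10),
    ("203.0.113.7", 20),
    ("203.0.113.7", 30),    # 4th attempt inside 180 s: dropped
    ("198.51.100.5", 35),   # different source, its own counter: accepted
    ("203.0.113.7", 100),   # still inside the window, and the drop at t=30
                            # added a stamp too: dropped again
    ("203.0.113.7", 250),   # only 3 stamps within the last 180 s: accepted
    ("203.0.113.7", 260),   # back to 4 within the window: dropped
]

if __name__ == "__main__":
    for src, t, verdict in filter_ssh_attempts(SAMPLE_ATTEMPTS):
        print(f"t={t:4d}  {src:14s}  {verdict}")
```

The run shows the property worth knowing before relying on these rules: the limit is per source address, three new connections in 180 seconds are always allowed, and because dropped attempts are counted as well, a source that keeps retrying pushes its own block forward rather than waiting out a fixed three minutes.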
Alternately, we can tell sshd to listen on a second (unadvertised) port. This may (or may not) be more secure than using firewall rules to block brute force attacks: an unadvertised port cuts down the noise from automated scanners that only try port 22, but a port scan still finds it, so it is obscurity rather than a control.
- Open port 33 on the firewall
iptables -A INPUT -p tcp --dport 33 -j ACCEPT
- Change the settings of /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22
Port 33
- Check the settings of /etc/hosts.allow
sshd: ALL
- Restart the firewall so the new rules take effect. Restart sshd.
bash /etc/network/if-up.d/00-firewall
service ssh restart
Since the ddclient package is installed (so the dynamic DNS name follows the gateway's current address), I can now connect to my server from the internet using:
ssh [-p 33] accountname@myusername.dyndns.org