Wednesday, September 7, 2011

More useful sshd on the gateway

I need access to my gateway machine (which runs irssi) while out in the world on the internet.


Currently, SSH access from the internet is blocked by the firewall. There are a couple of ways to enable it. I need to select one, add a secure connection method, and block brute-force attempts to crack that connection.


The easiest way is to:

  1. Open port 22 on the firewall
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  2. Add a method of blocking brute force attacks
    # Track new incoming ssh attempts from the internet (ppp0) in the "recent" table; no -j, so this rule never terminates
    iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
    # After three inbound ssh attempts in three minutes, drop any further attempts until the three-minute window has expired
    iptables -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
  3. Check the settings of /etc/ssh/sshd_config
    # What ports, IPs and protocols we listen for
    Port 22
  4. Check the settings of /etc/hosts.allow
    sshd:              ALL
  5. Restart the firewall so the new rules take effect. Restart sshd if any changes to sshd_config or hosts.allow were made.
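The limiter in step 2 is easier to reason about when its two rules are simulated. The Python below is an added example, not code from this post or from iptables itself: it models how xt_recent's `--set` and `--update --seconds 180 --hitcount 4` behave for one source address, using constructed timestamps and the documentation address 198.51.100.7, and it also shows what happens when the ACCEPT from step 1 sits ahead of the limiter in the chain.

```python
"""Model of the iptables `recent`-module limiter from step 2 above.

Added example, not the blog's firewall script: it mimics how xt_recent's
--set and --update --seconds --hitcount behave for one source address, so
the rule's numbers can be checked without a real firewall. All timestamps
and addresses are constructed.
"""
from dataclasses import dataclass, field

SECONDS = 180   # --seconds 180 from the rule on the page
HITCOUNT = 4    # --hitcount 4: the fourth NEW connection inside the window matches
SSH_PORT = 22


@dataclass
class RecentList:
    """The `--name DEFAULT --rsource` table: packet timestamps per source.

    The kernel keeps a bounded ring of stamps per address; this model keeps
    them all, which is enough for a handful of attempts."""
    stamps: dict = field(default_factory=dict)

    def set(self, src, now):
        """`--set`: add this packet's timestamp for src."""
        self.stamps.setdefault(src, []).append(now)

    def update(self, src, now):
        """`--update --seconds S --hitcount N`: match when src is listed and at
        least N stamps fall within the last S seconds (the `--set` rule has
        already recorded the current packet). A match also refreshes the entry."""
        seen = self.stamps.get(src)
        if seen is None:
            return False
        hits = sum(1 for t in seen if now - t <= SECONDS)
        if hits >= HITCOUNT:
            seen.append(now)
            return True
        return False


# Each rule takes (packet, table) and returns a verdict, or None to fall through.
def accept_ssh(pkt, table):
    """Step 1: iptables -A INPUT -p tcp --dport 22 -j ACCEPT"""
    return "ACCEPT" if pkt["dport"] == SSH_PORT else None


def recent_set(pkt, table):
    """Step 2, first rule: ... --state NEW -m recent --set (no -j, never terminates)."""
    if pkt["dport"] == SSH_PORT and pkt["new"]:
        table.set(pkt["src"], pkt["t"])
    return None


def recent_drop(pkt, table):
    """Step 2, second rule: ... -m recent --update --seconds 180 --hitcount 4 -j DROP"""
    if pkt["dport"] == SSH_PORT and pkt["new"] and table.update(pkt["src"], pkt["t"]):
        return "DROP"
    return None


def evaluate(chain, pkt, table):
    """Walk the INPUT chain in order; the first rule with a verdict wins.
    Assumes a DROP policy, as on a gateway that blocks everything else."""
    for rule in chain:
        verdict = rule(pkt, table)
        if verdict is not None:
            return verdict
    return "DROP"


# Rules are consulted in the order they were appended with -A.
LIMITER_FIRST = [recent_set, recent_drop, accept_ssh]   # limiter sees packets before ACCEPT
ACCEPT_FIRST = [accept_ssh, recent_set, recent_drop]    # step 1 appended before step 2


def run(chain, times, src="198.51.100.7"):
    """Send one NEW SSH connection from src at each timestamp (seconds);
    return the verdict for each."""
    table = RecentList()
    return [evaluate(chain, {"src": src, "dport": SSH_PORT, "new": True, "t": t}, table)
            for t in times]


if __name__ == "__main__":
    print("limiter first, 4 tries in 30 s:", run(LIMITER_FIRST, [0, 10, 20, 30]))
    print("limiter first, 4th try after 400 s:", run(LIMITER_FIRST, [0, 10, 20, 400]))
    print("ACCEPT first, 5 tries in 40 s:", run(ACCEPT_FIRST, [0, 10, 20, 30, 40]))
```

Two things the model makes visible. `--hitcount 4` is what allows exactly three attempts: the fourth NEW connection inside the 180-second window is the first one that matches, and every further attempt keeps the address in the window. And because `-A` appends, typing step 1 before step 2 puts the ACCEPT ahead of the limiter, so the chain never reaches the DROP rule; the two `recent` rules need to come before the ACCEPT (or the ACCEPT has to be inserted after them) for the limiter to do anything.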


Alternatively, we can tell sshd to listen on a second (unadvertised) port. This may (or may not) be more secure than using firewall rules to block brute-force attacks.

  1. Open port 33 on the firewall
    iptables -A INPUT -p tcp --dport 33 -j ACCEPT
  2. Change the settings of /etc/ssh/sshd_config
    # What ports, IPs and protocols we listen for
    Port 22
    Port 33
  3. Check the settings of /etc/hosts.allow
    sshd:              ALL
  4. Restart the firewall so the new rules take effect. Restart sshd.
    bash /etc/network/if-up.d/00-firewall
    service ssh restart


Since the ddclient package is installed, I can now connect to my server from the internet using:
ssh [-p 33] accountname@myusername.dyndns.org
