
Knock knock!



rolling
10-23-2006, 03:20 PM
I am sure that our Westhost managers are constantly under some sort of password guessing probe and I found this solution for reducing unauthorised SSH access on another forum.


A better solution to the ones previously posted is to configure your firewall to only allow ssh from IP addresses that do what is called "knocking", like knocking on a door. Using the script below, you could configure your server to only allow ssh access if someone first tries to connect to port x and then port y. For example, our server is configured so you must knock on two ports. Our users point their web browser to the following (example only) to 'knock' on the firewall:

http://server.com:6688/
http://server.com:25501/

Once the firewall sees attempts to connect on those ports (in that order, within 10 seconds), the firewall opens up ssh to the connecting machine only.

Here is our script:


#!/bin/sh
# Two-port knock for SSH: a NEW connection to port 22 is only accepted from a
# source address that first hit port 6688 and then port 25501 within 10 seconds.

# Reset the built-in chains. The default INPUT policy stays ACCEPT, so only
# port 22 is gated by the rules below.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT

# Create the knock chains if they do not exist yet, then empty them, so the
# script can be re-run without "Chain already exists" errors from -N.
/sbin/iptables -N SSH-INPUT 2>/dev/null
/sbin/iptables -F SSH-INPUT
/sbin/iptables -N SSH-INPUT2 2>/dev/null
/sbin/iptables -F SSH-INPUT2

# Knock 1: record the source address in the "recent" list SSH1, then drop the packet.
/sbin/iptables -A SSH-INPUT -m recent --name SSH1 --set -j DROP
# Knock 2: record the source address in the list SSH2, then drop the packet.
/sbin/iptables -A SSH-INPUT2 -m recent --name SSH2 --set -j DROP

# Accept a new SSH connection if this source completed knock 2 within the last 300 s.
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --seconds 300 --name SSH2 -j ACCEPT
# First knock: any new connection attempt to port 6688 marks the source in SSH1.
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 6688 -j SSH-INPUT
# Second knock: port 25501 only counts if the source was put in SSH1 within the last 10 s.
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25501 -m recent --rcheck --seconds 10 --name SSH1 -j SSH-INPUT2
# Every other new connection to port 22 is dropped.
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP




Do you think this is something that Westhost should implement?
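Added example (not part of the original post or the quoted script): a small model of what the ruleset above does with the iptables "recent" lists, so the ordering and timing rules can be checked without a firewall. It walks the INPUT chain in the same order as the script (SSH accept check, knock 1, knock 2, SSH drop) for a sequence of NEW TCP packets given as (source address, destination port, time in seconds). The packet sequences and the 203.0.113.x addresses are constructed for the example; the "recent" behaviour is modelled as "last time this source was seen in the named list".

```python
"""Model of the two-knock iptables ruleset using per-source 'recent' lists."""
from dataclasses import dataclass, field

KNOCK1, KNOCK2, SSH = 6688, 25501, 22
KNOCK_WINDOW = 10     # --seconds 10 on the SSH1 check (knock 1 -> knock 2)
OPEN_WINDOW = 300     # --seconds 300 on the SSH2 check (knock 2 -> ssh)


@dataclass
class KnockFirewall:
    # list name -> {source address: last time it was --set}; this is the
    # information xt_recent keeps per list (one list per --name)
    recent: dict = field(default_factory=lambda: {"SSH1": {}, "SSH2": {}})

    def _rcheck(self, name, src, now, seconds):
        # --rcheck --seconds N: match if src is in the list and was seen
        # within the last N seconds; the entry is not modified
        last = self.recent[name].get(src)
        return last is not None and now - last <= seconds

    def _set(self, name, src, now):
        # --set: add the source to the list, or refresh its timestamp
        self.recent[name][src] = now

    def new_syn(self, src, dport, now):
        """Fate of one NEW TCP packet, walking the INPUT chain rule by rule."""
        # rule 1: ssh is accepted only if knock 2 completed within OPEN_WINDOW
        if dport == SSH and self._rcheck("SSH2", src, now, OPEN_WINDOW):
            return "ACCEPT"
        # rule 2: knock 1 -> SSH-INPUT chain: remember the source, drop packet
        if dport == KNOCK1:
            self._set("SSH1", src, now)
            return "DROP"
        # rule 3: knock 2 counts only if knock 1 was seen within KNOCK_WINDOW;
        # otherwise the packet falls through to the ACCEPT policy (no listener)
        if dport == KNOCK2 and self._rcheck("SSH1", src, now, KNOCK_WINDOW):
            self._set("SSH2", src, now)
            return "DROP"
        # rule 4: any other new ssh connection is dropped
        if dport == SSH:
            return "DROP"
        # default policy of the INPUT chain is ACCEPT
        return "ACCEPT"


def run(packets):
    """Feed a constructed sequence of (src, dport, time) packets to a fresh firewall."""
    fw = KnockFirewall()
    return [fw.new_syn(src, dport, t) for src, dport, t in packets]


A, B = "203.0.113.5", "203.0.113.9"   # constructed client addresses

# Each scenario: the knocks, then an ssh attempt; only the first one opens port 22.
SCENARIOS = {
    "correct order, in time": [(A, KNOCK1, 0), (A, KNOCK2, 5), (A, SSH, 60)],
    "wrong order":            [(A, KNOCK2, 0), (A, KNOCK1, 5), (A, SSH, 10)],
    "second knock too late":  [(A, KNOCK1, 0), (A, KNOCK2, 11), (A, SSH, 12)],
    "ssh after 300 s":        [(A, KNOCK1, 0), (A, KNOCK2, 1), (A, SSH, 302)],
    "other source after knock": [(A, KNOCK1, 0), (A, KNOCK2, 1), (B, SSH, 2)],
}

if __name__ == "__main__":
    for name, packets in SCENARIOS.items():
        print(f"{name:28s} {run(packets)}")
```

Two things the model makes visible. First, the opening is keyed on the source address, so everyone behind the same NAT shares one knock and one 300-second window. Second, a knock is just a TCP connection attempt (state NEW, i.e. the SYN); a browser URL works, but so does any client such as `nc -z -w 1 server.com 6688` followed by the second port, and an observer who sees the two SYNs learns the sequence.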