Monday, July 25, 2005

iptables

Same here, both at home and at work. My solution: properly
configure the firewall. I've configured it in such a way that it
blocks all SSH access except from a couple of trusted machines.

This leaves you hanging, though, if you ever need to access the box
from a machine you didn't know about in advance. Enter port knocking.
Here is the relevant part of my iptables script:

# Common prefix: NEW TCP connections, matched by destination port
CMD="iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport"
# Port 22: accept only if the source IP is already in the recent list "SSH"
$CMD 22 -m recent --rcheck --name SSH -j ACCEPT
# Ports 11 and 13: remove the source IP from the list (close the door again)
$CMD 11 -m recent --name SSH --remove -j DROP
# Port 12: the knock; add the source IP to the list, then drop the packet
$CMD 12 -m recent --name SSH --set -j DROP
$CMD 13 -m recent --name SSH --remove -j DROP

If you make a connection to port 12, it'll remember the IP you did
that from, and enable SSH access from that IP, even though the
connection to port 12 fails. This is the knock on the door that
unlocks it. Connect to port 11 or 13 to close the port again. This is
so a sequential portscan won't keep the SSH port open.
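The following is an added example, not part of the original post: a stand-alone shell simulation of how the "recent" list named SSH changes as connections from one source hit the four rules above, in chain order. It assumes the chain's default policy is DROP (so a port-22 packet from an unlisted IP is dropped) and models the kernel's list as a plain shell variable; the function names (packet, knock_sequence, other_host_after_knock) are this example's own.

```shell
#!/bin/sh
# Added example (not the original author's script): simulate the iptables
# "recent" list called SSH as a space-separated list of source IPs.
SSH_LIST=""

# Is $1 in the list?  Models "-m recent --rcheck --name SSH".
in_list() {
    case " $SSH_LIST " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Models "--set": add $1 if it is not already present.
list_set() {
    in_list "$1" || SSH_LIST="$SSH_LIST $1"
}

# Models "--remove": drop $1 from the list.
list_remove() {
    new=""
    for ip in $SSH_LIST; do
        [ "$ip" = "$1" ] || new="$new $ip"
    done
    SSH_LIST="$new"
}

# Evaluate one NEW TCP connection from source $1 to destination port $2
# against the four rules, in chain order, and print the verdict.
# Port 22 is ACCEPTed only if the source was recorded by an earlier knock;
# anything else falls through to the assumed default policy, DROP.
packet() {
    src="$1"; dport="$2"
    case "$dport" in
        22)    if in_list "$src"; then echo ACCEPT; else echo DROP; fi ;;
        11|13) list_remove "$src"; echo DROP ;;
        12)    list_set "$src";    echo DROP ;;
        *)     echo DROP ;;
    esac
}

# Replay a sequence of destination ports from one source (starting from an
# empty list) and print the verdict a following SSH connection would get.
knock_sequence() {
    src="$1"; shift
    SSH_LIST=""
    for p in "$@"; do
        packet "$src" "$p" >/dev/null
    done
    packet "$src" 22
}

# Knock from $1, then try SSH from a different host $2: the list is keyed by
# source IP, so the second host is still dropped.
other_host_after_knock() {
    SSH_LIST=""
    packet "$1" 12 >/dev/null
    packet "$2" 22
}

# Constructed sample runs (addresses are made up for the example).
echo "knock on 12 only:        $(knock_sequence 10.0.0.5 12)"
echo "sequential scan 11,12,13: $(knock_sequence 10.0.0.5 11 12 13)"
echo "knock 12 then 13:         $(knock_sequence 10.0.0.5 12 13)"
echo "other host after knock:   $(other_host_after_knock 10.0.0.5 10.0.0.6)"
```

The simulation makes the ordering point visible: a scan that walks 11, 12, 13 in sequence opens the door on 12 and closes it again on 13, so it ends in DROP, while a lone connection to 12 ends in ACCEPT. One caveat the original rules leave open: with --rcheck and no --seconds, an IP stays in the list until the list's size limit evicts it, so a single knock grants access indefinitely; adding a --seconds window to the port-22 rule makes the entry expire.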

Sybren
--
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?
Frank Zappa
