JacobRhoden
09-28-2006, 07:09 AM
Hi,
There are a few posts about unauthorised ssh access; our rimu boxes are constantly under some sort of password guessing probe. A better solution than the ones previously posted is to configure your firewall to only allow ssh to IP addresses that do what is called "knocking", like knocking on a door. Using the script below you can configure your server to only allow ssh access if someone first tries to connect to port x and port y. For example, our server is configured so you must knock on two ports. Our users point their web browser to the following (example only) to 'knock' on the firewall:
http://server.com:6688/
http://server.com:25501/
Once the firewall sees attempts to connect on those ports (in that order, within 10 seconds), the firewall opens up ssh to the connecting machine only. (:
Here is our script:
#!/bin/sh
# Reset: default-accept on INPUT, then flush the three built-in chains
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F OUTPUT
# Special knock for port 22
# First knock: record the source address in the "recent" list SSH1, then drop the packet
/sbin/iptables -N SSH-INPUT
/sbin/iptables -A SSH-INPUT -m recent --name SSH1 --set -j DROP
# Second knock: record the source address in the list SSH2, then drop the packet
/sbin/iptables -N SSH-INPUT2
/sbin/iptables -A SSH-INPUT2 -m recent --name SSH2 --set -j DROP
# Accept a new ssh connection only from a source seen in SSH2 within the last 300 seconds
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --seconds 300 --name SSH2 -j ACCEPT
# Port 6688 is the first knock
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 6688 -j SSH-INPUT
# Port 25501 counts as the second knock only if SSH1 was set within the last 10 seconds
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25501 -m recent --rcheck --seconds 10 --name SSH1 -j SSH-INPUT2
# Any other attempt to open ssh is dropped
/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
If you are really paranoid, a sequence of 3 or 4 knocks in a particular order is much more secure. Two is enough for me.
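To see why the order and the two timing windows matter, here is a small Python model of the rule set above, added as an example and not part of the original post: it reimplements the xt_recent list logic (SSH1, SSH2) the rules rely on and walks the INPUT chain in rule order for each new TCP packet, using constructed source addresses and timestamps.

```python
# Added model of the two-knock iptables rules (not the poster's script). The
# xt_recent lists SSH1/SSH2 are dicts of source -> last-seen time and handle_syn()
# applies the INPUT chain in rule order. Times are seconds; all traffic is constructed.
KNOCK1, KNOCK2, SSH = 6688, 25501, 22
KNOCK_WINDOW, OPEN_WINDOW = 10, 300   # the --seconds values from the rules


class KnockFirewall:
    def __init__(self):
        self.recent = {"SSH1": {}, "SSH2": {}}

    def _rcheck(self, name, src, seconds, now):
        # --rcheck --seconds N: address is in the list and last seen <= N s ago
        seen = self.recent[name].get(src)
        return seen is not None and now - seen <= seconds

    def _set(self, name, src, now):
        self.recent[name][src] = now         # --set: add or refresh the entry

    def handle_syn(self, src, dport, now):
        """Return 'ACCEPT' or 'DROP' for a NEW TCP packet from src to dport."""
        if dport == SSH and self._rcheck("SSH2", src, OPEN_WINDOW, now):
            return "ACCEPT"                  # knock sequence completed recently
        if dport == KNOCK1:
            self._set("SSH1", src, now)      # chain SSH-INPUT
            return "DROP"
        if dport == KNOCK2 and self._rcheck("SSH1", src, KNOCK_WINDOW, now):
            self._set("SSH2", src, now)      # chain SSH-INPUT2
            return "DROP"
        if dport == SSH:
            return "DROP"                    # unknocked ssh hits the final DROP rule
        return "ACCEPT"                      # INPUT policy ACCEPT for other ports


def run_scenarios():
    """Exercise the knock logic; returns the ssh verdict for each constructed case."""
    out = {}
    fw = KnockFirewall()
    fw.handle_syn("203.0.113.5", KNOCK1, 0)
    fw.handle_syn("203.0.113.5", KNOCK2, 4)          # second knock 4 s later
    out["in_order"] = fw.handle_syn("203.0.113.5", SSH, 60)
    out["other_host"] = fw.handle_syn("198.51.100.9", SSH, 60)  # opening is per source
    out["after_open_window"] = fw.handle_syn("203.0.113.5", SSH, 4 + OPEN_WINDOW + 1)
    fw = KnockFirewall()
    fw.handle_syn("203.0.113.5", KNOCK2, 0)          # knocks in the wrong order
    fw.handle_syn("203.0.113.5", KNOCK1, 1)
    out["wrong_order"] = fw.handle_syn("203.0.113.5", SSH, 2)
    fw = KnockFirewall()
    fw.handle_syn("203.0.113.5", KNOCK1, 0)
    fw.handle_syn("203.0.113.5", KNOCK2, 11)         # 10 s knock window missed
    out["slow_knock"] = fw.handle_syn("203.0.113.5", SSH, 12)
    return out
```

Only the host that completed both knocks, in order and within 10 seconds, gets ssh accepted, and only for the 300-second window that follows the second knock.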