On Sat, 4 Sep 2004, Lew Bloch wrote:

> >> How about moving sshd from 22 to another port (85?) that only you and he
> >> would know. Then he would ssh to -p 85. Anyone ssh to -p 22 would get a
> >> timeout.
> >
> > Thought about that...but if anyone is port scanning my network they would
> > eventually find the open port and it's a matter of time.
>
> OK, then they know you exist, but that doesn't necessarily mean they can
> compromise your system. I haven't figured out how to be generally
> invisible except to friendlies, but one can allow ingress to members of
> only specific groups via the /etc/ssh/sshd_config "AllowGroups" entry
> (or to specific users via "AllowUsers").
>
> For example, you can create a group "frobozz" and put your friend's id
> in that group, then put a line in /etc/ssh/sshd_config
>
>     AllowGroups frobozz
>
> Of course, you'll also want to have a line
>
>     PermitRootLogin no
>
> I, too, am curious how to make the port visible to only the select few,
> but I don't think it can be done. The best I've found is to deny entry
> to those undesirables who do find my (non-standard) SSH port. Is there
> such a magic bullet?

I think that y'all are looking for something called "port knocking":

http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm

Basic idea...a daemon listens to all connection attempts to all ports.
When it detects a specific pattern, it will open the port that you define.

It won't help if somebody's actually sniffing one of the end-points,
because the bad guy will be able to record the knock sequence. Other than
that, it's not a bad idea.

I haven't used it, but there's a Linux program that claims to do this:

http://www.zeroflux.org/knock/

Good luck.

Ben

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
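The port-knocking idea Ben describes, as an added worked example that is not part of the thread and is not the knock program linked above: a small state machine that watches connection attempts per source address, opens the (non-standard) SSH port for a source once it has hit the secret ports in order within a time window, and resets on any wrong knock. The knock sequence 7000/8000/9000, the 10-second window, the 30-second open time, port 85 as the sshd port and the sample traffic are all assumptions chosen for illustration. The sample traffic also replays the exact weakness Ben mentions: an attacker who has sniffed the friend's knock gets in by repeating it.

```python
# Added example: a minimal port-knock daemon state machine, modelled on the
# description in the thread. Not code from the page and not knockd; the knock
# sequence, ports, timings and sample traffic are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence
KNOCK_WINDOW = 10.0                  # seconds allowed from first to last knock
OPEN_DURATION = 30.0                 # seconds the SSH port stays open per source
SSH_PORT = 85                        # the non-standard sshd port from the thread


@dataclass
class Progress:
    hits: int = 0         # how many knocks of the sequence matched so far
    started: float = 0.0  # timestamp of the first matching knock


class KnockDaemon:
    """Tracks per-source progress through the knock sequence and per-source open windows."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_for=OPEN_DURATION):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self._progress: Dict[str, Progress] = {}
        self._open_until: Dict[str, float] = {}

    def observe(self, src: str, port: int, ts: float) -> bool:
        """Feed one attempt to a closed port. Returns True if it completes the knock."""
        p = self._progress.get(src, Progress())
        if p.hits and ts - p.started > self.window:
            p = Progress()                      # stale partial sequence: start over
        if port == self.sequence[p.hits]:
            if p.hits == 0:
                p.started = ts
            p.hits += 1
            if p.hits == len(self.sequence):
                self._open_until[src] = ts + self.open_for
                self._progress.pop(src, None)
                return True
            self._progress[src] = p
        elif port == self.sequence[0]:
            self._progress[src] = Progress(hits=1, started=ts)  # wrong knock, but a fresh start
        else:
            self._progress.pop(src, None)       # wrong knock: sequence must be restarted
        return False

    def is_open(self, src: str, ts: float) -> bool:
        """Would the firewall pass a SYN from src to the SSH port at time ts?"""
        until = self._open_until.get(src)
        return until is not None and ts <= until

    def handle(self, src: str, port: int, ts: float) -> bool:
        """One SYN as the firewall sees it: the SSH port passes only for knocked-in
        sources; every other port is closed but its SYN is counted as a knock."""
        if port == SSH_PORT:
            return self.is_open(src, ts)
        self.observe(src, port, ts)
        return False


# Constructed sample traffic (ts, src, dst_port): a friend knocking correctly, a port
# scanner walking ports in ascending order, and an attacker replaying a sniffed knock.
SAMPLE_SYNS: List[Tuple[float, str, int]] = [
    (0.0, "10.0.0.5", 85),         # friend tries SSH before knocking: dropped
    (1.0, "10.0.0.5", 7000),
    (2.0, "10.0.0.5", 8000),
    (3.0, "10.0.0.5", 9000),       # sequence complete within the window
    (4.0, "10.0.0.5", 85),         # now accepted
    (5.0, "203.0.113.9", 7000),    # scanner, ascending order
    (5.1, "203.0.113.9", 7001),    # breaks the sequence
    (5.2, "203.0.113.9", 8000),
    (5.3, "203.0.113.9", 9000),
    (5.4, "203.0.113.9", 85),      # still closed for the scanner
    (60.0, "198.51.100.7", 7000),  # attacker replays the sniffed knock
    (61.0, "198.51.100.7", 8000),
    (62.0, "198.51.100.7", 9000),
    (63.0, "198.51.100.7", 85),    # accepted: knocking does not survive sniffing
]


def run(syns=SAMPLE_SYNS) -> Dict[Tuple[float, str], bool]:
    """Replay the sample traffic; return the firewall verdict for each SSH-port attempt."""
    daemon = KnockDaemon()
    verdicts: Dict[Tuple[float, str], bool] = {}
    for ts, src, port in syns:
        passed = daemon.handle(src, port, ts)
        if port == SSH_PORT:
            verdicts[(ts, src)] = passed
    return verdicts


if __name__ == "__main__":
    for (ts, src), ok in run().items():
        print(f"t={ts:5.1f} {src:14s} ssh -> {'ACCEPT' if ok else 'DROP'}")
```

A scanner that walks ports in numeric order never produces the sequence because the wrong port between the knocks resets its progress, which is why knocking is cheap cover against scanning; the replay from 198.51.100.7 succeeds for the same reason Ben gives, so the knock is an obscurity layer in front of sshd, not a replacement for AllowGroups and PermitRootLogin no.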