On 04/10/12 09:50, Laurie Brown wrote:
What you could try, if as I suspect, you wish to limit access to the remote machine, is to use port-knocking and iptables to open the tunnel up, AND use certificate pairs.
http://en.gentoo-wiki.com/wiki/Port_Knocking
http://www.hostsvault.com/blog/howto-protect-services-like-ssh-against-brute...
http://www.soloport.com/iptables.html
I'm a big fan of Shorewall, so:
http://www.shorewall.net/3.0/PortKnocking.html
HtH.
Laurie.
Hi,
I'm not entirely convinced by port knocking.
http://bsdly.blogspot.co.uk/2012/04/why-not-use-port-knocking.html
If you're behind a firewall and only the port-knocking ports are open, and they're in numeric order, then someone just doing a simple consecutive port scan might unlock your SSH port. I'm not saying don't do it, but just that I'm not convinced!
If you want to beef up security though, some of the other things in that article are useful. Disable root logins - obviously! Move your SSH port to a different address - when I did this the number of attempted logins on my server went from multiple attempts a day to perhaps one every 3-4 months!
Install Fail2Ban or DenyHosts. DenyHosts can download a list of IP addresses that have been scanning SSH ports and block them from accessing your system, and will also block your SSH port from being accessed from an IP address that makes repeated failed log-in attempts.
Limiting logins from specific IP addresses as you already do is a good idea.
I'm not absolutely sure what you're trying to do - I don't quite understand why you're reverse tunneling, for instance. Anyway, on the off-chance that this helps: you can/should set up a user-name on the remote machine with little or no privileges to do anything; however, allow this account to be SSH-ed into. Then you can configure Sudo for this account so that it specifically allows you to run the commands that you want it to, in conjunction with Sudo. Configure sudo with the visudo command, but google it first, or look at a manual.
Hope this helps a bit!
Steve
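As an added illustration of the checklist in Steve's reply (root logins off, SSH moved off port 22, logins limited to named accounts), here is a small audit script that reads an sshd_config and reports which of those three points are not met. It is example code, not from the thread; the sample configuration is constructed, and the parser follows sshd's rule that the first value seen for a keyword wins and that directives after a Match line are conditional rather than global.

```python
"""Audit an sshd_config against three hardening points: root login disabled,
SSH not on port 22, and a global AllowUsers/AllowGroups restriction.
sshd keeps the FIRST value it sees for a keyword, and lines after a Match
block only apply conditionally, so the parser honours both rules."""

# Constructed sample: the second PermitRootLogin line is ignored by sshd, and
# the AllowUsers inside the Match block is not a global restriction.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
# the next line is too late: sshd has already taken 'yes'
PermitRootLogin no
PasswordAuthentication no
Match Address 192.0.2.0/24
    AllowUsers admin
"""


def parse_global_directives(text):
    """Return {keyword_lowercase: first_value} for directives outside Match blocks."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break  # everything after a Match line is conditional, not global
        directives.setdefault(keyword, value)  # first value wins, as in sshd
    return directives


def audit(text):
    """Return a list of findings; an empty list means all three checks pass."""
    d = parse_global_directives(text)
    findings = []
    if d.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if d.get("port", "22") == "22":
        findings.append("SSH listens on the default port 22")
    if "allowusers" not in d and "allowgroups" not in d:
        findings.append("no global AllowUsers/AllowGroups restriction")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the script only reads the configuration and changes nothing.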