[olug] Shell accounts? [OT?]

Christopher Cashell topher-olug at zyp.org
Tue Sep 26 22:52:38 CDT 2017


On Thu, Sep 14, 2017 at 9:40 AM, Ben Hollingsworth <obiwan at jedi.com> wrote:

> The biggest bummer, nostalgia aside, is SSH access.  In order to keep the
> log file noise to a minimum, my home firewall restricts which IP blocks are
> allowed to SSH into my home computer.  On the rare occasion when I need to
> SSH in from an unapproved network, I was always able to SSH into falcon
> first, then jump from there to my home machine.  That route is no longer an
> option, so I'll probably have to open up the firewall again.  Or maybe I
> can just paint with a bigger brush & block foreign IP's using that list
> that somebody posted recently.
>

Someone mentioned port-knocking, which can be a handy solution for this.
Another option that can significantly reduce the log noise is to use
iptables to minimize or prevent brute-force SSH attacks.

Replace the iptables rule on your box that is allowing TCP port 22 with the
following:

# Matches a new SSH connection only while the per-source-IP bucket has credit;
# packets over the limit do not match and fall through to the next rule / chain policy.
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW \
    -m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min \
    --hashlimit-burst 4 --hashlimit-name ssh -j ACCEPT

That will limit new TCP connection attempts to a rate of 1 per minute, with
a burst of 4 allowed per source IP.  Basically, anyone who makes repeated
ssh attempts too quickly will automatically have their connection attempts
dropped.  The more attempts they make, the longer they get blocked.  The
best thing about it is that it requires no maintenance or external
applications (like fail2ban), and is very "fire and forget" for low
connection rate protocols like SSH.

One other handy option, you can keep SSH blocked from the outside, and use
something like OpenVPN to connect remotely.  Then, after establishing a VPN
session to your computer externally, you can SSH across the VPN to not
expose SSH publicly.  This can also give you some additional access
benefits to your system.

For the ultimate in remote shell flexibility, I'll echo another suggestion
that was thrown out, too: Linode.  I've been using Linode.com for 10 years
now, and I can't recommend them enough.  They're Virtual Private Server
(VPS) hosting by geeks/engineers for geeks/engineers.

-- 
> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com <mailto:obiwan at jedi.com>
> www.Jedi.com



-- 
Christopher
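The token bucket behind the hashlimit rule in the mail above, traced over constructed sample traffic. This is an added example, not code from the original message: it models the per-source credit counter that xt_hashlimit keeps (one credit per second, 60 credits consumed per new connection, capped at four connections' worth, which is what `--hashlimit-upto 1/min --hashlimit-burst 4 --hashlimit-mode srcip` configures). The IP addresses, the timestamps and the `policy` parameter (standing in for whatever the INPUT chain does with a packet the rule does not match) are assumptions of the example.

```python
"""Simulate the posted hashlimit rule against a stream of new SSH connections.

Added illustration, not part of the original mail.  xt_hashlimit is a token
bucket per key (here: per source IP).  A packet that finds enough credit
matches and the rule ACCEPTs it; a packet that does not match falls through
to the rest of the INPUT chain, so the final verdict for excess traffic is
whatever the chain policy or a later rule says (the `policy` argument here).
All addresses and timestamps below are constructed sample data.
"""


class HashLimit:
    """Per-source credit counter with the semantics of --hashlimit-upto N/min
    --hashlimit-burst B --hashlimit-mode srcip (integer credits, like the kernel)."""

    def __init__(self, per_minute=1, burst=4):
        self.cost = 60 // per_minute   # seconds of credit one new connection consumes
        self.cap = burst * self.cost   # the bucket never holds more than `burst` connections
        self.buckets = {}              # srcip -> (credit, time of last packet)

    def match(self, src, now):
        # An unseen source starts with a full bucket; credit regenerates one per
        # second of elapsed time, capped, and is recomputed on every packet.
        credit, last = self.buckets.get(src, (self.cap, now))
        credit = min(self.cap, credit + (now - last))
        if credit >= self.cost:
            self.buckets[src] = (credit - self.cost, now)
            return True                 # rule matches -> ACCEPT
        self.buckets[src] = (credit, now)
        return False                    # rule does not match -> fall through


def run_chain(attempts, policy="DROP", per_minute=1, burst=4):
    """Apply the rule to (time_s, srcip) attempts, in order, and return
    (time_s, srcip, verdict) for each.  `policy` is the verdict a non-matching
    packet receives from the rest of the chain (assumed, see lead-in)."""
    hl = HashLimit(per_minute, burst)
    return [(t, src, "ACCEPT" if hl.match(src, t) else policy) for t, src in attempts]


def accepted_count(verdicts, src):
    return sum(1 for _, s, v in verdicts if s == src and v == "ACCEPT")


def dropped_times(verdicts, src):
    return [t for t, s, v in verdicts if s == src and v != "ACCEPT"]


# Constructed sample: a scanner opening a connection every 5 s for ten minutes
# from 198.51.100.7, and the box's owner reconnecting a few times from
# 203.0.113.9 (five attempts inside the first minute, then one later).
SCANNER = [(t, "198.51.100.7") for t in range(0, 600, 5)]
OWNER = [(0, "203.0.113.9"), (20, "203.0.113.9"), (40, "203.0.113.9"),
         (50, "203.0.113.9"), (55, "203.0.113.9"), (200, "203.0.113.9")]
ATTEMPTS = sorted(SCANNER + OWNER)

if __name__ == "__main__":
    verdicts = run_chain(ATTEMPTS, policy="DROP")
    for src in ("198.51.100.7", "203.0.113.9"):
        accepted = [t for t, s, v in verdicts if s == src and v == "ACCEPT"]
        print(f"{src}: {len(accepted)} accepted at t={accepted}, "
              f"{len(dropped_times(verdicts, src))} dropped")
    # Same traffic on a chain whose policy is ACCEPT: the rule alone blocks nothing.
    lenient = run_chain(ATTEMPTS, policy="ACCEPT")
    print("with policy ACCEPT, dropped:", sum(v != "ACCEPT" for _, _, v in lenient))
```

Running it shows the scanner getting its first four connections through and then exactly one per minute for as long as it keeps hammering (the dropped packets do not consume credit, so the bucket refills at the same rate regardless of how hard the source tries), while the owner's fifth reconnect inside one minute is the only one of theirs that is lost. The second run, with `policy="ACCEPT"`, is the check to make before relying on this rule: the hashlimit match only decides what the ACCEPT rule applies to, so a chain without a DROP or REJECT after it (as policy or as an explicit rule) lets the excess through unchanged.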

