[olug] Shell accounts? [OT?]

aric at omahax.com aric at omahax.com
Tue Sep 26 23:26:40 CDT 2017

Thanks, that is a cool feature of iptables that I didn't know about.  When I first read the port knocking suggestion on this thread I thought about the Dr. Strangelove doomsday machine.  You could trigger events from a port knock.  ....and then this Rick and Morty scene https://youtu.be/a69kN7gyE70
There several ways to block SSH attempts.  I use pfSense to forward a non standard port, ban the IP after 5 failed attempts and ban IPs that port scan.  The iptables way you suggested looks to be the simplest.
------ Original message------From: Christopher CashellDate: Tue, Sep 26, 2017 10:53 PMTo: Omaha Linux User Group;Cc: Subject:Re: [olug] Shell accounts? [OT?]
On Thu, Sep 14, 2017 at 9:40 AM, Ben Hollingsworth  wrote:

> The biggest bummer, nostalgia aside, is SSH access.  In order to keep the
> log file noise to a minimum, my home firewall restricts which IP blocks are
> allowed to SSH into my home computer.  On the rare occasion when I need to
> SSH in from an unapproved network, I was always able to SSH into falcon
> first, then jump from there to my home machine.  That route is no longer an
> option, so I'll probably have to open up the firewall again.  Or maybe I
> can just paint with a bigger brush & block foreign IP's using that list
> that somebody posted recently.

Someone mentioned port-knocking, which can be a handy solution for this.
Another option that can significantly reduce the log noise is to use
iptables to minimize or prevent brute-force SSH attacks.

Replace the iptables rule on your box that is allowing TCP port 22 with the

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m
hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min --hashlimit-burst 4
--hashlimit-name ssh -j ACCEPT

That will limit new TCP connection attempts to a rate of 1 per minute, with
a burst of 4 allowed per source IP.  Basically, anyone who makes repeated
ssh attempts to quickly will automatically have their connection attempts
dropped.  The most attempts they make, the longer they get blocked.  The
best thing about it is that it requires no maintenance or external
applications (like fail2ban), and is very "fire and forget" for low
connection rate protocols like SSH.

One other handy option, you can keep SSH blocked from the outside, and use
something like OpenVPN to connect remotely.  Then, after establishing a VPN
session to your computer externally, you can SSH across the VPN to not
expose SSH publicly.  This can also give you some additional access
benefits to your system.

For the ultimate in remote shell flexibility, I'll echo another suggestion
that was thrown out, too: Linode.  I've been using Linode.com for 10 years
now, and I can't recommend them enough.  They're Virtual Private Server
(VPS) hosting by geeks/engineers for geeks/engineers.

> *Ben "Obi-Wan" Hollingsworth* obiwan at jedi.com 
> www.Jedi.com

OLUG mailing list
OLUG at olug.org

More information about the OLUG mailing list