Provide SSH to someone w/ dynamic IP address {Scanned}
Benjamin J. Weiss
benjamin at Weiss.name
Sun Sep 5 14:26:20 UTC 2004
On Sat, 4 Sep 2004, Lew Bloch wrote:
> >> How about moving sshd from 22 to another port (85?) that only you and he
> >> would know. Then he would ssh to -p 85. Anyone ssh to -p 22 would get a
> >> timeout.
> >
> > Thought about that...but if anyone is port scanning my network they would
> > eventually find the open port and it's a matter of time.
>
> OK, then they know you exist, but that doesn't necessarily mean they can
> compromise your system. I haven't figured out how to be generally
> invisible except to friendlies, but one can allow ingress to members of
> only specific groups via the /etc/ssh/sshd_config "AllowGroups" entry
> (or to specific users via "AllowUsers").
>
> For example, you can create a group "frobozz" and put your friend's id
> in that group, then put a line in /etc/ssh/sshd_config
> "AllowGroups" frobozz
>
> Of course, you'll also want to have a line
> PermitRootLogin no
>
> I, too, am curious how to make the port visible to only the select few,
> but I don't think it can be done. The best I've found is to deny entry
> to those undesirables who do find my (non-standard) SSH port. Is there
> such a magic bullet?
I think that y'all are looking for something called "port knocking":
http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
Basic idea...a daemon listens to all connection attempts to all ports.
When it detects a specific pattern, it will open the port that you define.
It won't help if somebody's actually sniffing one of the end-points,
because the bad guy will be able to record the knock sequence. Other than
that, it's not a bad idea.
I haven't used it, but there's a linux program that claims to do this:
http://www.zeroflux.org/knock/
Good luck.
Ben
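As an added example (not part of the thread), here is a small Python check for the two sshd_config controls Lew describes, AllowGroups/AllowUsers and PermitRootLogin. It mirrors how sshd reads the file: the first occurrence of a keyword is binding and later duplicates are ignored, and anything after a Match line is conditional rather than global. The sample config is constructed for this example.

```python
"""Audit a sshd_config for the access controls discussed in the thread."""
import re

# Constructed sample config: the second PermitRootLogin is ignored by sshd
# because the first occurrence wins; the Match block is conditional.
SAMPLE_CONFIG = """\
Port 85
permitrootlogin no
AllowGroups frobozz
# the next line is ignored by sshd: first occurrence wins
PermitRootLogin yes
Match Address 10.0.0.0/8
    AllowGroups ops
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global (pre-Match) section,
    keeping only the first occurrence of each keyword, as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and value are separated by whitespace or '='
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # everything after Match applies only conditionally
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means both controls are set."""
    s = parse_sshd_config(text)
    findings = []
    if "allowgroups" not in s and "allowusers" not in s:
        findings.append("no AllowGroups/AllowUsers: any local account may log in")
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no' (value: %r)"
                        % s.get("permitrootlogin", "unset"))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or ["ok: AllowGroups set, root login denied"])
```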