Provide SSH to someone w/ dynamic IP address {Scanned}

Tom Klem thewiz at lvcablemodem.com
Wed Sep 8 07:22:23 UTC 2004


What about "only allow users"?

The casual observer will not know for sure why no logon for them will work, and if they happen to hit one of your valid users, the password/authentication should stop them, yes?

Tom Klem


*********** REPLY SEPARATOR  ***********

On 09/05/2004 at 9:26 AM Benjamin J. Weiss wrote:

>On Sat, 4 Sep 2004, Lew Bloch wrote:
>
>> >> How about moving sshd from 22 to another port (85?) that only you and he
>> >> would know. Then he would ssh to -p 85. Anyone ssh to -p 22 would get a
>> >> timeout.
>> > 
>> > Thought about that...but if anyone is port scanning my network they would
>> > eventually find the open port and it's a matter of time.
>> 
>> OK, then they know you exist, but that doesn't necessarily mean they can 
>> compromise your system.  I haven't figured out how to be generally 
>> invisible except to friendlies, but one can allow ingress to members of 
>> only specific groups via the /etc/ssh/sshd_config "AllowGroups" entry 
>> (or to specific users via "AllowUsers").
>> 
>> For example, you can create a group "frobozz" and put your friend's id 
>> in that group, then put a line in /etc/ssh/sshd_config
>> 	"AllowGroups" frobozz
>> 
>> Of course, you'll also want to have a line
>> 	PermitRootLogin no
>> 
>> I, too, am curious how to make the port visible to only the select few, 
>> but I don't think it can be done.  The best I've found is to deny entry 
>> to those undesirables who do find my (non-standard) SSH port.  Is there 
>> such a magic bullet?
>
>
>I think that y'all are looking for something called "port knocking":
>
>http://netsecurity.about.com/cs/generalsecurity/a/aa032004.htm
>
>Basic idea...a daemon listens to all connection attempts to all ports.  
>When it detects a specific pattern, it will open the port that you define.
> 
>It won't help if somebody's actually sniffing one of the end-points, 
>because the bad guy will be able to record the knock sequence.  Other than 
>that, it's not a bad idea.
>
>I haven't used it, but there's a linux program that claims to do this:
>
>http://www.zeroflux.org/knock/
>
>Good luck.
>
>Ben
>
>
>-- 
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
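The knock daemon Ben describes, worked through as an added example (this is not the zeroflux knock program and not code from anyone in the thread): it watches connection attempts, tracks each source's progress through a secret port sequence, and only then lets that source reach the SSH port. The sequence, the 10-second window, the port 85 from the thread, and the log line format are all constructed assumptions for the demo.

```python
import re

# Constructed values for this example: the secret knock and the SSH port the
# thread suggests moving sshd to. Nothing here is taken from a real knockd.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0   # seconds a source gets to finish the whole sequence
SSH_PORT = 85

# Constructed firewall-style log lines: "<epoch> SRC=<ip> DPT=<port>"
LOG_RE = re.compile(r"^(\d+(?:\.\d+)?) SRC=(\S+) DPT=(\d+)$")

class KnockDetector:
    """Track per-source progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}   # src_ip -> (next index in sequence, time of first knock)
        self.opened = set()  # sources that may now reach SSH_PORT

    def observe(self, ts, src_ip, dst_port):
        """Feed one connection attempt; return True if the sequence just completed."""
        idx, started = self.progress.get(src_ip, (0, ts))
        if idx and ts - started > self.window:
            idx, started = 0, ts                 # too slow: start over
        if dst_port != self.sequence[idx]:
            self.progress.pop(src_ip, None)      # any wrong port resets progress,
            return False                         # so a sequential scan never completes
        idx += 1
        if idx < len(self.sequence):
            self.progress[src_ip] = (idx, started)
            return False
        self.progress.pop(src_ip, None)
        self.opened.add(src_ip)                  # the "door" opens for this source
        return True

    def allows(self, src_ip, dst_port):
        """Would the firewall accept this connection? Only SSH_PORT is gated."""
        return dst_port != SSH_PORT or src_ip in self.opened

def process_log(lines, detector=None):
    """Parse constructed log lines into the detector; return it plus who knocked."""
    det = detector or KnockDetector()
    knocked = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if det.observe(float(m.group(1)), m.group(2), int(m.group(3))):
            knocked.append(m.group(2))
    return det, knocked
```

Note that the detector keys only on source address and port order, which is exactly why Ben's caveat holds: anyone who captured the sequence can replay it from their own address and be admitted just the same.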