secure ssh access to your server

Every access to your system is a security threat.

Let’s focus on ssh (Secure Shell).
Even when there is no known security bug in ssh, hackers might have found a way in which they share (or sell) among themselves and which hasn't surfaced yet. And even if there is no security bug at all in ssh, access mostly depends on username/password combinations, and we all know what a weak system that is, especially when used from untrusted systems.

We can make life a little bit more secure by using a trick.
ssh access is blocked by default using iptables, but by visiting a secret URL on your website, ssh access from that IP address is turned on for a limited time. You will still need a username and password to access the box, but this way port scanners won't detect an ssh server running.

We will need a little script which extracts the IP address of the computer that accessed the web page. The script will generate a 404 Error page (and an HTTP 404 status header, to fool the clever hacker):

[php]
<?php
// Assumed implementation of what the text describes: record the visitor's
// address in /tmp for the cron job below (same file name as the bash script).
// REMOTE_ADDR is filled in by the web server, not taken from the URL.
$tmpfile = '/tmp/allow_sshd.tmp';
file_put_contents($tmpfile, $_SERVER['REMOTE_ADDR'] . "\n");

// Answer with a real 404 status and an Apache-style body, so the page
// looks like it does not exist.
header('HTTP/1.0 404 Not Found');
?>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /secret-url.php was not found on this server.</p>
<hr>
<address>Apache Server at www.yourserver.com Port 80</address>
</body></html>
[/php]

The IP address is written to a file in /tmp. As you might have noticed, there is no variable passing in the URL (e.g. http://www.yourserver.com/secret-url.php?ip=192.168.10.1 ), because that would be a potential security loophole. Also, the script itself uses simple message passing (the file in /tmp) to hand the relevant data (the IP address) to iptables; this way there is no direct coupling between a globally accessible web page and iptables.

We will use a bash script to read the IP address and configure iptables:

[code]
#!/bin/bash
TMPFILE="/tmp/allow_sshd.tmp"
LOGFILE="/var/log/allow_sshd.log"
IP=$(< "${TMPFILE}")
DATE=$(date)
# timeframe for communications to start
# (not named SECONDS: that is a bash builtin counter, so sleep would get a wrong value)
ALLOW_SECONDS="300"
LOCKFILE="/tmp/allow_sshd.lck"

if [ -s "${TMPFILE}" ] ; then
    # check for a lock file
    if [ ! -e "${LOCKFILE}" ] ; then
        # create the lock file to prevent more than one of these running
        /bin/touch "${LOCKFILE}"
        # write to the log
        echo "${DATE}: SSHD started from ${IP}" >> "${LOGFILE}"
        # remove the temp file
        /bin/rm -f "${TMPFILE}" > /dev/null 2>&1

        iptables -I INPUT -p tcp --dport 22 -s "${IP}" -j ACCEPT
        # wait ALLOW_SECONDS
        sleep "${ALLOW_SECONDS}"

        iptables -D INPUT -p tcp --dport 22 -s "${IP}" -j ACCEPT
        # remove the lock file to allow another copy to run
        /bin/rm -f "${LOCKFILE}"
    else
        # log multiple copy attempts
        echo "${DATE}: SSHD multiple copy attempt!" >> "${LOGFILE}"
        # remove temp file
        /bin/rm -f "${TMPFILE}" > /dev/null 2>&1
    fi
fi
[/code]

The script needs to run every minute to check for new IP addresses written to the tmp file, which is accomplished with a crontab entry:

* * * * * /usr/local/bin/allow-ssh.sh > /dev/null 2>&1
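One caveat a practitioner will want covered: the bash script above passes whatever is in the /tmp file straight to iptables, and any local user can write to /tmp. The following is an added example (not the page's or the original wiki's script) of the same allow/revoke step with the address checked first; it assumes the file name from the page and defaults IPTABLES to a dry run so it can be tried without root.

```shell
#!/bin/sh
# Added example: validate the address read from the temp file before it
# reaches iptables, because anything on the box can write to a file in /tmp.
# IPTABLES defaults to a dry run ("echo iptables") so this runs unprivileged;
# set IPTABLES=iptables on the real host.
IPTABLES="${IPTABLES:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"

# Return 0 when $1 is a plain dotted-quad IPv4 address (four octets, 0-255).
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, junk chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                                  # split on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read the address the web page left in file $1, validate it and open the
# ssh port for it. Returns 1 if the file is empty, 2 if it is malformed.
allow_ssh_from_file() {
    [ -s "$1" ] || return 1
    ip=$(head -n 1 "$1" | tr -d '[:space:]')
    if ! valid_ipv4 "$ip"; then
        echo "$(date): refused malformed address in $1" >&2
        return 2
    fi
    $IPTABLES -I INPUT -p tcp --dport "$SSH_PORT" -s "$ip" -j ACCEPT
}

# Remove the rule again once the time window has passed.
revoke_ssh_from() {
    $IPTABLES -D INPUT -p tcp --dport "$SSH_PORT" -s "$1" -j ACCEPT
}
```

Drop `allow_ssh_from_file "$TMPFILE"` and `revoke_ssh_from "$IP"` in place of the two bare iptables lines of the cron script and the rest of its lock and sleep logic stays as it is.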

original version:
http://gentoo-wiki.com/TIP_turn_sshd_on_from_php