Temporarily opening the SSH port from a remote host
Linux servers are usually managed remotely over SSH, which means exposing an SSH port such as 22. An open port can be brute-forced. You might say that a complex password or key-based authentication prevents that, but even if the password cannot be cracked, OpenSSH itself may have a vulnerability. You might say that you can change the SSH port, but it can still be found by a scan. Another option is to allow SSH only from specific IP addresses and reach the management server through a VPN, but the limitation is obvious: in an emergency the VPN may not come up. Here is a solution I find more satisfying: use the iptables recent module and open the SSH port temporarily with a secret signal (a ping of a specific size). Of course, the signal itself has to be kept under control so that it does not leak.
1. iptables rule setup
# Add the source IP of any 78-byte ICMP echo request (20-byte IP header + 8-byte ICMP header + 50 bytes of data) to the sshopen list.
The code is as follows:
iptables -A INPUT -p icmp --icmp-type 8 -m length --length 78 -m recent --set --name sshopen --rsource -j ACCEPT
# Check whether your source IP is in the sshopen list. If it is, SSH port 22 is open for 15 seconds counted from the moment the entry was set; after 15 seconds the port closes automatically, no new connections are accepted, and connections that are already established are not dropped.
The code is as follows:
iptables -A INPUT -p tcp --dport 22 --syn -m recent --rcheck --seconds 15 --name sshopen --rsource -j ACCEPT
2. Temporarily opening the SSH port
On Linux:
The code is as follows:
# 50 data bytes + 8-byte ICMP header + 20-byte IP header = the 78-byte packet the rule matches
ping -s 50 host
3. The iptables rules I currently use
The code is as follows:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
# a 78-byte echo request (ping -s 50) registers the source IP in the sshopen list
-A INPUT -p icmp -m icmp --icmp-type 8 -m length --length 78 -m recent --set --name sshopen --rsource -j ACCEPT
# new SSH connections are accepted only within 15 seconds of that knock
-A INPUT -p tcp -m tcp --dport 22 --syn -m recent --rcheck --seconds 15 --name sshopen --rsource -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
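To make the timing of the two recent-module rules concrete, here is an added Python model (not code from the original post) of the sshopen list and the INPUT rules above, run over a constructed packet sequence; the packet dicts, the hosts "A" and "B" and a default DROP policy on INPUT are assumptions.

```python
from dataclasses import dataclass, field

KNOCK_LEN = 78   # total IP length of the knock: 20 IP + 8 ICMP + 50 data bytes (ping -s 50)
WINDOW = 15      # --seconds 15
SSH_PORT = 22


@dataclass
class RecentList:
    """Model of one xt_recent list (here 'sshopen'): source IP -> time of its latest --set."""
    entries: dict = field(default_factory=dict)

    def set(self, src, now):
        self.entries[src] = now

    def rcheck(self, src, now, seconds):
        # --rcheck only reads the list; unlike --update it never refreshes the timestamp
        t = self.entries.get(src)
        return t is not None and now - t <= seconds


def filter_input(pkt, recent, now):
    """Verdict for one inbound packet, following the rule order of section 3 (assumed policy: DROP)."""
    if pkt.get("established"):
        return "ACCEPT"                                   # --state RELATED,ESTABLISHED
    if pkt["proto"] == "tcp" and pkt["dport"] in (80, 443, 123):
        return "ACCEPT"
    if pkt["proto"] == "icmp" and pkt["type"] == 8 and pkt["length"] == KNOCK_LEN:
        recent.set(pkt["src"], now)                       # the knock registers the source
        return "ACCEPT"
    if pkt["proto"] == "tcp" and pkt["dport"] == SSH_PORT and pkt.get("syn"):
        return "ACCEPT" if recent.rcheck(pkt["src"], now, WINDOW) else "DROP"
    if pkt["proto"] == "icmp" and pkt["type"] in (8, 11):
        return "ACCEPT"                                   # ordinary pings are answered but not registered
    return "DROP"


def run(events):
    """events: constructed (time, packet) pairs; returns one verdict per packet."""
    recent = RecentList()
    return [filter_input(p, recent, t) for t, p in events]


# Constructed scenario: A knocks correctly, B pings with the default size, A returns after the window.
SCENARIO = [
    (0, {"src": "A", "proto": "icmp", "type": 8, "length": 78}),           # knock: ping -s 50
    (5, {"src": "A", "proto": "tcp", "dport": 22, "syn": True}),           # inside the 15 s window
    (5, {"src": "B", "proto": "tcp", "dport": 22, "syn": True}),           # never knocked
    (6, {"src": "B", "proto": "icmp", "type": 8, "length": 84}),           # plain ping (56 data bytes)
    (7, {"src": "B", "proto": "tcp", "dport": 22, "syn": True}),           # wrong size: port stays closed
    (20, {"src": "A", "proto": "tcp", "dport": 22, "syn": True}),          # window expired at t=15
    (20, {"src": "A", "proto": "tcp", "dport": 22, "established": True}),  # existing session survives
]

if __name__ == "__main__":
    for (t, p), v in zip(SCENARIO, run(SCENARIO)):
        print(f"t={t:>2}s {p['src']} {p['proto']:<4} -> {v}")
```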
Changing an SSH user's root directory with a Jailkit chroot
Install Jailkit
The code is as follows:
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.16.tar.gz
tar xzf jailkit-2.16.tar.gz
cd jailkit-2.16
./configure
make
make install
# install the init script shipped in the tarball and enable it at boot
cp extra/jailkit /etc/init.d/jailkit
chmod u+x /etc/init.d/jailkit
chkconfig jailkit on
Initialize the chroot environment
The code is as follows:
# populate /home/chroot with the listed jk_init sections (sftp, scp, the jk_lsh shell, network tools, an extended shell)
jk_init -v -j /home/chroot sftp scp jk_lsh netutils extendedshell
service jailkit start
Create the www.jb51.net user
The code is as follows:
useradd www.jb51.net -m
echo www.jb51.net:password | chpasswd
Chroot the user
The code is as follows:
# move the user's home into the jail and give it /bin/bash (inside the jail) as its shell
jk_jailuser -m -n -j /home/chroot --shell=/bin/bash www.jb51.net