SSH hacked?

Steve Lamb grey at dmiyu.org
Sun Jan 18 05:38:54 UTC 2009


Knapp wrote:
> Not sure what you are trying to say. We are talking about ssh because we
> need it. Sure don't run what you don't need.

    So am I.  Knockd allows you to close off 22 to everyone, only open it up
to select IPs, and here's the catch, the entire world for a limited amount of
time *if needed*.

    It is a port knocking daemon.  To get 22 to even respond you have to hit a
sequence of inactive ports within a limited time frame.  When knockd sees that
sequence it injects an iptables rule which allows everyone into 22 for... 10
seconds.  Then it closes it back down.

    So you need ssh, great!  Do you need it to be accessible from the entire
planet 100% of the time?  If so, then this doesn't apply.  But most of us here
don't run machines on which we run a business that grants shell access.  That
means we can close down SSH to everyone, open it up to select few IPs (mine is
open to 2) and then have knockd as the backup to grant access to the world for
10 seconds so we can get in for the rare few times we need to when not at the
known IPs.

    All of that is before you even get to the password level and trivial to
set up.

-- 
         Steve C. Lamb         | But who can decide what they dream
       PGP Key: 1FC01004       |      and dream I do
-------------------------------+---------------------------------------------
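The setup Steve describes, written out as an added example that is not part of the original thread: a baseline firewall that admits SSH only from a couple of fixed IPs, plus a knockd.conf that opens port 22 to everyone for 10 seconds once the knock sequence arrives. The two trusted IP addresses, the knock sequence and the interface name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed assumptions:
# trusted admin IPs 203.0.113.10 and 198.51.100.7, knock sequence
# 7000,8000,9000, eth0 as the public interface.
set -eu

TRUSTED_IPS="203.0.113.10 198.51.100.7"

# Step 1: baseline firewall. Port 22 answers only the trusted IPs; every
# other source is dropped, so sshd never sees those connection attempts.
baseline_rules() {
    for ip in $TRUSTED_IPS; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Step 2: knockd configuration. The three SYNs must arrive within
# seq_timeout seconds; start_command then inserts an ACCEPT ahead of the
# DROP from step 1, and stop_command removes it again after cmd_timeout
# seconds (the 10-second window from the post). To admit only the host
# that knocked instead of the whole world, add "-s %IP%" to both commands.
knockd_conf() {
    cat <<'EOF'
[options]
    UseSyslog
    Interface = eth0

[openSSH]
    sequence      = 7000,8000,9000
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D INPUT -p tcp --dport 22 -j ACCEPT
EOF
}

# Usage: ./knock-setup.sh        -> print the rules and the config for review
#        ./knock-setup.sh apply  -> apply them (run as root, knockd installed)
if [ "${1:-show}" = "apply" ]; then
    baseline_rules | sh
    knockd_conf > /etc/knockd.conf
else
    baseline_rules
    knockd_conf
fi
```

After writing the config, restart knockd and send the three SYNs from the client (for example with the `knock` client that ships with knockd) before opening the SSH connection.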
