Limited SSH Access
While it may be nice to be able to ssh into your system from arbitrary locations on the internet, there are automated password-guessing systems that will lock onto an open ssh port and run joe-account (password equals username)
and dictionary attacks against your system. This is aggravating to read in your nightly log summary and is a waste of your bandwidth.
If you have a web server on the same system, you can use PHP and TCP Wrappers (hosts.allow/hosts.deny) to restrict inbound ssh traffic to known systems, plus give yourself a back-door key that permits access from arbitrary systems on the internet. Note that this relies on sshd being built with libwrap support; portable OpenSSH dropped that in 6.7, so on a modern system check that your sshd still honours hosts.allow before trusting this setup.
Here's how you do it:
- deny all ssh connections in /etc/hosts.deny:
# /etc/hosts.deny fragment
sshd: ALL
- Allow known systems by IP in /etc/hosts.allow, plus name a file whose contents are read as additional allowed addresses (hosts_access(5) treats a pattern beginning with / as a file of host patterns):
# /etc/hosts.allow fragment
sshd: 10.0.10.2 # some system
sshd: 22.214.171.124 # some other system
sshd: /etc/hosts.allow.temporary-sshd-access # addresses added by the PHP script
- Create a PHP file under your web server's document root and give it a non-obvious name like my-sshd-access.php:
fclose($lfp);print "Wrote: ";
Forgive the PHP code -- I swiped it from somewhere else, so it could probably stand to be cleaned up a whole bunch. All it does is append the IP address of the system accessing it to /etc/hosts.allow.temporary-sshd-access, which sshd reads (due to its inclusion by /etc/hosts.allow) at connection time. Two things to get right: the file must exist and be writable by the user the web server runs as (and by nothing else), and anyone who discovers the URL can grant their own address access, so an obscure file name alone is a thin defence.
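A cleaned-up version of that script, added here as an example and not the code from the original page: it requires a shared secret in the query string, accepts only a syntactically valid IP from REMOTE_ADDR, and appends it to the temporary file under a lock. The secret value, the query parameter name k, and the assumption that the file is writable by the web server user are mine, not the page's.

```php
<?php
// Added example (not the original page's script): hardened "knock" file.
// Assumptions: /etc/hosts.allow.temporary-sshd-access exists and is writable
// by the web server user; SECRET is replaced with a long random string.
declare(strict_types=1);

const ALLOW_FILE = '/etc/hosts.allow.temporary-sshd-access'; // file named in hosts.allow
const SECRET     = 'change-me-to-a-long-random-string';      // assumption: pick your own

function client_ip(): ?string
{
    // REMOTE_ADDR comes from the TCP connection, so the web server sets it;
    // X-Forwarded-For is client-supplied and must not be used here unless a
    // trusted reverse proxy is the only thing that can reach this script.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    // The value goes straight into a TCP Wrappers pattern file, so accept only
    // a literal IPv4/IPv6 address and nothing that could act as a wildcard.
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

function grant(string $file, string $ip): bool
{
    // Append under an exclusive lock so two simultaneous hits cannot interleave.
    $fp = fopen($file, 'a');
    if ($fp === false || !flock($fp, LOCK_EX)) {
        return false;
    }
    // hosts_access(5): a file named in hosts.allow holds bare host patterns,
    // one per line, not "sshd: ..." lines.
    $ok = fwrite($fp, $ip . "\n") !== false;
    flock($fp, LOCK_UN);
    fclose($fp);
    return $ok;
}

// Constant-time check of the shared secret. A wrong or missing secret gets a
// 404, so a scanner cannot tell the script exists.
if (!hash_equals(SECRET, (string)($_GET['k'] ?? ''))) {
    http_response_code(404);
    exit;
}

$ip = client_ip();
if ($ip === null || !grant(ALLOW_FILE, $ip)) {
    http_response_code(500);
    exit("Failed\n");
}

header('Content-Type: text/plain');
print "Wrote: {$ip}\n";
```

Fetch it over HTTPS (so the secret is not sent in the clear) with a browser or wget, e.g. `wget -qO- 'https://your-server/my-sshd-access.php?k=<secret>'`, then ssh in. Nothing in the script removes entries, so pair it with a cron job that truncates the temporary file periodically, or the "temporary" access becomes permanent.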
Now when you are at some arbitrary system on the web and want to ssh to this system, first hit this file with a web browser (or wget or equivalent) from that system.
Now you should be able to ssh in to your system. If this is somewhere you will likely be ssh'ing in from frequently, it is trivial to read the contents of /etc/hosts.allow.temporary-sshd-access and permanently add the IP address to /etc/hosts.allow; otherwise, clear the temporary file out periodically so that addresses you used once do not stay allowed forever.