For When You Can't Have The Real Thing
[ start | index | login ]
start > Linux > Limited SSH Access

Limited SSH Access

Created by dave. Last edited by dave, 13 years and 149 days ago. Viewed 9,858 times. #3
[diff] [history] [edit] [rdf]

Limited SSH Access

While it may be nice to be able to ssh into your system from arbitrary locations on the internet, there are automated password attack systems which will lock onto an open ssh port and apply various joe account and dictionary attacks against your system. This can be aggrevating to read in your nightly log summary and is a waste of your bandwidth.

If you have a web server on the same system, you can use php and tcp wrappers to restrict ssh inbound traffic to known systems, plus give you a back-door key to permit yourself access from arbitrary systems on the internet.

Here's how you do it:

  • deny all ssh connections in /etc/hosts.deny:
# /etc/hosts.deny fragment
sshd:  all
  • Allow known systems by IP in /etc/hosts.allow, plus add a file for temporary access:
# /etc/hosts.allow fragment
sshd:     # some system
sshd:  # some other system
sshd:  /etc/hosts.allow.temporary-sshd-access
  • Create a php file in your web server and give it a non-obvious name like my-sshd-access.php:

function get_ip() { return getenv("REMOTE_ADDR"); }


<?php $out='/etc/hosts.allow.temporary-sshd-access'; $log='/var/log/sshd-access-addition-log';

print "Was:"; readfile($out); print "<br>"; $ip=get_ip(); $fp=fopen($out,"w"); fputs($fp,$ip); fclose($fp);

$lfp=fopen($log,"a"); fputs($lfp,$ip); fputs($lfp,"n"); fclose($lfp);

print "Wrote: "; readfile($out); ?>

Forgive the php code -- I swiped it from somewhere else, so it could probably stand to be cleaned up a whole bunch. All it does is add the IP address of the system accessing it to the /etc/hosts.allow.temporary-sshd-access file, which is read by sshd (due to its inclusion by /etc/hosts.allow) at connection time.

Now when you are at some arbitrary system on the web and want to ssh to this system, first use a web browser and hit this file (or use wget or equivilent):

Now you should be able to ssh in to your system. If this is somewhere you will likely be ssh'ing in from frequently, it would be trivial to read the contents of the /etc/hosts.allow.temporary-sshd-access file and permanently add the IP address to /etc/hosts.allow.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful: | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt