Controlling port blocking with web interface

Nathan Funk
01-16-2006, 03:07 PM
I get many malicious login attempts to my ssh server every day. They
show up in my logs and annoy me. I know I could turn off the logging
and just ensure that my passwords are not in a dictionary. But I would
rather completely block the ssh port for everyone except a select few
IP addresses or ranges.

When I travel I would like to allow specific IPs without knowing them
in advance. The best solution I could think of so far is to control
everything through the web server on the same machine. I should be able
to go to a specific page, enter the IP address I want to allow and then
be able to log in via ssh.

Is there any software out there that can accomplish what I'm looking
for? Is there maybe even a better solution?

Thanks!

Nathan

 
Moe Trin
01-17-2006, 11:52 PM
On 16 Jan 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, Nathan Funk wrote:

>I get many malicious login attempts to my ssh server every day. They
>show up in my logs and annoy me. I know I could turn off the logging
>and just ensure that my passwords are not in a dictionary.


Not just "not in a dictionary" but also mixed case, and contains one
or more numbers and punctuation. However another good idea is a
non-standard username (used to be, we'd use 'firstname,last_initial' or
first_initial,last_name, or similar for usernames, and use a random
number generator to get an initial password - now, it's head -2 /dev/random
piped into mimencode to get username _AND_ password). There's no reason
for the username to be something obvious (and unsafe) like 'root'.

>When I travel I would like to allow specific IPs without knowing them
>in advance. The best solution I could think of so far is to control
>everything through the web server on the same machine. I should be able
>to go to a specific page, enter the IP address I want to allow and then
>be able to log in via ssh.


Wowser, you're jumping out of the frying pan right into the fire. Web
pages are REALLY not secure.

>Is there any software out there that can accomplish what I'm looking
>for? Is there maybe even a better solution?


1. Don't run your SSHD on the "standard" port (22), but move it off into
the unexplored boonies - pick a number between 1 and 65535 - ANYTHING other
than the obvious ones (and that includes such l33t skript kiddiez numbers
like 12345, 54321, 7337, 55555, and so on). Avoid "normal" ports - more and
more ISPs are blocking port 25 to reduce zombie spam. Recall that many scan
tools like nmap default to looking at ports 1-1024 - so they're less than
desirable.

2. Port knocking. You have to (try to) connect to some specific closed
port on your server, which then causes another port to open for a period.
There was a recent thread on one of the Linux newsgroups, complete with
example firewall rules to accomplish this, but a quick google search fails
to turn it up. This works best in combination with "non-standard" ports. Try
http://www.portknocking.org/, http://www.linuxjournal.com/article/6811, and
http://www.tummy.com/journals/entrie...0050716_152920 for further hints.

3. Blanket firewall rules - to close access from ranges that you are not
likely to need. Everyone picks on Asia and Central/South America as being
places to block, well - here are a couple ranges that might be an example:
58.0.0.0/7, 60.0.0.0/7, 120.0.0.0/5, 189.0.0.0/8, 190.0.0.0/8, 200.0.0.0/6,
210.0.0.0/7, 218.0.0.0/7, 220.0.0.0/6. What's that, nine rules? It
will result in blocking a lot of APNIC and LACNIC (but let me stress this,
NOT ALL). Six more similar sized rules, and you can piss off a lot of people
in Europe. Collateral damage? Wazzat? See
http://www.iana.org/assignments/ipv4-address-space for guesses at this scale
of block.

Old guy
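As an added illustration (not code from the thread or from the write-ups it links), this is the decision logic a port-knocking setup implements, modelled in Python; the knock ports, the sshd port and the two timing windows are assumptions chosen for the example:

```python
# Illustrative port-knocking decision logic (added example). A source must hit
# the knock ports in order, each knock within KNOCK_GAP seconds of the previous
# one; the SSH port then answers that source alone for OPEN_FOR seconds.
# Knock packets themselves are always dropped, so a scanner learns nothing.

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed knock ports
SSH_PORT = 2222                       # assumed non-standard sshd port
KNOCK_GAP = 10.0                      # max seconds between consecutive knocks
OPEN_FOR = 30.0                       # seconds the door stays open after the last knock


class Knocker:
    """Tracks per-source knock progress and open windows."""

    def __init__(self, sequence=KNOCK_SEQUENCE, ssh_port=SSH_PORT,
                 knock_gap=KNOCK_GAP, open_for=OPEN_FOR):
        self.sequence, self.ssh_port = sequence, ssh_port
        self.knock_gap, self.open_for = knock_gap, open_for
        self.progress = {}   # src -> (knocks completed, time of last knock)
        self.opened = {}     # src -> time the final knock landed

    def packet(self, src, dport, now):
        """Return the verdict ('ACCEPT' or 'DROP') for a new TCP connection."""
        if dport == self.ssh_port:
            opened_at = self.opened.get(src)
            if opened_at is not None and now - opened_at <= self.open_for:
                return "ACCEPT"
            self.opened.pop(src, None)        # window expired: close the door again
            return "DROP"

        done, last = self.progress.get(src, (0, now))
        if done and now - last > self.knock_gap:
            done = 0                          # too slow: the sequence starts over

        if dport == self.sequence[done]:
            done += 1
            if done == len(self.sequence):    # sequence complete: open for src only
                self.opened[src] = now
                self.progress.pop(src, None)
            else:
                self.progress[src] = (done, now)
        elif dport == self.sequence[0]:
            self.progress[src] = (1, now)     # wrong port, but a fresh first knock
        else:
            self.progress.pop(src, None)      # any other port resets this source
        return "DROP"                         # knocks are never answered
```

A scanner sweeping ports in ascending order hits 7000 and then 7001, which resets it, so it never completes the sequence; a source that knocks correctly but too slowly is reset as well.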
 
Grant
01-18-2006, 03:34 AM
On Tue, 17 Jan 2006 18:52:00 -0600, (E-Mail Removed) (Moe Trin) wrote:

> 220.0.0.0/6.

....
> Collateral damage? Wazzat?


Consider me collaterally damaged. Some of 220.0.0.0/6 is .au

Most saddened when you lump a lad from down under with the Asian
spammers.

Grant.
--
WinXP: Access Start->Turn Off Computer, then while holding
Ctrl-Alt-Shift, left click on Cancel. This kills Windows
Explorer.
 
Moe Trin
01-18-2006, 07:05 PM
On Wed, 18 Jan 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed)>, Grant wrote:

>(Moe Trin) wrote:


>> 220.0.0.0/6.

>...
>> Collateral damage? Wazzat?

>
>Consider me collaterally damaged Some of 220.0.0.0/6 is .au


[compton ~]$ grep AU IP.ADDR/stats/A[PR]* | grep ' 22[0-3]\.[0-9]' | cut -d' ' -f2,3 | column
220.101.0.0 255.255.128.0 220.240.0.0 255.255.0.0
220.101.128.0 255.255.192.0 220.244.0.0 255.255.0.0
220.157.64.0 255.255.224.0 220.245.0.0 255.255.0.0
220.233.0.0 255.255.128.0 220.253.0.0 255.255.128.0
220.233.128.0 255.255.128.0 220.253.128.0 255.255.192.0
220.235.0.0 255.255.128.0 221.120.128.0 255.255.224.0
220.235.128.0 255.255.128.0 221.120.160.0 255.255.240.0
220.236.0.0 255.255.0.0 221.121.64.0 255.255.224.0
220.237.0.0 255.255.0.0 221.121.128.0 255.255.224.0
220.238.0.0 255.255.0.0 221.133.192.0 255.255.224.0
220.239.0.0 255.255.0.0
[compton ~]$

Yup - I'm aware of that. In fact,

[compton ~]$ grep -h ' 22[0-3]\.[0-9]' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 | sort -u | column
AU HK IN KR NZ SG TW
CN ID JP LK PH TH VN
[compton ~]$

This really is why I'm constantly telling people that such broad filtering
rules won't work. IP addresses are not allocated like postal codes. APNIC
which allocates address space in the Asia Pacific region actually covers
from Afghanistan East-about to Pitcairn Island, from Mongolia to Tasmania.
However, ARIN has a few blocks in that area, and APNIC also has a few in
countries out of that area (last I checked, CH, GB, and US were not part
of Asia, though Hawaii and Alaska are "in" the Pacific).

>Most saddened when you lump a lad from down under with the Asian
>spammers


Well, you guys wanted to be independent of the mother-country ;-) But
then, if the old Empire were still considered a registration "country",
there would still be problems. And it won't get any better when IPv6
becomes the standard. Oz is still being issued out of APNIC (which is in
Brisbane after all), and no one is making the effort to group countries
into "convenient" blocks of IP addresses.

Old guy
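To put numbers on the collateral damage Moe describes, here is an added example (not part of the thread) that feeds the 21 Australian allocations from his grep output through the nine blanket ranges from his first post, using Python's standard ipaddress module; the allocation list is re-typed from the post, everything else is the example's own:

```python
import ipaddress

# The nine blanket ranges Moe proposes in his first post.
BLANKET_BLOCKS = [ipaddress.ip_network(c) for c in (
    "58.0.0.0/7", "60.0.0.0/7", "120.0.0.0/5", "189.0.0.0/8", "190.0.0.0/8",
    "200.0.0.0/6", "210.0.0.0/7", "218.0.0.0/7", "220.0.0.0/6")]

# Australian allocations in 220-223 as network/netmask pairs, re-typed in one
# column from Moe's grep output above.
AU_STATS = """220.101.0.0 255.255.128.0
220.101.128.0 255.255.192.0
220.157.64.0 255.255.224.0
220.233.0.0 255.255.128.0
220.233.128.0 255.255.128.0
220.235.0.0 255.255.128.0
220.235.128.0 255.255.128.0
220.236.0.0 255.255.0.0
220.237.0.0 255.255.0.0
220.238.0.0 255.255.0.0
220.239.0.0 255.255.0.0
220.240.0.0 255.255.0.0
220.244.0.0 255.255.0.0
220.245.0.0 255.255.0.0
220.253.0.0 255.255.128.0
220.253.128.0 255.255.192.0
221.120.128.0 255.255.224.0
221.120.160.0 255.255.240.0
221.121.64.0 255.255.224.0
221.121.128.0 255.255.224.0
221.133.192.0 255.255.224.0"""


def parse_stats(text):
    """Turn 'network netmask' lines into IPv4Network objects (strict: host bits must be zero)."""
    return [ipaddress.ip_network("{}/{}".format(*line.split()))
            for line in text.splitlines() if line.strip()]

def caught_by(nets, blocks=BLANKET_BLOCKS):
    """Allocations a blanket rule would swallow, paired with the rule responsible."""
    return [(n, b) for n in nets for b in blocks if n.overlaps(b)]

def blocked_addresses(nets, blocks=BLANKET_BLOCKS):
    """How many addresses in nets the blanket rules cut off (the blocks are disjoint)."""
    return sum(n.num_addresses for n, _ in caught_by(nets, blocks))

def blanket_block_for(addr, blocks=BLANKET_BLOCKS):
    """The blanket rule that would drop a single address, or None if it gets through."""
    a = ipaddress.ip_address(addr)
    return next((b for b in blocks if a in b), None)
```

Every one of the 21 listed Australian allocations falls inside 220.0.0.0/6, so that single rule alone drops roughly 733,000 Australian addresses.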
 
Nathan
01-19-2006, 12:16 AM
Thanks Moe and Grant. Thanks for the extensive list of options. I had
considered moving sshd to a different port but was afraid it might
cause problems with certain other programs that I use. But I think for
now it's the best option - if I run into problems I'll try something
else.

Thanks guys,

Nathan

 