SSH Restrictions

Automatic ssh blocking

Almost all user-accessible machines on our network allow ssh logins. To decrease the likelihood of an intruder making repeated connections and possibly guessing a user's password, our machines will block any IP address making repeated ssh connection attempts.

The blocking of ssh connection attempts occurs based on how often they occur, regardless of whether or not they succeed. If you do several successful ssh logins in a short time, your IP address may still get blocked. Then any further attempts to make a new ssh connection will fail with a timeout. (Any existing ssh session will still remain active. The block only affects new connection attempts.)

To bypass the block simply follow the port knocking instructions below.

Port Knocking

Port knocking (see Wikipedia entry) is used to open up a firewall port while you are still outside the firewall. On our network, to connect to any machine with ssh after the firewall on the machine has blocked you, simply make a tcp connection to port 1010 on that machine. You can do this with a telnet, ssh, ftp, or other client (and be sure to specify port 1010). Your connection attempt to port 1010 will fail with an error message, but after this, the destination machine will open up its ssh port to your IP address and allow you to connect.

For example, suppose you make several ssh connections to oxygen.rahul.net in quick succession, and the firewall on that machine blocks you. Now any further new ssh connections to that machine will time out.

(If you are already logged in via ssh, your current session will remain active.)

To let the firewall know you are not an intruder, you can do port knocking to port 1010 from most Linux, UNIX, and Windows machines like this:

  telnet oxygen.rahul.net 1010

This tries to connect to port 1010 on oxygen.rahul.net and immediately fails. However, the firewall on oxygen.rahul.net will now let you make an ssh connection to oxygen.rahul.net.

You don't have to use telnet. Any tool that makes a tcp connection to port 1010 will unblock you.

The firewall blocking described above will block people on the Internet who try to break into IP addresses picked at random. It will not block somebody who is motivated enough to come to this web page, read these instructions, and then try to break in.

We may revise these port knocking instructions in the future. If the port 1010 procedure does not work in the future, please come back to this page for current port knocking information.

You still need a strong password. The ssh blocking described above is only a first line of defense. You should still be careful to pick a hard-to-guess password not in any dictionary, so that an intruder who makes an ssh connection still cannot log in.

Note. If you connect to the virtual fault-tolerant front-end ssh.rahul.net (see: Classic Linux) you may have to do port knocking more than once before the firewall lets you in. Also, while you are logged in via ssh to ssh.rahul.net, if your session seems to hang, try opening a new window and doing the port knocking again once or twice.

 
security/ssh_restrictions.txt · Last modified: 2010-09-20 18:17 by admin
 
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki