
Classic Linux SSH restrictions (and hints)

Automatic ssh blocking

To decrease the likelihood of an intruder making repeated connections and possibly guessing a user's password, our Classic Linux machines will block any IP address making repeated ssh connection attempts.

The blocking of ssh connection attempts occurs based on how often they occur, regardless of whether or not they succeed. If you do several successful ssh logins in a short time, your IP address may still get blocked. Then any further attempts to make a new ssh connection will fail with a timeout. (Any existing ssh session will still remain active. The block only affects new connection attempts.)

To bypass the block simply follow the port knocking instructions below.

Port Knocking

Port knocking (see Wikipedia entry) is used to open up a firewall port while you are still outside the firewall. On our network, to connect to any machine with ssh after the firewall on the machine has blocked you, simply make a tcp connection to port 1010 on that machine. You can do this with a telnet, ssh, ftp, or other client (and be sure to specify port 1010). Your connection attempt to port 1010 will fail with an error message, but after this, the destination machine will open up its ssh port to your IP address and allow you to connect.

For example, suppose you make several ssh connections to aqua-new.rahul.net in quick succession, and the firewall on that machine blocks you. Now any further new ssh connections to that machine will time out.

(If you are already logged in via ssh, your current session will remain active.)

To let the firewall know you are not an intruder, you can do port knocking to port 1010 from most Linux, UNIX, OS X, and Windows machines with one of these commands:

telnet aqua-new.rahul.net 1010
ssh -p 1010 aqua-new.rahul.net
nc aqua-new.rahul.net 1010

It doesn't matter which of these commands you use. Pick any one, no need to use all three.

These commands try to connect to port 1010 on aqua-new.rahul.net and will immediately fail. However, the firewall on aqua-new.rahul.net will now let you make an ssh connection to aqua-new.rahul.net.

You don't have to use these specific commands. Any tool that makes a tcp connection to port 1010 will unblock you.
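As an added illustration of the procedure above (not a tool provided by this site), the following Python helper checks whether the ssh port is timing out, performs the port 1010 knock, and re-checks; the host name defaults to aqua-new.rahul.net from the text, and the timeout value is an assumption.

```python
import socket

# Port numbers as stated on this page.
KNOCK_PORT = 1010
SSH_PORT = 22


def tcp_probe(host, port, timeout=5.0):
    """Attempt one TCP connection and classify the outcome.

    Returns "open" (handshake completed), "refused" (the host answered
    with a reset, which is how the knock port is expected to behave),
    "timeout" (no answer at all, which is what a blocked ssh port looks
    like) or "error" (name resolution or other socket failure).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "error"


def unblock_if_needed(host, ssh_port=SSH_PORT, knock_port=KNOCK_PORT, timeout=5.0):
    """Follow the page's procedure: if ssh times out, knock, then re-check.

    Returns a dict recording each step so the caller can see whether the
    knock was needed and whether ssh answers afterwards.
    """
    result = {"before": tcp_probe(host, ssh_port, timeout), "knock": None, "after": None}
    if result["before"] != "timeout":
        # Not blocked (or a different problem entirely); knocking changes nothing.
        return result
    # The knock itself is expected to fail; only the connection attempt matters.
    result["knock"] = tcp_probe(host, knock_port, timeout)
    result["after"] = tcp_probe(host, ssh_port, timeout)
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "aqua-new.rahul.net"
    print(unblock_if_needed(target))
```

A result of `{"before": "timeout", "knock": "refused", "after": "open"}` is the expected sequence for a blocked address; `"after": "timeout"` means the knock did not unblock you and the instructions on this page may have changed.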

The firewall blocking described above will block people on the Internet who try to break into IP addresses picked at random. It will not block somebody who is motivated enough to come to this web page, read these instructions, and then try to break in.

We may revise these port knocking instructions in the future. If the port 1010 procedure does not work in the future, please come back to this page for current port knocking information.

You still need a strong password. The ssh blocking described above is only a first line of defense. You should still be careful to pick a password that is a random string, so that an intruder who makes an ssh connection still cannot log in.

How to keep an ssh session alive

An ssh session that is left idle will eventually time out. If you want to keep the session alive, instead of running some arbitrary program at the other end, give your ssh client this argument (or the equivalent option recognized by your ssh client):

-oServerAliveInterval=240

It asks your ssh client to send a keep-alive packet every 4 minutes. Then you don't need to run a useless program on the server.

Also, we support ssh logins using the mosh client, which will automatically recover from lost connections.

Also, you can use screen or tmux, which will let you disconnect and reconnect without losing work.



ssh_restrictions.txt · Last modified: 2021/01/11 17:49 by admin