[TriLUG] bad address list

Alan Porter porter at trilug.org
Thu Jan 28 17:22:55 EST 2010


There's a nice utility called "knock" that implements a special
iptables rule that can be turned on and off by "port knocking".

The knock server listens on several ports (you define them) for
a sequence of connections.  If the combination is right, it opens
up the iptables rule for the service that you're blocking.

The knock client can be run to automate the process of knocking
before running the real application client.  The SSH config file
can easily be configured to run the port knocking client before
attempting to connect to a given server.

It's very slick.  And when the guard is up, you should receive
NO unauthorized connection attempts.

Personally, I don't go that far.  I just use SSH keys.  These are
the magic lines to add to sshd_config:
 > # turns off the "user@machine's password:" prompt
 > PasswordAuthentication no
 > # turns off the keyboard-interactive "Password:" prompt
 > ChallengeResponseAuthentication no
 > # keys are OK
 > PubkeyAuthentication yes

Alan
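The knock server described above keeps, per source address, how far through the port sequence that source has got and within what time window. The following is an added example that is not part of the original post and not knockd's own code: it models that server-side sequence matching on constructed connection events (addresses, ports and timestamps are all made up), fires an `on_open` callback where a real daemon would insert the iptables rule, and shows why a plain sequential port scan across the knock ports never opens anything and why a sequence that takes too long is discarded. The restart-on-first-port behaviour is this example's choice, not a statement about how knockd handles it.

```python
"""Server-side port-knock sequence matching (added example, not knockd code).

Each source address must hit the configured ports in order, within
`timeout` seconds of its first knock. A hit on the wrong port throws away
that source's partial sequence. Completing the sequence fires `on_open`,
which in a real deployment would insert the iptables rule; no iptables
call is made here. All addresses, ports and timestamps are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass
class _Progress:
    next_index: int      # index into the sequence of the port expected next
    started_at: float    # time of the first knock of this attempt


class KnockServer:
    def __init__(self, sequence: Sequence[int], timeout: float,
                 on_open: Callable[[str], None]) -> None:
        if len(sequence) < 2:
            raise ValueError("a knock sequence needs at least two ports")
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.on_open = on_open
        self._progress: Dict[str, _Progress] = {}

    def knock(self, src: str, port: int, now: float) -> bool:
        """Record one connection attempt from `src` to `port` at time `now`.

        Returns True only when this knock completes the whole sequence.
        """
        prog = self._progress.get(src)
        # A partial sequence older than the window is forgotten.
        if prog is not None and now - prog.started_at > self.timeout:
            prog = None
        if prog is None:
            prog = _Progress(next_index=0, started_at=now)

        if port != self.sequence[prog.next_index]:
            # Wrong port: discard progress. If the stray hit is itself the
            # first port of the sequence, treat it as a fresh start (this
            # example's choice, not a claim about knockd's behaviour).
            if port == self.sequence[0]:
                self._progress[src] = _Progress(next_index=1, started_at=now)
            else:
                self._progress.pop(src, None)
            return False

        prog.next_index += 1
        if prog.next_index == len(self.sequence):
            self._progress.pop(src, None)
            # A real daemon would run something like:
            #   iptables -I INPUT -s <src> -p tcp --dport 22 -j ACCEPT
            self.on_open(src)
            return True
        self._progress[src] = prog
        return False


def replay(events: List[Tuple[float, str, int]], sequence: Sequence[int],
           timeout: float) -> List[str]:
    """Feed (time, src, port) events through a KnockServer in time order and
    return the sources that completed the sequence, in the order they did."""
    opened: List[str] = []
    server = KnockServer(sequence, timeout, opened.append)
    for now, src, port in sorted(events):
        server.knock(src, port, now)
    return opened


# Constructed sample traffic: one correct knock, one that is too slow, and a
# sequential scanner walking across all three knock ports.
SEQUENCE = (7000, 8000, 9000)
SAMPLE_EVENTS: List[Tuple[float, str, int]] = [
    (0.0, "192.0.2.10", 7000), (0.4, "192.0.2.10", 8000), (0.9, "192.0.2.10", 9000),
    (5.0, "192.0.2.20", 7000), (6.0, "192.0.2.20", 8000), (40.0, "192.0.2.20", 9000),
] + [(100.0 + i, "198.51.100.7", p) for i, p in enumerate(range(6998, 9003))]


def demo() -> List[str]:
    return replay(SAMPLE_EVENTS, SEQUENCE, timeout=10.0)


if __name__ == "__main__":
    print("opened for:", demo())   # opened for: ['192.0.2.10']
```

Only the source that hit 7000, 8000, 9000 in order and inside the ten-second window gets its rule opened; the slow knocker and the scanner do not. On the client side, the post's "knock before connecting" step is usually wired into ~/.ssh/config with a ProxyCommand along the lines of `ProxyCommand sh -c 'knock %h 7000 8000 9000; sleep 1; nc %h %p'`, assuming the knock client and nc are installed and that the ports match the server's sequence.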