Minimize sshd log clutter/spam from unauthenticated connections
Carsten Andrich
carsten.andrich at tu-ilmenau.de
Sat Jun 10 19:19:01 AEST 2023
On 19.03.23 07:03, Philipp Marek wrote:
> I quite like having a process listen on port 53 and wait for a dns
> query containing a totp string to grant (temporary) access; that's a
> 2fa, and doing a "host 123456. my-ip" is easily automated in a shell
> script as well...
I have to admit, I *really* like the TOTP idea.
For the time being, I've deployed a quasi-knocking KISS solution that
sends an unencrypted secret via a single UDP packet. Server side is
realized entirely with nftables:
table inet filter {
# set of IP addresses that have authenticated via knocking
set sshauth {
type ipv4_addr
size 255
flags timeout, dynamic
}
chain input {
type filter hook input priority filter; policy drop;
# SSH knocking with single UDP packet containing unencrypted secret
udp dport 12345 @ih,0,32 0xdeadbeef add @sshauth { ip saddr timeout 4h } counter
# alternatively TCP fast open can be used to knock with firewalls that only permit TCP port 22
tcp dport 22 tcp flags syn @ih,0,32 0xdeadbeef add @sshauth { ip saddr timeout 4h } counter reject with tcp reset
# accept new SSH connections from IP addresses that have knocked
ip saddr @sshauth tcp dport 22 ct state new counter accept
# accept established connections and reject the rest
ct state { established, related } accept
meta pkttype unicast ip protocol tcp counter reject with tcp reset
}
}
For SSH hosts only accessed by a select few of technically experienced
users that approach has worked like a charm.
Best regards,
Carsten
More information about the openssh-unix-dev
mailing list