Minimize sshd log clutter/spam from unauthenticated connections

Carsten Andrich carsten.andrich at tu-ilmenau.de
Sat Jun 10 19:19:01 AEST 2023


On 19.03.23 07:03, Philipp Marek wrote:
> I quite like having a process listen on port 53 and wait for a dns 
> query containing a totp string to grant (temporary) access; that's a 
> 2fa, and doing a "host 123456. my-ip" is easily automated in a shell 
> script as well...

I have to admit, I *really* like the TOTP idea.

For the time being, I've deployed a quasi-knocking KISS solution that 
sends an unencrypted secret via a single UDP packet. Server side is 
realized entirely with nftables:

table inet filter {
     # set of IP addresses that have authenticated via knocking
     set sshauth {
         type ipv4_addr
         size 255
         flags timeout, dynamic
     }

     chain input {
         type filter hook input priority filter; policy drop;

         # SSH knocking with single UDP packet containing unencrypted secret
         udp dport 12345 @ih,0,32 0xdeadbeef add @sshauth { ip saddr timeout 4h } counter
         # alternatively TCP fast open can be used to knock with firewalls that only permit TCP port 22
         tcp dport 22 tcp flags syn @ih,0,32 0xdeadbeef add @sshauth { ip saddr timeout 4h } counter reject with tcp reset

         # accept new SSH connections from IP addresses that have knocked
         ip saddr @sshauth tcp dport 22 ct state new counter accept

         # accept established connections and reject the rest
         ct state { established, related } accept
         meta pkttype unicast ip protocol tcp counter reject with tcp reset
     }
}

For SSH hosts only accessed by a select few technically experienced 
users, that approach has worked like a charm.

Best regards,
Carsten
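As an added example (not code from Carsten's mail or from the nftables project), here is a small Python model of the UDP knock rule above: `@ih,0,32 0xdeadbeef` compares the first 32 bits of the UDP payload as a big-endian integer, so the knock must carry the secret as four raw bytes rather than the text "0xdeadbeef", and the dynamic set with its 4h timeout is modelled as a plain dictionary. Port, secret and timeout are taken from the rule; the loopback demo and the sample addresses are constructed.

```python
import socket
import struct

KNOCK_PORT = 12345         # UDP port from the "udp dport 12345" rule
KNOCK_SECRET = 0xDEADBEEF  # value compared by "@ih,0,32 0xdeadbeef"
AUTH_TIMEOUT = 4 * 3600    # "timeout 4h" on entries added to @sshauth

def knock_payload(secret: int = KNOCK_SECRET) -> bytes:
    """@ih,0,32 reads the first 32 bits of the UDP payload as a big-endian
    integer, so the client must send 4 raw bytes, not the text "0xdeadbeef"."""
    return struct.pack("!I", secret)

def matches_knock(payload: bytes, secret: int = KNOCK_SECRET) -> bool:
    """Model of the match: >= 4 bytes whose first 32 bits equal the secret;
    anything after the first 4 bytes is ignored by the rule."""
    return len(payload) >= 4 and struct.unpack("!I", payload[:4])[0] == secret

class AuthSet:
    """Model of the dynamic sshauth set: source address -> expiry time."""
    def __init__(self, timeout: int = AUTH_TIMEOUT):
        self.timeout = timeout
        self.entries = {}

    def add(self, saddr: str, now: float) -> None:
        # "add @sshauth { ip saddr timeout 4h }": a new knock re-arms the entry
        self.entries[saddr] = now + self.timeout

    def allows(self, saddr: str, now: float) -> bool:
        # "ip saddr @sshauth tcp dport 22 ct state new ... accept"
        expiry = self.entries.get(saddr)
        return expiry is not None and now < expiry

def send_knock(host: str, port: int = KNOCK_PORT, secret: int = KNOCK_SECRET) -> None:
    """Client side: a single UDP datagram carrying the 4-byte secret."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(knock_payload(secret), (host, port))

if __name__ == "__main__":
    # Loopback demo on an ephemeral port: receive our own knock and feed it
    # through the modelled rule and set (no nftables needed to try it).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2)
        send_knock("127.0.0.1", srv.getsockname()[1])
        payload, (saddr, _) = srv.recvfrom(64)
    auth = AuthSet()
    if matches_knock(payload):
        auth.add(saddr, now=0.0)
    print("knock accepted:", auth.allows(saddr, now=0.0))
```

Run as a script, it sends one knock to itself over loopback and evaluates it with the modelled rule; on the real firewall the `counter` on the knock rule is what lets you watch how often the knock port is being hit.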
