Reply to Network Guy
Re: Who keeps their router's SSH port open?
If you leave SSH open to the Internet, then it is possible to get DoS'ed if all lines are kept open. You will not be able to log in (except via the console).
For SSH it's simpler to avoid scans by using the rotary feature to move SSH to a new port other than 22.
Additional security through obscurity is available by using a "knock" rotary configuration for your router. You have to "knock"/authenticate on a given TCP port, and then you can initiate a new SSH session for the next say 60 seconds (dynamic ACL knock entry). This is useful to prevent scan / attack of hosts behind your router that you may want to NAT to ssh/rdp/vnc/whatever to.
! SSH listens on 2222 and is mapped to the vty lines in rotary group 1
ip ssh port 2222 rotary 1
! "knock" user: on login, only run access-enable (1-minute idle timeout), then disconnect
username knock secret 5 $1$whatever
username knock autocommand access-enable host timeout 1
ip access-list extended ACL_PROTECT_WAN_IN
 ! added line, not in the original post: the knock port itself must be reachable through the inbound ACL
 permit tcp any any eq 2222
 ! template only; access-enable creates a temporary copy of it for the knocking host's address
 dynamic knock permit tcp any any eq 3389 22 log-input
 deny ip any any
I still have the CPU screenshot of what my first attempt at leaving my SSH port open to the world at large looked like, plus the logfiles to back it up.... fun times indeed.
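A fuller version of the lock-and-key "knock" setup described above, added here as an illustration rather than the poster's own config: it supplies the pieces the snippet leaves out (a permit for the knock port itself, the ACL applied inbound on the WAN interface, vty lines in rotary group 1, and an absolute lifetime on the dynamic entry). The interface name, the admin account, the NAT target and the password hashes are placeholders.

```cisco
! --- Router-side SSH: non-default port tied to rotary group 1 ---
ip ssh port 2222 rotary 1
ip ssh time-out 30
ip ssh authentication-retries 2
!
! --- Knock account: a successful login runs access-enable and nothing else ---
! "host" substitutes the knocking source address into the dynamic entry;
! "timeout 1" is the idle timeout (minutes) of that temporary entry.
username knock secret 5 $1$whatever
username knock autocommand access-enable host timeout 1
! Normal admin account, used for the real SSH session after the knock (placeholder hash)
username admin privilege 15 secret 5 $1$placeholder
!
! --- Example port-forward to an inside host (placeholder address) ---
ip nat inside source static tcp 192.168.1.10 3389 interface GigabitEthernet0/0 3389
!
! --- Inbound WAN ACL ---
ip access-list extended ACL_PROTECT_WAN_IN
 ! the knock port itself must be reachable, or nobody can ever knock
 permit tcp any any eq 2222
 ! template only: nothing matches until access-enable instantiates it for one
 ! source host; "timeout 5" caps the absolute lifetime at 5 minutes regardless of idle
 dynamic knock timeout 5 permit tcp any any eq 3389 22 log-input
 ! catch-all deny left unlogged on purpose: logging every scan packet costs CPU
 deny ip any any
!
! Apply inbound on the Internet-facing interface (interface name is an assumption)
interface GigabitEthernet0/0
 description WAN
 ip nat outside
 ip access-group ACL_PROTECT_WAN_IN in
!
! vty lines in rotary group 1 answer on port 2222; local auth so the
! username autocommand applies, SSH only, short exec timeout
line vty 0 4
 rotary 1
 login local
 transport input ssh
 exec-timeout 5 0
!
! Workflow: ssh -p 2222 knock@ROUTER (session closes as soon as access-enable runs),
! then within the timeout: ssh -p 2222 admin@ROUTER or RDP to the forwarded host.
! Verify with: show ip access-lists ACL_PROTECT_WAN_IN (temporary entries appear
! indented under the "Dynamic knock" line while they are alive).
```

Keep in mind that the inbound ACL also governs traffic to the router itself, which is why the knock port needs its own permit ahead of the catch-all deny.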
Wanna give a breakdown of what each line of that config does? Some of the commands I've never seen before.
But it looks interesting...