nosx

reply to jh2010

Re: Who keeps their router's SSH port open?

For SSH it's simpler to avoid scans by using the rotary feature to move ssh to a new port other than 22.

Additional security through obscurity is available by using a "knock" rotary configuration for your router. You have to "knock"/authenticate on a given TCP port, and then you can initiate a new SSH session for the next, say, 60 seconds (dynamic ACL knock entry). This is useful to prevent scan / attack of hosts behind your router that you may want to NAT ssh/rdp/vnc/whatever to.

! SSH answers on TCP 2222 for the vty lines placed in rotary group 1
ip ssh port 2222 rotary 1
line vty 0 4
 rotary 1
! The knock user can only run access-enable, which opens the dynamic entry for 1 minute
username knock secret 5 $1$whatever
username knock autocommand access-enable host timeout 1
ip access-list extended ACL_PROTECT_WAN_IN
! The knock port itself must be permitted, or nobody can ever authenticate
 permit tcp any any eq 2222
 dynamic knock permit tcp any any eq 3389 22 log-input
 deny ip any any

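Added example, not from nosx's post or from Cisco: a small Python model of how the lock-and-key ACL above behaves. It assumes first-match evaluation with an implicit deny, that `access-enable host timeout N` inserts a temporary per-host copy of the `dynamic` template at the template's position in the list, and that the knock port (2222) is permitted by a static entry so the client can reach the router at all. The expiry is modelled as a single absolute timeout (real IOS distinguishes idle and absolute timeouts); the class names, the addresses and the timestamps are constructed for the demo.

```python
"""Model of the Cisco IOS lock-and-key ("knock") ACL from the post above.

Added example, not the post's or Cisco's code. Models first-match evaluation,
the temporary per-host entry that `access-enable host timeout N` creates, and
its expiry (simplified to one absolute timeout). Addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address as text
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                        # "any" or a single host address
    dports: Tuple[int, ...] = ()    # empty tuple: any destination port
    dynamic: Optional[str] = None   # name of a dynamic template, e.g. "knock"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        return not self.dports or pkt.dport in self.dports


class LockAndKeyACL:
    def __init__(self, entries: List[Entry], timeout_minutes: int):
        self.entries = list(entries)
        self.timeout = timeout_minutes * 60   # access-enable timeout is given in minutes
        self.active: List[Tuple[float, Entry]] = []   # (expires_at, temporary entry)

    def knock(self, src: str, now: float) -> None:
        """What `access-enable host timeout N` does for the authenticated source host."""
        for tmpl in self.entries:
            if tmpl.dynamic:
                temp = Entry(tmpl.action, tmpl.proto, src, tmpl.dports)
                self.active.append((now + self.timeout, temp))

    def evaluate(self, pkt: Packet, now: float) -> str:
        self.active = [(t, e) for t, e in self.active if t > now]   # drop expired entries
        for e in self.entries:
            if e.dynamic:
                # A dynamic template matches nothing by itself; the temporary
                # entries it spawned are evaluated at its position in the list.
                for _, temp in self.active:
                    if temp.matches(pkt):
                        return temp.action
                continue
            if e.matches(pkt):
                return e.action
        return "deny"   # implicit deny at the end of every IOS ACL


def build_acl() -> LockAndKeyACL:
    """ACL_PROTECT_WAN_IN from the post, plus a static permit for the knock port."""
    return LockAndKeyACL([
        Entry("permit", "tcp", "any", (2222,)),                     # reach SSH on the rotary port
        Entry("permit", "tcp", "any", (3389, 22), dynamic="knock"), # dynamic knock permit ...
        Entry("deny", "ip", "any"),                                 # deny ip any any
    ], timeout_minutes=1)


def demo() -> dict:
    """Walk one client through knock, access window and expiry; returns the decisions."""
    acl = build_acl()
    client, stranger = "198.51.100.7", "203.0.113.9"   # constructed addresses
    r = {}
    r["ssh_before_knock"] = acl.evaluate(Packet(client, "tcp", 22), now=0)
    r["knock_port"] = acl.evaluate(Packet(client, "tcp", 2222), now=0)
    acl.knock(client, now=0)   # client authenticated as user "knock"; autocommand ran
    r["ssh_after_knock"] = acl.evaluate(Packet(client, "tcp", 22), now=10)
    r["rdp_after_knock"] = acl.evaluate(Packet(client, "tcp", 3389), now=10)
    r["http_after_knock"] = acl.evaluate(Packet(client, "tcp", 80), now=10)
    r["stranger_ssh"] = acl.evaluate(Packet(stranger, "tcp", 22), now=10)
    r["ssh_after_timeout"] = acl.evaluate(Packet(client, "tcp", 22), now=61)
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {decision}")
```

The run shows the two things the post relies on: only the source host that authenticated gets the temporary permit for 22 and 3389, and once the minute is up the ACL falls back to the static lines, so the hosts behind the NAT are dark to scanners again.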

HELLFIRE

@jh2010
I still have the CPU screenshot of what my first attempt at leaving my SSH port open to the world at large looked like,
plus the logfiles to back it up.... fun times indeed.

@nosx
Wanna give a breakdown of what each line of that config does? Some of the commands I've never seen before.
But it looks interesting...

Regards