meta
join:2004-12-27
Member

to jh2010

Re: Who keeps their router's SSH port open?

For SSH it's simpler to avoid scans by using the rotary feature to move SSH to a new port other than 22.

Additional security through obscurity is available by using a "knock" rotary configuration for your router. You have to "knock"/authenticate on a given TCP port, and then you can initiate a new SSH session for the next, say, 60 seconds (dynamic ACL knock entry). This is useful to prevent scan / attack of hosts behind your router that you may want to NAT to ssh/rdp/vnc/whatever to.

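! SSH also listens on TCP 2222, tied to rotary group 1
ip ssh port 2222 rotary 1
! Local "knock" account; the type 5 hash shown is a placeholder
username knock secret 5 $1$whatever
! Logging in as knock runs access-enable: it activates the dynamic ACL entry
! for the connecting host only, with a 1-minute idle timeout
username knock autocommand access-enable host timeout 1
ip access-list extended ACL_PROTECT_WAN_IN
 ! Template entry, inactive until a knock login enables it
 dynamic knock permit tcp any any eq 3389 22 log-input
 deny ip any any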
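
A simplified model of the knock behaviour described in the post above, added here as an illustration (it is not code from the thread or from Cisco). The class and method names are hypothetical, the addresses are constructed documentation-range values, and the idle timer and the effect of the `host` keyword are modelled in Python, not executed on IOS.

```python
# Added illustration: simplified model of an IOS lock-and-key (dynamic ACL) entry.
# Hypothetical names; behaviour is modelled, not taken from a router.
from dataclasses import dataclass, field

OPEN_PORTS = {22, 3389}   # from "dynamic knock permit tcp any any eq 3389 22"
IDLE_TIMEOUT = 60         # seconds, from "access-enable host timeout 1" (minutes)


@dataclass
class KnockAcl:
    host_keyword: bool = True                     # "access-enable host" vs. no "host"
    last_hit: dict = field(default_factory=dict)  # source (or "any") -> last match time

    def knock(self, src: str, now: float) -> None:
        """User 'knock' logged in from src; the autocommand adds a temporary entry."""
        self.last_hit[src if self.host_keyword else "any"] = now

    def permits(self, src: str, dport: int, now: float) -> bool:
        """Evaluate one inbound TCP packet against the ACL at time `now`."""
        # Temporary entries idle for longer than the timeout are removed.
        self.last_hit = {k: t for k, t in self.last_hit.items()
                         if now - t <= IDLE_TIMEOUT}
        if dport in OPEN_PORTS:
            for key in (src, "any"):
                if key in self.last_hit:
                    self.last_hit[key] = now      # matching traffic resets the idle timer
                    return True
        return False                              # falls through to "deny ip any any"


def demo() -> list:
    """Constructed scenario: 198.51.100.7 is the admin, 203.0.113.9 a scanner."""
    acl, admin, scanner = KnockAcl(), "198.51.100.7", "203.0.113.9"
    results = [acl.permits(admin, 22, 0)]         # before the knock: denied
    acl.knock(admin, 10)
    results.append(acl.permits(admin, 22, 20))    # inside the window: permitted
    results.append(acl.permits(scanner, 22, 25))  # different source: still denied
    results.append(acl.permits(admin, 3389, 70))  # timer reset at t=20: permitted
    results.append(acl.permits(admin, 22, 200))   # idle for over 60 s: denied again
    # Same knock without the "host" keyword: the entry matches any source.
    wide = KnockAcl(host_keyword=False)
    wide.knock(admin, 0)
    results.append(wide.permits(scanner, 22, 5))  # scanner is let in
    return results


if __name__ == "__main__":
    print(demo())
```

The last case shows why the `host` keyword matters: without it, one successful knock opens the permitted ports to every source until the entry times out.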
HELLFIRE
MVM
join:2009-11-25

@jh2010
I still have the CPU screenshot of what my first attempt at leaving my SSH port open to the world at large looked like,
plus the logfiles to back it up.... fun times indeed.

@nosx
Wanna give a breakdown of what each line of that config does? Some of the commands I've never seen before.
But it looks interesting...

Regards