Restrict access to ssh server somehow to device
Here is my setup:
laptop <-USBTethering-> mobile phone <-4G internet-> ... homeADSLrouter <-LAN-> server
- Laptop's IP is 192.168.x.x
- mobilephone internal IP is 192.168.x.y
- mobilephone external IP is .... changes every time
- homeADSLrouter external IP is variable also (though dyndns is used to update a specific host to point to that IP)
- homeADSLrouter has the ability to let through ssh traffic and redirect it to server
- server has sshd server running, listening on the normal port
As the mobile phone's external IP changes every time, is there still some mechanism to restrict access to the ssh port on the homeADSLrouter, perhaps one that is not based on IP but on some other mechanism on top, rather than allowing all the world to be able to connect to the ssh server? (Of course user/passwd is still a restriction, but I'd prefer a little more.)
ssh
asked Jun 21 at 9:30
MMM
2
Change the default TCP port 22 to something else.
– Ipor Sircer
Jun 21 at 9:35
yep, that's simple enough :-)
– MMM
Jun 21 at 10:09
4
Generate an SSH key pair for the server. Disable root logins over SSH. Disable password authentication over SSH. Now anybody who connects will be asked to present a valid key and the connection will be dropped immediately when they cannot do it; many simple-minded hacking scripts will actually drop the connection themselves when the server says that only public key-based authentication is allowed.
– AlexP
Jun 21 at 11:22
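The settings listed in the last comment can be checked against the server's effective configuration, which `sshd -T` prints as lowercase keyword/value pairs. The following is an added example, not part of the original thread: the function name `audit_sshd` is made up for illustration and the sample input is constructed.

```shell
# Constructed sample of `sshd -T` output (effective settings, lowercase keys).
sample_effective_config() {
cat <<'EOF'
port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
EOF
}

# audit_sshd: read `sshd -T` output on stdin, print one line per setting that
# is weaker than "keys only, no root"; return 0 if hardened, 1 otherwise.
audit_sshd() {
    awk '
        BEGIN {
            want["permitrootlogin"]              = "no"
            want["passwordauthentication"]       = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["pubkeyauthentication"]         = "yes"
        }
        # Older OpenSSH releases print this option under its previous name.
        $1 == "challengeresponseauthentication" { $1 = "kbdinteractiveauthentication" }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "WEAK %s=%s (want %s)\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit bad + 0
        }
    '
}

# Demo on the constructed sample; on a real server (as root): sshd -T | audit_sshd
sample_effective_config | audit_sshd || true
```

Keep an existing session open while changing these settings, and confirm that key login works from the laptop before closing it.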
2 Answers
accepted
If you are looking to secure your ssh, as Alex P mentioned, it is good to disable root for ssh and, if possible, just use ssh key logins instead. You might also consider installing fail2ban, which will ban any IP that has a certain number of failed login attempts.
answered Jun 21 at 13:35
nobody
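What "a certain number of failed login attempts" means in practice is a count per source IP inside a time window (fail2ban calls these `maxretry` and `findtime`). The following is an added example, not part of the original answer and not fail2ban's own code: a simplified model of that decision, run over constructed sshd log lines; the function name `ips_to_ban` is made up for illustration.

```shell
# Constructed sample of sshd auth log lines (documentation IP ranges).
sample_auth_log() {
cat <<'EOF'
Jun 21 09:31:02 server sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jun 21 09:31:05 server sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jun 21 09:31:09 server sshd[2104]: Failed password for root from 203.0.113.5 port 51130 ssh2
Jun 21 09:40:00 server sshd[2110]: Failed password for mmm from 198.51.100.7 port 40022 ssh2
Jun 21 09:40:20 server sshd[2110]: Accepted password for mmm from 198.51.100.7 port 40022 ssh2
Jun 21 10:55:00 server sshd[2200]: Failed password for root from 192.0.2.9 port 33000 ssh2
Jun 21 11:55:00 server sshd[2201]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jun 21 12:55:00 server sshd[2202]: Failed password for root from 192.0.2.9 port 33002 ssh2
EOF
}

# ips_to_ban MAXRETRY FINDTIME_SECONDS: print each source IP with at least
# MAXRETRY failures inside any FINDTIME window (same-day timestamps assumed).
ips_to_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
            # Take the word after the LAST "from", so a user name of "from"
            # cannot be mistaken for the address.
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i+1)
            n = ++count[ip]; stamp[ip, n] = now
            # Lines are in time order, so the window holds MAXRETRY failures
            # when the one MAXRETRY-1 places back is still within FINDTIME.
            if (n >= maxretry && now - stamp[ip, n - maxretry + 1] <= findtime && !(ip in banned)) {
                banned[ip] = 1; print ip
            }
        }
    '
}

# Demo: three failures within ten minutes trigger a ban.
sample_auth_log | ips_to_ban 3 600
```

The single mistyped password from 198.51.100.7 stays under the threshold, and the slow attempts from 192.0.2.9 are only caught when the window is widened to two hours.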
You could install knockd and configure port knocking. You'd have to connect to ports X, Y, Z before 22 opens up.
answered Jun 21 at 13:26
Joe M
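How a knock sequence is accepted or rejected can be shown with a small model of the rule knockd applies through its `sequence` and `seq_timeout` options. The following is an added example, not part of the original answer and not knockd's own code: the port numbers, the log format and the function name `knock_opened` are assumptions made for illustration, and the input is constructed.

```shell
# Constructed sample: "<seconds> <source IP> <destination port>" per SYN seen
# on the server.
sample_syn_log() {
cat <<'EOF'
100 198.51.100.7 7000
101 198.51.100.7 8000
102 198.51.100.7 9000
200 203.0.113.5 7000
201 203.0.113.5 9000
202 203.0.113.5 8000
300 192.0.2.9 7000
301 192.0.2.9 8000
320 192.0.2.9 9000
EOF
}

# knock_opened "P1 P2 P3" TIMEOUT: print each source IP that hit the ports in
# order, with the whole sequence finished within TIMEOUT seconds of its start.
knock_opened() {
    awk -v seq="$1" -v timeout="$2" '
        BEGIN { n = split(seq, want, " ") }
        {
            t = $1; ip = $2; port = $3
            # An attempt that has run past the timeout is forgotten.
            if ((ip in pos) && t - start[ip] > timeout) delete pos[ip]
            next_i = (ip in pos) ? pos[ip] + 1 : 1
            if (port == want[next_i]) {
                if (next_i == 1) start[ip] = t
                pos[ip] = next_i
                if (next_i == n) { print ip; delete pos[ip] }
            } else if (port == want[1]) {
                start[ip] = t; pos[ip] = 1   # wrong step, but a fresh first knock
            } else {
                delete pos[ip]               # wrong port: start over
            }
        }
    '
}

# Demo: only the in-order, in-time sequence would open port 22.
sample_syn_log | knock_opened "7000 8000 9000" 5
```

In the setup from the question the router would have to forward the knock ports to the server as well, because the knock daemon runs on the server and only sees traffic that reaches it.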