Jay Leafey wrote:
>>
>> What I would like to do is:
>>
>> - allow 22 from specific IPs
>> - allow another port (redirected) from anywhere. This port is then
>> redirected to 22.
>>
>
> I do exactly this with a combination of SSH config options and
> iptables rules. In your /etc/ssh/sshd_config file, find the "Port 22"
> statement and add a "Port" statement for the desired port, something
> like:
>
> <snip>
> Port 22
> Port 20022
> Protocol 2
> <snip>
>
> Then, in iptables, add the appropriate rules to let incoming
> connections to port 22 from only specific addresses and to allow port
> 20022 (or whatever you pick) to be available worldwide. Assuming you
> wanted port 22 access for a local subnet like 192.169.1.0/24, add the
> following to the /etc/sysconfig/iptables file before the REJECT
> statement at the end of the file:
>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
>> 192.168.1.0/24 --dport 22 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport
>> 20022 -j ACCEPT
>
> After restarting SSH and reloading iptables you should have just what
> you want. I use this, in addition to blockhosts
> (http://www.aczoom.com/cms/blockhosts/), on several production systems
> and the result has been almost total elimination of brute-force
> attacks on those systems.
>
> Another possibility is a variation on port-knocking using PKI
> authentication or a shared secret. The project is called fwknop
> (http://www.cipherdyne.org/fwknop/) and has the potential to almost
> completely eliminate brute-force attacks.
>
> Essentially, the target port (22 in the case of SSH) is not open at
> all normally, but a daemon monitors the network interface for a
> specific packet signed using either a shared secret or a
> pre-authorized PGP key. When it sees the packet, it opens up the
> appropriate port for a specified time (usually just a few seconds) to
> the IP address the packet comes from. This allows a very short time
> window for the client system to complete its connection before the
> port gets closed down. I've set this up on a couple of systems so far
> with excellent results.
>
> Your mileage may vary!

I didn't think about adding the port in ssh. Thanks for the hint. I was
however looking for a way to implement this without touching sshd ports.

After playing a little, I found the following to work:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 12345 -j REDIRECT --to-ports 22
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 12345 -j MARK --set-mark 0x22
iptables -A INPUT -m mark --mark 0x22 -j ACCEPT

This seems to do it. (12345 is not the real port.)
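The redirect-plus-mark approach from the reply above, written out as a complete, reviewable rule set. This is an added example, not code from either poster: it generates the nat, mangle and filter rules in iptables-restore format so they can be inspected before loading, and includes a root-only verify step using `iptables -C`. The subnet 192.168.1.0/24, the alternate port 12345 and the mark 0x22 are placeholders taken from the thread, and the ESTABLISHED,RELATED and final REJECT lines are assumptions about what a minimal INPUT policy needs around these rules (on a RHEL-style box the chain would be RH-Firewall-1-INPUT, as in the first reply).

```sh
#!/bin/sh
# Added example (not from the thread). Implements: direct port 22 only from a
# trusted subnet, plus an alternate port redirected to 22 and admitted by mark.
# All values below are placeholders; override them from the environment.
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"   # assumption: the admin subnet
ALT_PORT="${ALT_PORT:-12345}"                   # placeholder, as in the thread
SSH_PORT="${SSH_PORT:-22}"
MARK="${MARK:-0x22}"

# Emit the rules in iptables-restore format. Order matters:
#  - mangle PREROUTING runs before nat PREROUTING, so the mark is set while
#    the packet still carries dport ALT_PORT; after REDIRECT it carries dport 22.
#  - in filter INPUT the mark ACCEPT must sit before the final REJECT.
gen_rules() {
  cat <<EOF
*nat
-A PREROUTING -p tcp -m tcp --dport ${ALT_PORT} -j REDIRECT --to-ports ${SSH_PORT}
COMMIT
*mangle
-A PREROUTING -p tcp -m tcp --dport ${ALT_PORT} -j MARK --set-mark ${MARK}
COMMIT
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp -s ${TRUSTED_NET} --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport ${SSH_PORT} -m mark --mark ${MARK} -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport ${SSH_PORT} -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Load the rules without flushing existing chains (root only).
apply_rules() {
  gen_rules | iptables-restore --noflush
}

# Confirm the three key rules are present; exits non-zero if any is missing.
verify_rules() {
  iptables -t nat -C PREROUTING -p tcp -m tcp --dport "$ALT_PORT" \
      -j REDIRECT --to-ports "$SSH_PORT" &&
  iptables -t mangle -C PREROUTING -p tcp -m tcp --dport "$ALT_PORT" \
      -j MARK --set-mark "$MARK" &&
  iptables -C INPUT -p tcp -m tcp --dport "$SSH_PORT" -m mark --mark "$MARK" \
      -m state --state NEW -j ACCEPT
}

# Default action is to print the rules; "apply" and "verify" need root.
case "${1:-show}" in
  show)   gen_rules ;;
  apply)  apply_rules && verify_rules ;;
  verify) verify_rules ;;
esac
```

Run it with no arguments to review the generated rules, then `./ssh-redirect.sh apply` as root. Note that sshd still listens on 22 only, so its logs (and tools like blockhosts) see every attempt regardless of which port the client used; the alternate port hides nothing from a scanner that probes high ports, it only cuts the background noise aimed at 22.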