Mailing List Archive



Re: [tlug] remote access to server



One to add to the list of techniques so far is the use of ipset. We use
this to control access to admin websites. E.g. one of our iptables
entries is:

  -A INPUT -p tcp --dport 443 -m set --match-set myip src -j ACCEPT

I use this manually over ssh. E.g. if I'm at a coffee shop and need to
use an admin page, I will first find out my public ip, then ssh in and
(as root) run:

  ipset add myip 1.2.3.4

In fact, in that example I would actually do:

  ipset add myip 1.2.3.4 timeout 3600


This could be used just as well for ssh whitelisting, by setting up a
dedicated web page, password-protected, where a login from 1.2.3.4 will
automatically run:

  ipset add sship 1.2.3.4 timeout 180

You then have three minutes to ssh in.

Doing this for ssh is on my to-do list, as I am still hoping to find a
ready-made open source package - when it comes to security the rule is
you don't hack your own :-)

Darren

P.S. https://wiki.archlinux.org/index.php/Ipset



-- 
Darren Cook, Software Researcher/Developer
My New Book: Practical Machine Learning with H2O:
  http://shop.oreilly.com/product/0636920053170.do
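
Added example, not part of the original message: a sketch of the step such a password-protected page would run, validating the client address before it reaches `ipset`. The set name `sship` and the 180-second timeout come from the message; the function names, the `DRY_RUN` switch and the port 22 rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. Function names and DRY_RUN
# are hypothetical; "sship" and the 180 s timeout are taken from the message.
#
# One-time setup as root. The set needs timeout support at creation, or a
# later "add ... timeout N" is rejected. The port 22 rule is an assumed
# analogue of the message's port 443 rule:
#   ipset create sship hash:ip timeout 180
#   iptables -A INPUT -p tcp --dport 22 -m set --match-set sship src -j ACCEPT

# Return 0 only for a strict dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        # reject leading zeros and anything longer than three digits
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print (DRY_RUN=1, the default here) or run the ipset command for a
# validated address. -exist makes a repeat login refresh the timeout
# instead of failing because the entry is already in the set.
allow_ssh_from() {
    ip=$1; ttl=${2:-180}
    valid_ipv4 "$ip" || { echo "rejected address: $ip" >&2; return 1; }
    case "$ttl" in ''|*[!0-9]*) echo "rejected timeout: $ttl" >&2; return 1 ;; esac
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "ipset -exist add sship $ip timeout $ttl"
    else
        ipset -exist add sship "$ip" timeout "$ttl"
    fi
}
```

The address passed in should be the one the web server saw for the authenticated request, never a value taken from a form field or a client-supplied header.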

