On Fri, Jan 23, 2009 at 2:33 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
> On Friday 23 January 2009 22:22:17 Paul Hartman wrote:
>> I essentially want it to work the other way around. Deny access by
>> default unless there is an allow rule. I don't think I can do that,
>> though. If I put ALL: ALL or sshd: ALL in the hosts.deny file, it will
>> deny ME access to my own machine. I don't want that. Since I don't
>> have a specific IP I will connect from, I can't allow any specific IP
>> (or else I'd be doing it that way already).
>>
>> How can I accomplish this?:
>>
>> Allow all ssh connections unless they are in hosts.deny
>> Deny all other connections unless they are in hosts.allow
>
> Have you looked at port knocking?
>
> It's a complete ball ache to set up and use, far less useful than it seems,
> but it might also solve your conundrum.
>
> A friend once mentioned on a forum that he'd managed to set up static libwrap
> rules in hosts.allow|deny for addresses that don't change and additionally
> port-knocking for himself to open up port 22 for a few minutes. I don't
> recall how he did this, only that he claimed to have done it.

I've never tried it but I have always liked the idea. I connect to
sshd from Linux (my laptop), Windows (my work desktop) and Symbian (my
phone).

knockd and the knocking client should be no problem for Linux &
Windows, but for my phone I'd probably have to make one myself. Is it
as simple as making a connection to a specific sequence of ports with
specific timing? I could probably do that easily in Python. Sounds
like a project for this weekend. :)

thanks,
paul
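The "sequence of ports with specific timing" Paul describes is indeed all a knockd-style client does. Below is an added example of such a client in Python (not code from this thread or from the knockd project); the host, ports and delays are made-up assumptions, and it relies on the fact that knockd sniffs traffic with libpcap, so a TCP SYN that gets refused still counts as a knock.

```python
"""Minimal port-knocking client in the spirit of knockd's `knock` tool.

Added example (hypothetical): replays a timed sequence of TCP/UDP knocks
so a knockd-style daemon on the server can open port 22 for a few minutes.
Host, ports and delay values are constructed assumptions.
"""
import socket
import time


def parse_sequence(spec):
    """Turn "7000:tcp,8000:udp,9000" into [(7000,'tcp'),(8000,'udp'),(9000,'tcp')].

    Follows knockd's convention that a bare port number means TCP.
    """
    seq = []
    for item in spec.split(','):
        item = item.strip()
        if not item:
            continue
        port, _, proto = item.partition(':')
        proto = (proto or 'tcp').lower()
        if proto not in ('tcp', 'udp'):
            raise ValueError('unknown protocol: %s' % proto)
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError('port out of range: %d' % port)
        seq.append((port, proto))
    if not seq:
        raise ValueError('empty knock sequence')
    return seq


def knock_once(host, port, proto, timeout=0.5):
    """Send one knock. The daemon only has to *see* the packet, so a refused
    TCP connect or an unanswered UDP datagram is still a successful knock."""
    if proto == 'udp':
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(b'', (host, port))
        return
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass  # closed port answers RST; the SYN already reached the sniffer


def knock(host, spec, delay=0.2):
    """Replay the whole sequence, pausing `delay` seconds between knocks so
    they arrive in order and inside the daemon's sequence timeout.
    Returns the number of knocks sent."""
    seq = parse_sequence(spec)
    for i, (port, proto) in enumerate(seq):
        knock_once(host, port, proto)
        if i < len(seq) - 1:
            time.sleep(delay)
    return len(seq)


if __name__ == '__main__':
    # Constructed example target and sequence; adjust to match the server's knockd.conf.
    print(knock('192.0.2.10', '7000:tcp,8000:udp,9000:tcp'))
```

The same sequence must appear in the server's knockd.conf, and the delay only needs to be shorter than the daemon's sequence timeout; the order of ports is what the daemon actually checks.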