On May 16, 2008, at 09:56, Tom Buskey wrote:

> Harder:
> port knocking

If you can live with simple port knocking, it's just this hard:

    # rule 1: new SSH connections are accepted only from sources already in the "SSH" recent list
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT
    # rule 2: decoy port just below the knock; forgets the source
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1775 -m recent --name SSH --remove -j DROP
    # rule 3: the knock; remembers the source but still drops the packet
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1776 -m recent --name SSH --set -j DROP
    # rule 4: decoy port just above the knock; forgets the source
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1777 -m recent --name SSH --remove -j DROP

Lines 2 and 4 are unnecessary if you're not concerned with sequential port scanners.

Then just set up your remote access device (e.g. a Palm with pssh in my last non-scriptable case) with two profiles, one for 1776 and one for 22, that you execute in series.

In the scriptable case (e.g. N810):

    ~/bin/sshlib:

    #!/bin/sh
    /usr/bin/nc -w 1 liberty.gnhlug.org 1776    # the knock: SYN is dropped, nc gives up after 1 s
    /usr/bin/ssh -c blowfish -X -C liberty.gnhlug.org

Heck, it wouldn't surprise me if ssh could pre-launch a script on a per-machine config with a variable such that one could genericize the above.

-Bill

-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
[EMAIL PROTECTED]               Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
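As an added example (not the poster's ~/bin/sshlib and not anything from the gnhlug list), the following POSIX sh script generalizes the knock-then-connect wrapper to any host and knock sequence, and also carries a small model of the four xt_recent rules so you can check what a given sequence of SYNs from one source does to its port-22 attempt, including the "sequential port scanner" case the mail mentions. The host liberty.gnhlug.org and the ports 1775/1776/1777/22 come from the mail; the script name knockssh and the mode names "full"/"minimal" are assumptions.

```shell
#!/bin/sh
# knockssh: a generic knock-then-connect wrapper in the spirit of ~/bin/sshlib.
# Added example, not the poster's script. Knock port 1776 and host
# liberty.gnhlug.org come from the mail; the name "knockssh" is an assumption.
#
#   usage: knockssh HOST KNOCK_PORT... -- [SSH_OPTION...]
#   e.g.   knockssh liberty.gnhlug.org 1776 -- -X -C

# Send one SYN to each knock port in order. The server DROPs them, so each
# nc call just times out after one second (-w 1); -z means "no payload".
knock() {
    host=$1; shift
    for port in "$@"; do
        nc -z -w 1 "$host" "$port" >/dev/null 2>&1 || :
    done
}

# Model of the four xt_recent rules from the mail, applied to one source
# address sending SYNs to PORT... in order. MODE is "full" (all four rules)
# or "minimal" (rules 1 and 3 only, i.e. without the 1775/1777 decoys).
# Prints the verdict for the last SYN in the sequence: ACCEPT or DROP.
#   1776        --set    remember the source, still DROP
#   1775, 1777  --remove forget the source, DROP      (full mode only)
#   22          --rcheck ACCEPT only if the source is remembered
simulate() {
    mode=$1; shift
    listed=0
    verdict=DROP
    for port in "$@"; do
        case $port in
            1776) listed=1; verdict=DROP ;;
            1775|1777)
                [ "$mode" = full ] && listed=0
                verdict=DROP ;;
            22) if [ "$listed" -eq 1 ]; then verdict=ACCEPT; else verdict=DROP; fi ;;
            *) verdict=DROP ;;   # other ports fall through to the rest of the chain; ignored here
        esac
    done
    echo "$verdict"
}

main() {
    host=$1; shift
    ports=
    while [ $# -gt 0 ] && [ "$1" != -- ]; do
        ports="$ports $1"; shift
    done
    [ "$1" = -- ] && shift
    # $ports is deliberately unquoted so each port becomes its own argument
    knock "$host" $ports
    exec ssh "$@" "$host"
}

# Only act as the wrapper when given arguments; otherwise the functions can be
# sourced and called directly (e.g. simulate full 1775 1776 1777 22).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Running `simulate full 1775 1776 1777 22` prints DROP while `simulate minimal 1775 1776 1777 22` prints ACCEPT, which is exactly why rules 2 and 4 matter against a scanner that walks ports in order. Two caveats on the rules as posted, from the xt_recent semantics: the `--rcheck` on the port-22 rule carries no `--seconds`, so once a source has knocked it stays allowed until it touches 1775 or 1777 (or is evicted when the list fills; the default list size is 100 entries), and adding `--seconds 30` to rule 1 closes that window. Also, the rules use `-A`; in a stock RH-Firewall-1-INPUT chain they must sit above the chain's final REJECT rule or they will never be reached. For the per-host generalization the mail speculates about, a `ProxyCommand` entry in ssh_config (with `%h` expanding to the host) can run the knock before the connection without any wrapper script.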