
port 22

Carry Private SSH RSA / DSA Key For Connection Using Unix / Linux Shell Script

How do I embed my RSA or DSA key file in the shell script itself for the connection, so that I need to carry only one file on my USB pen drive instead of the $HOME/.ssh/id_rsa file, under Unix / Linux operating systems?

Linux: Block Port With IPtables

How do I block a port number with iptables under Linux operating systems?

OpenSSH Hide Version Number From Clients

How do I hide the ssh version number from clients? When I type the following command it displays the server version number to end users:

ssh -v server2.example.com
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/vivek/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to server2.example.com [123.x.y.z] port 22.
debug1: Connection established.
debug1: identity file /home/vivek/.ssh/identity type -1
debug1: identity file /home/vivek/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/vivek/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4

telnet server2.example.com 22
Trying 123.x.y.z...
Connected to v.txvip1.
Escape character is '^]'.

Why does OpenSSH server report its version to clients?

CentOS SSH Installation And Configuration

How do I install and configure the ssh server and client under CentOS Linux operating systems?

Monit: Monitor SSHD Server and Auto Restart SSH If It Does Not Respond

Q. How do I monitor my ssh server with monit? How do I restart the ssh server if it does not respond or dies for any reason under Linux?

Iptables is not sending LOG to syslog file

Q. I am running SSH/MySQL/Webserver and have set up an iptables based firewall. But my logs are sent to the console rather than the system log files. How do I make sure that iptables LOG target messages are sent to the /var/log/messages file?

A. The iptables LOG module turns on kernel logging of matching packets. When this target is used in a rule, the Linux kernel prints some information about every matching packet (most IP header fields) to the kernel log, where it can be read with dmesg or collected by syslogd.

You can configure the level of logging with the option --log-level level. For example, to LOG all incoming TCP port 22 packets at the crit level (the LOG target only logs; a separate DROP rule is needed to actually drop the packets):
iptables -I INPUT -p tcp --dport 22 -j LOG --log-level crit

Read the man pages for iptables and syslog.conf for more info.
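Once the LOG messages are landing in /var/log/messages, the next question is what to do with them. The following is an added example (not part of the original post) that summarizes the kernel LOG lines for TCP port 22 by source address, so you can see who is hammering sshd. It assumes the LOG rule was given --log-prefix "SSH-DROP: " (an assumption, not something the post does), and the sample log lines are constructed to look like what syslogd writes for kernel messages:

```sh
#!/bin/sh
# Added example: summarize iptables LOG lines for TCP port 22 from a syslog file.
# Assumes the LOG rule used --log-prefix "SSH-DROP: " (an assumption, not from the post).

# Constructed sample lines in the shape syslogd writes kernel messages to /var/log/messages.
# They include an sshd line and a port 2222 line to show that both are ignored.
SAMPLE_LOG='Mar  5 10:01:02 host kernel: SSH-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=54321 DPT=22 SYN
Mar  5 10:01:03 host kernel: SSH-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=54322 DPT=22 SYN
Mar  5 10:01:05 host sshd[2201]: Accepted publickey for vivek from 198.51.100.7 port 40122 ssh2
Mar  5 10:01:09 host kernel: SSH-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40001 DPT=2222 SYN
Mar  5 10:01:11 host kernel: SSH-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=54323 DPT=22 SYN
Mar  5 10:01:12 host kernel: SSH-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=40002 DPT=22 SYN'

# Print "count source" for every SRC whose packets to TCP port 22 were logged, busiest first.
# Only kernel lines carrying the prefix are considered; sshd's own lines and other ports are skipped.
ssh_drop_sources() {
    printf '%s\n' "$1" | awk '
        /kernel: SSH-DROP: / && /PROTO=TCP/ && / DPT=22( |$)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) count[substr($i, 5)]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Total number of logged port-22 packets, handy for a per-interval alert threshold.
ssh_drop_total() {
    ssh_drop_sources "$1" | awk '{ n += $1 } END { print n + 0 }'
}

# Stand-alone run: list the sources found in the constructed sample.
ssh_drop_sources "$SAMPLE_LOG"
```

Against a real system, pass the file contents instead of the sample, for example `ssh_drop_sources "$(cat /var/log/messages)"`. The regex anchors DPT=22 on both sides so that port 2222 (or 220) is not counted by accident.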

Restrict SSH Access Using tcpd (TCPWrapper) on Linux or Unix

How do I use tcpd on Linux to restrict ssh access?

Restrict ssh access using Iptable

Q. How do I stop or restrict access to my OpenSSH (SSHD) server using a Linux iptables based firewall?

A. The Linux iptables firewall can be used to block or restrict access to the ssh server. The iptables command is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Alternatively, you can use tcpd, the access control facility for internet services.

Use iptables to Restrict ssh access

The following is a simple rule that blocks all incoming ssh access at port 22 ($SSH_SERVER_IP is a placeholder; set it to your ssh server's address):
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $SSH_SERVER_IP --dport 22 -m state --state NEW,ESTABLISHED -j DROP

However, in real life you need something like the following. Let us assume that your ssh server IP address is $SSH_SERVER_IP (a placeholder; substitute your own address), and remember that the ssh server uses TCP port 22 for all incoming connections. With iptables you can block all incoming connections at port 22 with the following two rules:

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $SSH_SERVER_IP --dport 22 -m state --state NEW,ESTABLISHED -j DROP
iptables -A OUTPUT -p tcp -s $SSH_SERVER_IP --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -j DROP

If you just want to deny access to a group of IPs, add the following loop to your script ($IPS holds the space-separated list of addresses to block):
for i in $IPS
do
  # one -s per rule: iptables rejects a rule with two -s options
  iptables -A INPUT -p tcp -s $i --sport 513:65535 -d $SSH_SERVER_IP --dport 22 -m state --state NEW,ESTABLISHED -j DROP
  iptables -A OUTPUT -p tcp -s $SSH_SERVER_IP --sport 22 -d $i --dport 513:65535 -m state --state ESTABLISHED -j DROP
done

Add all of the above rules to your iptables firewall shell script (do not type them at the shell prompt).
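The rules above deny specific addresses; in practice most admins want the reverse, an allow-list for ssh with everything else logged and dropped, which also ties in with the LOG question earlier on this page. The following is an added example of such a firewall script fragment, not code from the original post. The server address 192.0.2.10 and the ALLOWED networks are constructed values, and the DRY_RUN switch prints the rules instead of applying them so the output can be reviewed without root before it touches a live firewall:

```sh
#!/bin/sh
# Added example: allow ssh only from an allow-list and log, then drop, every other
# connection attempt to port 22. SSH_SERVER and ALLOWED are constructed values.
SSH_SERVER="192.0.2.10"                 # assumed address of the sshd host
ALLOWED="203.0.113.0/24 198.51.100.7"   # constructed allow-list (networks or hosts)
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the rules, 0 = apply them (needs root)

# Wrapper so the same rule set can be printed for review or applied for real.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

ssh_rules() {
    # Keep established sessions alive, including the one you are administering from.
    ipt -A INPUT -p tcp -d "$SSH_SERVER" --dport 22 -m state --state ESTABLISHED -j ACCEPT
    # New connections are accepted only from the allow-list.
    for net in $ALLOWED; do
        ipt -A INPUT -p tcp -s "$net" -d "$SSH_SERVER" --dport 22 -m state --state NEW -j ACCEPT
    done
    # Everything else aimed at port 22 is logged (rate-limited so a scan cannot flood syslog) and dropped.
    ipt -A INPUT -p tcp -d "$SSH_SERVER" --dport 22 -m limit --limit 5/min -j LOG --log-prefix "SSH-DROP: " --log-level crit
    ipt -A INPUT -p tcp -d "$SSH_SERVER" --dport 22 -j DROP
}

# Stand-alone run: with the default DRY_RUN=1 this only prints the rules.
ssh_rules
```

Rule order matters: the ESTABLISHED accept comes first so an existing session is never cut off while the script runs, the LOG rule sits directly before the final DROP so only rejected attempts are logged, and the prefix makes those lines easy to pick out of /var/log/messages later.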

See also: