Every way into your system is a potential security threat.

Let's focus on ssh (Secure Shell).
Even when there is no known security bug in ssh, attackers may have found a way in that they share (or sell) among themselves and that hasn't surfaced yet. And even if there were no bug in ssh at all, access mostly depends on username/password combinations, and we all know how weak those are, especially when they are typed in from untrusted systems.

We can make life a little more secure with a trick.
ssh access is blocked by default using iptables (the INPUT chain drops port 22), but visiting a secret URL on your website temporarily opens ssh access from the IP address that made the request. You still need a username and password to log in to the box, but a port scan will not show an ssh server running.

We need a small script that extracts the IP address of the computer that requested the page. The script returns a 404 error page, complete with the HTTP 404 status line, so that to anyone probing the URL it looks like a page that does not exist:

PHP:
  <?php
  # set some variables
  $TMPFILE = "/tmp/allow_sshd.tmp";
  # REMOTE_ADDR is filled in by the web server from the TCP connection;
  # do not use X-Forwarded-For or a URL parameter here, the client controls those
  $IP = $_SERVER["REMOTE_ADDR"];

  # open the file for writing, suppress errors (remove @ to see errors)
  if ($F = @fopen($TMPFILE, "w")) {
      # write the ip to the file
      fputs($F, $IP);
      # close the file
      fclose($F);
  }
  # the status line must be sent before any output
  header("HTTP/1.1 404 Not Found");
  ?>
  <html><head>
  <title>404 Not Found</title>
  </head><body>
  <h1>Not Found</h1>
  <p>The requested URL /secret-url.php was not found on this server.</p>
  <hr>
  <address>Apache Server at <a href="mailto:webmaster@yourserver.com">www.yourserver.com</a> Port 80</address>
  </body></html>

The IP address is written to a file in /tmp. As you may have noticed, nothing is passed as a URL parameter (e.g. http://www.yourserver.com/secret-url.php?ip=192.168.10.1 ), because anything the client can put in the URL is a potential security hole; the address is taken from REMOTE_ADDR, which the web server fills in from the TCP connection itself (behind a reverse proxy this will be the proxy's address, and the X-Forwarded-For header is not a safe substitute because the client chooses its contents). The PHP script also never touches iptables itself: it uses simple message passing, leaving the address in a file for a separate root script to pick up, so there is no direct coupling between a globally accessible web page and iptables. The flip side is that /tmp is writable by every local user, so the root script must treat the file's contents as untrusted input and check them before using them.

We use a bash script, run as root, to read the IP address and configure iptables:

CODE:
  #!/bin/bash
  TMPFILE="/tmp/allow_sshd.tmp"
  LOGFILE="/var/log/allow_sshd.log"
  LOCKFILE="/tmp/allow_sshd.lck"
  # timeframe (in seconds) for the ssh connection to be started
  # (not called SECONDS: that name is a bash built-in counter)
  TIMEOUT="300"
  # cron runs with a minimal PATH, so use the full path to iptables
  IPTABLES="/sbin/iptables"
  DATE=$(date)

  if [ -s "${TMPFILE}" ] ; then
      # read the ip-address the php script wrote (first line only)
      IP=$(head -n 1 "${TMPFILE}")
      # remove the temp file
      /bin/rm -f "${TMPFILE}" > /dev/null 2>&1

      # /tmp is world-writable, so only accept a plain dotted-quad before
      # handing it to iptables (iptables itself rejects octets above 255)
      if ! [[ "${IP}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] ; then
          echo "${DATE}: SSHD refused bad address '${IP}'" >> "${LOGFILE}"
          exit 1
      fi

      # check for a lock file
      if [ ! -e "${LOCKFILE}" ] ; then
          # create the lock file to prevent more than one of these running,
          # and remove it again however the script exits
          /bin/touch "${LOCKFILE}"
          trap '/bin/rm -f "${LOCKFILE}"' EXIT
          # write to the log
          echo "${DATE}: SSHD started from ${IP}" >> "${LOGFILE}"

          "${IPTABLES}" -I INPUT -p tcp --dport 22 -s "${IP}" -j ACCEPT
          # wait TIMEOUT seconds
          sleep "${TIMEOUT}"

          "${IPTABLES}" -D INPUT -p tcp --dport 22 -s "${IP}" -j ACCEPT
      else
          # log multiple copy attempts
          echo "${DATE}: SSHD multiple copy attempt!" >> "${LOGFILE}"
      fi
  fi

The script needs to run every minute to check for new IP addresses written to the tmp file, which is done with an entry in root's crontab (iptables needs root). Note that the rule is deleted again after the timeout, so an ssh session that is already up survives only if an earlier rule in the INPUT chain accepts packets of ESTABLISHED connections (the usual `-m state --state ESTABLISHED,RELATED -j ACCEPT`); the timeout is the window in which the connection must start, not a limit on the session.

* * * * * /usr/local/bin/allow-ssh.sh > /dev/null 2>&1
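Whatever reads the flag file runs as root and must not trust its contents: /tmp is writable by every local user, so someone on the box could plant `0.0.0.0/0` or extra iptables options there before the web server ever writes to it. The following is an added example (not part of the original tip or the Gentoo wiki page) of a small POSIX shell validator for that step. The function names `valid_ipv4` and `read_flag` and the sample addresses are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example: validate what the cron script reads from the flag file
# before it can reach iptables. Function names (valid_ipv4, read_flag) and
# the candidate addresses below are assumptions for this example.

# valid_ipv4 ADDR
#   returns 0 only if ADDR is exactly one dotted-quad IPv4 address:
#   four decimal octets 0-255, no leading zeros, no whitespace, no CIDR
#   suffix and no extra iptables options smuggled in.
valid_ipv4() {
    addr=$1
    # anything other than digits and dots (spaces, '/', '-', ':', newlines) is out
    case $addr in
        ''|*[!0-9.]*) return 1 ;;
    esac
    # split on dots; an empty field ("1..2.3", ".1.2.3") survives as ''
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|????*|0?*) return 1 ;;   # empty, 4+ digits, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# read_flag FILE
#   prints the validated address from FILE (CR/LF stripped) or returns 1
#   without printing anything, so a caller can do:
#     ip=$(read_flag "$TMPFILE") || exit 1
read_flag() {
    [ -s "$1" ] || return 1
    candidate=$(tr -d '\r\n' < "$1")
    valid_ipv4 "$candidate" || return 1
    printf '%s\n' "$candidate"
}

# Demo on constructed inputs: only the first one may ever be passed to
# "iptables -I INPUT -p tcp --dport 22 -s $ip -j ACCEPT"
for candidate in 203.0.113.7 '0.0.0.0/0' '203.0.113.7 -j ACCEPT' \
                 1.2.3 ::1 256.1.1.1 01.2.3.4 '1..2.3'; do
    if valid_ipv4 "$candidate"; then
        echo "accept: $candidate"
    else
        echo "reject: $candidate"
    fi
done
```

The whitelist approach (digits and dots only, then a per-octet check) is deliberately narrower than what iptables would accept: it rejects CIDR masks and anything that could word-split into additional arguments, which is exactly what an unquoted `${IP}` in an iptables command would otherwise let a local user inject.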

original version:
http://gentoo-wiki.com/TIP_turn_sshd_on_from_php