Logging connections

Ramin Alidousti ramin@UU.NET
Tue, 19 Jun 2001 13:07:38 -0400


On Tue, Jun 19, 2001 at 05:32:29PM +0100, Nigel Morse wrote:

> On my firewall I would like to open SSH so that I can login from home and do
> stuff or use it for tunneling.  However I get very nervous about opening
> anything up - especially on my firewall box so I want some logging.

If there is another sshd server behind the firewall then open the firewall
to pass traffic to that host and then have the sshd daemon running on your
firewall on the internal interface and connect to it from inside.

Ramin

> 
> Leaving aside how much of a bad idea this is I can log packets with the syn
> bit set for connection attempts - and I will know when I attempt this so I
> can eliminate those. 
> 
> However I want to distinguish between hackers actually gaining access from
> simple port scans.  A simple port scan will send a SYN packet but no more.
> An attempt to log in will have further packets sent. So I could just log any
> packets coming to port 22.  
> 
> But, I don't want my logs flooded, so I could use a limit - but then if I'm
> logged in and I get an attack, the attacker's packets may not get logged.
> Therefore is there a way to log the SYN packet, and then the next packet
> inwards associated with that connection but no more? 
> 
> It's sort of like an extension to the -m state which will only match for the
> first non-SYN packet of a connection. Can anyone think of a clever way round
> this (or even a non-clever way would do!)
> 
> Cheers
> Nigel
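The log-side half of what Nigel describes, as an added example that is not part of this thread: a small Python script that reads iptables LOG lines, groups them by TCP flow, and separates flows that only ever showed a SYN (a port scan) from flows where further packets followed (a real connection attempt). It also emulates in userspace the reduction he asked for in the kernel, keeping only the first SYN and the first non-SYN packet of each flow. The log lines, addresses, timestamps and the "SSH-IN:" log prefix are constructed for the example; the parser assumes the 2.4-era netfilter LOG format with KEY=VALUE fields and bare flag tokens (SYN, ACK, PSH, ...).

```python
import re

# Constructed sample of netfilter LOG output (2.4-era key=value format).
# Three flows to port 22: one bare SYN (scan), one SYN followed by ACK/PSH
# packets (a session), and another bare SYN from a different source.
SAMPLE_LOG = """\
Jun 19 17:40:12 fw kernel: SSH-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.1 LEN=60 TTL=51 ID=1 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 17:41:03 fw kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.1 LEN=60 TTL=58 ID=2 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 17:41:03 fw kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.1 LEN=52 TTL=58 ID=3 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Jun 19 17:41:04 fw kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.1 LEN=74 TTL=58 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jun 19 17:41:05 fw kernel: SSH-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.1 LEN=52 TTL=58 ID=5 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
Jun 19 17:42:30 fw kernel: SSH-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=60 TTL=44 ID=6 DF PROTO=TCP SPT=3021 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Turn one LOG line into a dict of fields plus a frozenset of TCP flags.

    Returns None for lines that are not netfilter TCP log entries.
    """
    if "kernel:" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    # Flags are logged as bare words, so they never match KEY=VALUE above.
    fields["FLAGS"] = frozenset(FLAG_NAMES & set(line.split()))
    return fields


def is_syn_only(pkt):
    """True for the initial SYN (SYN set, ACK clear); a SYN/ACK is not a scan probe."""
    return "SYN" in pkt["FLAGS"] and "ACK" not in pkt["FLAGS"]


def group_flows(log_text):
    """Group packets by (SRC, SPT, DST, DPT), preserving log order within a flow."""
    flows = {}
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["SRC"], pkt["SPT"], pkt["DST"], pkt["DPT"])
        flows.setdefault(key, []).append(pkt)
    return flows


def classify(packets):
    """'scan' if the flow only ever showed SYNs; 'session' once anything else arrived."""
    for pkt in packets:
        if not is_syn_only(pkt):
            return "session"
    return "scan"


def summarize(log_text):
    """Map every flow seen in the log to 'scan' or 'session'."""
    return {key: classify(pkts) for key, pkts in group_flows(log_text).items()}


def reduce_flow(packets):
    """Userspace version of the requested kernel behaviour: keep the first SYN and
    the first non-SYN packet of a flow, drop everything after that."""
    first_syn = next((p for p in packets if is_syn_only(p)), None)
    first_followup = next((p for p in packets if not is_syn_only(p)), None)
    return [p for p in (first_syn, first_followup) if p is not None]


if __name__ == "__main__":
    for key, verdict in summarize(SAMPLE_LOG).items():
        src, spt, dst, dpt = key
        print(f"{src}:{spt} -> {dst}:{dpt}  {verdict}")
```

Run against a full syslog stream this gives the scan-versus-session split directly; the reduction function shows what the kernel-side "SYN plus first follow-up" rule would leave behind, but it only helps the disk, not the rate limit: if the firewall itself applies -m limit before logging, the packets this script never sees are the ones Nigel is worried about losing.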