Last active
June 30, 2016 19:48
/etc/ufw/after.rules patch to allow SSH when "knocking harder"
--- a/after.rules 2012-04-05 13:16:41.000000000 -0500 | |
+++ b/after.rules 2015-04-02 09:10:19.911426348 -0500 | |
@@ -13,6 +13,8 @@ | |
:ufw-after-input - [0:0] | |
:ufw-after-output - [0:0] | |
:ufw-after-forward - [0:0] | |
+# new chain just for knocking connections: after input so user rules take precedence | |
+:ufw-after-input-ssh - [0:0] | |
# End required lines | |
# don't log noisy services by default | |
@@ -26,5 +28,13 @@ | |
# don't log noisy broadcast | |
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input | |
+# allow connections from any source, provided they "knock harder" | |
+-A ufw-after-input-ssh -m recent ! --rcheck --rsource --name ssh-knock --seconds 4 --hitcount 3 -j RETURN | |
+-A ufw-after-input-ssh -m recent --remove --rsource --name ssh-knock -j LOG --log-prefix "[UFW SSH KNOCK SUCCESS] " -m limit --limit 3/min --limit-burst 10 | |
+-A ufw-after-input-ssh -j ACCEPT | |
+ | |
+# send new SSH connections to the knock chain above | |
+-A ufw-after-input -p tcp --dport 22 -m state --state NEW -m recent --set --rsource --name ssh-knock -j ufw-after-input-ssh | |
+ | |
# don't delete the 'COMMIT' line or these rules won't be processed | |
COMMIT |
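Review bot: The "knock" that the new ufw-after-input-ssh chain checks is only three NEW SYNs to port 22 from one source inside four seconds (`--seconds 4 --hitcount 3` on the RETURN rule), and a stock TCP client produces that by itself — a Linux client, for instance, retransmits an unanswered SYN at roughly 1 s and 3 s — so a brute-forcer driving the OS stack gets through on its third SYN and the filter really only stops single-probe scanners. That is fine as noise reduction, but the rules should say so rather than read as port knocking or authentication; I would put `# NOTE: not authentication - an ordinary client's SYN retransmits satisfy this within the window; keep key-only auth / fail2ban` above the `-A ufw-after-input-ssh` rules. The `--remove` on the LOG rule is carried out only because `-m recent` precedes `-m limit` (matches are evaluated in order and stop at the first failure), which is fragile; splitting it into its own targetless `-A ufw-after-input-ssh -m recent --remove --rsource --name ssh-knock` rule, followed by the LOG rule without `--remove`, makes the reset independent of log rate-limiting. Lastly, xt_recent keeps a bounded per-list table (the module's `ip_list_tot` default is small, about 100 entries, if I recall correctly), so a wide scan can evict a legitimate client's entry between its SYNs; worth a comment or a larger `ip_list_tot` if that matters here.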