Protect SSH with IP Authentication

One of the more prevalent attack vectors abused by bad actors is brute force attack against access controls. Coincidently, one of the more effective defensive controls available to administrators is to adopt a deny-all mindset when deploying defensive controls.

One very effective way of doing this with access controls is to block all users by default and whitelist authorized users. Our SSH IPauth service helps streamline this process for administrators.

How SSH IPAuth Works

To help administrators create their own whitelist control list, we created an authentication key pair for your server to authenticate your current IP address to a desired server.

It is divided into 2 parts:

Part Explanation
authentication URL This is used to dynamically capture your local IP. Please bookmark this link.
server Key URL This is used to dynamically pull the new local IP.

The design allows you to deploy a whitelist model on your server. Save the authentication url (e.g.,bookmark in your browser) and use the server key URL to pull the new IP address. This is good if your IP changes a lot but still want to employ a whitelist model (e.g., travel).

How to Use SSH IP Auth

From your NOC dashboard, navigate to the SSH IPauth menu option in the navigation pane.

NOC SSH Authenticaiton Settings

From there, create the user you want to bind an IP to. In my case, I have one for Tony (me), and what you see a unique URL slug (the authentication url) for this user.

In this example, you see the following values for my new user:

Part Explanation
authentication URL
server Key URL

To use, save the authentication URL in your favorite bookmarks, or create a cron job to knock on it every 5 minutes.

Then deploy the server Key URL to your server via a cron job using something like this.

*/5 * * * * ipauthip=`curl -s --max-time 10 | grep "success: ip address:" | cut -d " " -f 4 |grep -Eo "^[0-9\.]+$"`; storedipauth=`cat /var/run/ipauth 2>/dev/null`; if [ ! "x$storedipauth" = "x$ipauthip" ]; then echo "whitelisting new ip: $ipauthip"; /sbin/iptables -I INPUT -s $ipauthip -j ACCEPT; echo $ipauthip > /var/run/ipauth; fi

This assumes you're using something like IPTables for your firewall.

Alternatively, you can deploy it via a shell script like this:

        CURIP=`curl --max-time 5 -s "" | 
        grep "success" | cut -d ":" -f 3 | cut -d "," -f 1`
        rm -f /root/ipt1
        /sbin/iptables -nL > /root/ipt1
        if [ ! "x$CURIP" = "x" ]; then
            grep "ACCEPT" /root/ipt1 |grep "$CURIP" >/dev/null 2>&1
            if [ ! $? = 0 ]; then
            /sbin/iptables -I INPUT --source "$CURIP"  -j ACCEPT -m comment --comment "IPAuth IP: $CURIP"

        rm -f /root/ipt1

And call it via a cron job like this:

# crontab -e
*/2 * * * * /etc/path/to/your/file/

Posted in   Product_Configuration   Feature   Security   SSH     by trunc_team

Improve Your Websites Speed and Security