[{ALLOW view All}]
[{ALLOW edit Markus}]
[{ALLOW view All}]
[{ALLOW edit Markus}]

[{TableOfContents }]

! Scope
* allow ssh
* enable ipv6 access only 
* enable access only from three computers

Steps:
# register your home computer (Windows) at a dyndns service to provide the current ipv6, see [dynv6.com|https://dynv6.com]
# Windows: create windows batch script to update dynv6
# Windows schedule script to run each time the PC is booted, see "Aufgabenplanung" (task scheduler)
# Raspberry: create and set iptables ruleset
# Raspberry: use python script to query the current ipv6 from dynv6 (Windows) and replace in iptables ruleset
# Raspberry: schedule the ipv6 update in firewall (ip6tables)

! SSH
Change SSH Port
{{{
> sudo vi /etc/ssh/sshd_config    # here is the port
    Port xx x                     # set port here
    ListenAddress ::              # enable all ipv6
    ListenAddress 0.0.0.0         # enable all ipv4    
    LogLevel DEBUG                # change log level like INFO, DEBUG3
    AllowUsers <user>             # allow only this user
    PermitRootLogin prohibit-password   # activate to disable root
> sudo vi /etc/ssh/ssh_config     # this is general
> cd /etc/ssh/sshd_config.d	  # check also sub configurations

> sudo systemctl status ssh       # check status
> sudo service ssh restart        # reload / restart
> sudo /etc/init.d/ssh restart    # reload / restart alternative
> sudo netstat -pantWul           # check connections
}}}
Check [port ranges|https://datatracker.ietf.org/doc/html/rfc6335#section-6]
# System/well known ports: 0-1023
# User or registered ports: 1024-49151    <== use port from here
# Dynamic/private ports: 49152-65535
[Dynamic Dns and Remote ssh and VNC|https://chrisjrob.com/2011/04/05/dynamic-dns-and-remote-ssh-and-vnc/]

Windows
{{{
> ssh 2a02:5a0:4110:f590:4670:d3e6:1234:6547 -p 123                # with custom port
> ssh markus@192.168.188.76                                        # with username
> ssh pi5backup.v6.rocks -p 31415 ipv6 fe80::7ea5:7cb2:6563:1518   # with source ipv6
}}}

!Automatic updates
{{{
> sudo apt install unattended-upgrades
> sudo dpkg-reconfigure --priority=low unattended-upgrades
}}}

!Brute Force Attacks
Disable IPs on multiple failed 6 logins for 10 minutes
{{{
> sudo apt-get install fail2ban
> sudo vi /etc/fail2ban/jail.conf
}}}

!Logging
{{{
> sudo journalctl -b  # since last boot
> sudo journalctl -k | grep netfilter
> sudo journalctl _COMM=sshd
> sudo journalctl --vacuum-time=1d        # purge, keep last day
> sudo journalctl --vacuum-size=500M      # purge, keep last 500MB 
> sudo rm -r /var/log/journal/*           # if purging does not help you can erase the whole file and restart
> systemctl restart systemd-journald
}}}

!2. Windows batch script to update dynv6 service
{{{
REM update_dynv6.bat

REM set utf-8
chcp 65001      

echo off
set domain=<your.domain.here>
set token=<youtTokenHere>

echo ---- check and update local ipv6 address at dynv6.com for %domain% ----

rem ping -n 1 -6 %domain%
for /F "tokens=3" %%i in ('"ping -n 1 -6 %domain% | findstr Antwort"')  do set dynv6_ipv6=%%i
rem cut last colon, example 2a02:5a0:4110:f590:29f6:40ba:51b4:b4da:
set dynv6_ipv6=%dynv6_ipv6:~0,-1%
echo dynv6 ipv6= %dynv6_ipv6%

rem ipconfig
rem echo ---------- extracting Temporäre IPv6-Adresse ----------
for /F "tokens=9" %%i in ('"ipconfig | findstr Temp | findstr 2a02"')  do set local_ipv6=%%i
echo local ipv6= %local_ipv6%

if %local_ipv6% == %dynv6_ipv6% (
    echo ipv6 at dynv6 is up to date, update skipped
) else (
    set url="https://dynv6.com/api/update?hostname=%domain%^&token=%token%&ipv6=%ipv6%"
    ECHO updating IPv6
    curl "%url%"   
)

echo:
echo done
pause
}}}

! iptables
{{{
> sudo ip6tables -nvL --line-numbers -L 
}}}
See my general ruleset at [Firewall with iptables] 

!! Python
* package "python3-iptables" manages legacy ones only, [docu1|https://python-iptables.readthedocs.io/en/latest/examples.html], [docu2|https://ldx.github.io/python-iptables/]
* package "python3-nftables" manages nft tables, [docu|https://ral-arturo.org/2020/11/22/python-nftables-tutorial.html]
* alternatively you can use subprocess.run to call the original system commands

! 5. subprocess
{{{
#!/usr/bin/env python
import socket   # determine ipv6
import subprocess

tupel = socket.getaddrinfo('your.pc.com', None, socket.AF_INET6)
# tupel like [(<AddressFamily.AF_INET6: 23>, 0, 0, '', ('2a02:5a0:4110:f590:4670:d3e6:f2bc:ee', 8384, 0, 0))]
print("tupel=", tupel)

ipv6=tupel[0][4][0]
print("ipv6=", ipv6)

subprocess.run(["/usr/sbin/ip6tables", "-R", "INPUT", "1", "-s", ipv6, "-j", "ACCEPT"])
subprocess.run(["/usr/sbin/ip6tables", "-R", "OUTPUT", "1", "-d", ipv6, "-j", "ACCEPT"])
}}}

! 6. Schedule script with crontab

Run every 5 minutes
{{{
> sudo crontab -u root -e    # anything is activated on save automatically
# add following
*/5 * * * * /home/markus/update_ip6tables.py
}}}