[{ALLOW view All}]
[{ALLOW edit Markus}]
[{ALLOW view All}]
[{ALLOW edit Markus}]
[{TableOfContents }]
! SSH
Change SSH Port
{{{
> sudo vi /etc/ssh/sshd_config # here is the port
Port xxx # set port here
ListenAddress :: # enable all ipv6
ListenAddress 0.0.0.0 # enable all ipv4
LogLevel DEBUG # change log level like INFO, DEBUG3
AllowUsers <user> # allow only this user
PermitRootLogin prohibit-password # activate to disable root
> sudo vi /etc/ssh/ssh_config # this is general
> cd /etc/ssh/sshd_config.d # check also sub configurations
> sudo systemctl status ssh # check status
> sudo service ssh restart # reload / restart
> sudo /etc/init.d/ssh restart # reload / restart alternative
> sudo netstat -pantWul # check connections
}}}
Check [port ranges|https://datatracker.ietf.org/doc/html/rfc6335#section-6], [Common Ports|https://de.wikipedia.org/wiki/Liste_der_Portnummern]
# System/well known ports: 0-1023
# User or registered ports: 1024-49151 <== use port from here
# Dynamic/private ports: 49152-65535
[Dynamic Dns and Remote ssh and VNC|https://chrisjrob.com/2011/04/05/dynamic-dns-and-remote-ssh-and-vnc/]
Windows
{{{
> ssh 2a02:5a0:4110:f590:4670:d3e6:1234:6547 -p 123 # with custom port
> ssh markus@192.168.188.76 # with username
> ssh pi5backup.v6.rocks -p 31415 ipv6 fe80::7ea5:7cb2:6563:1518 # with source ipv6
}}}
!Automatic updates
{{{
> sudo apt install unattended-upgrades
> sudo dpkg-reconfigure --priority=low unattended-upgrades
}}}
!Brute Force Attacks
Disable IPs on multiple failed 6 logins for 10 minutes
{{{
> sudo apt-get install fail2ban
> sudo vi /etc/fail2ban/jail.conf
}}}
!Logging
{{{
> sudo journalctl -b # since last boot
> sudo journalctl -k | grep netfilter
> sudo journalctl _COMM=sshd
> sudo journalctl --vacuum-time=1d # purge, keep last day
> sudo journalctl --vacuum-size=500M # purge, keep last 500MB
> sudo rm -r /var/log/journal/* # if purging does not help you can erase the whole file and restart
> systemctl restart systemd-journald
}}}
!! Restricting Access from three devices
! 1. Register your home computer (Windows) at a dyndns service to provide the current ipv6, see [dynv6.com|https://dynv6.com]
! 2. Windows: create script (I use python) to set local IP at dynv6
{{{
import socket # determine ipv6
import re # regular expression
import urllib.request # http
dynv6_domain = "your.dynv6.domain"
dynv6_token="your.token"
local_domain = socket.gethostname()
print('Checking DynV6', dynv6_domain, 'against', local_domain)
#ipv6_regex = "^([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}$"
ipv6_regex = "^([0-9a-fA-F]{1,4}:).*$"
##--- get LOCAL address ---
tupel = socket.getaddrinfo(local_domain, None, socket.AF_INET6, flags=socket.AI_CANONNAME)
local_ipv6 = ''
for item in tupel:
if(item[4][0].startswith('2a02')):
#print("item=", item)
local_ipv6 = item[4][0]
break
local_ipv6_valid = False
if re.search(ipv6_regex, local_ipv6):
local_ipv6_valid = True
if(local_ipv6_valid == False):
print("local_ipv6=", local_ipv6, " NOT VALID")
else:
print("local_ipv6=", local_ipv6, " IS VALID")
#--- get dynV6 address ---
tupel = socket.getaddrinfo(dynv6_domain, None, socket.AF_INET6)
dynv6_ipv6 = tupel[0][4][0]
dynv6_ipv6_valid = False
if re.search(ipv6_regex, dynv6_ipv6):
dynv6_ipv6_valid = True
if(dynv6_ipv6_valid == False):
print("dynv6_ipv6=", dynv6_ipv6, " NOT VALID")
else:
print("dynv6_ipv6=", dynv6_ipv6, " IS VALID")
if(not local_ipv6_valid or not dynv6_ipv6_valid):
print("one ipv6 is invalid, skipping update")
else:
if(local_ipv6 == dynv6_ipv6):
print("dynv6 ipv6 is up to date, skipping update")
else:
print("dynv6 differs from local ipv6 => UPDATING...")
url = "https://dynv6.com/api/update?hostname=" + dynv6_domain + "&token=" + dynv6_token + "&ipv6=" + local_ipv6
response = urllib.request.urlopen(url).read()
print(response)
}}}
! 3. Windows: schedule script to run each time the PC is booted, see "Aufgabenplanung" (task scheduler)
I scheduled this batch
{{{
echo off
REM set utf-8
chcp 65001
python "G:\Raspberry PI5 8GB\DynDNS\update_computer.py"
echo:
echo done
pause
}}}
! 4. Raspberry: create and set iptables ruleset, see [Firewall with iptables]
! 5. Raspberry: use python script to query the current ipv6 from dynv6 (Windows) and replace in iptables ruleset
Notes:
* package "python3-iptables" manages legacy ones only, [docu1|https://python-iptables.readthedocs.io/en/latest/examples.html], [docu2|https://ldx.github.io/python-iptables/]
* package "python3-nftables" manages nft tables, [docu|https://ral-arturo.org/2020/11/22/python-nftables-tutorial.html]
* alternatively you can use subprocess.run to call the original system commands (easiest)
{{{
#!/usr/bin/env python
import socket # determine ipv6
import subprocess
def set_dynv6_domain_into_ipv6tables(dynv6_domain, rulenum):
try:
print('------------------------------------------------------------')
print('set dynv6 domain', dynv6_domain, 'into ip6tables at position', rulenum)
tupel = socket.getaddrinfo(dynv6_domain, None, socket.AF_INET6)
# tupel like [(<AddressFamily.AF_INET6: 23>, 0, 0, '', ('2a02:5a0:4110:f590:4670:9876:1345:ee', 8384, 0, 0))]
print("tupel=", tupel)
ipv6=tupel[0][4][0]
print(dynv6_domain + " ipv6=", ipv6)
subprocess.run(["/usr/sbin/ip6tables", "-R", "INPUT", rulenum, "-s", ipv6, "-j", "ACCEPT"])
subprocess.run(["/usr/sbin/ip6tables", "-R", "OUTPUT", rulenum, "-d", ipv6, "-j", "ACCEPT"])
except BaseException:
print('FAILED TO GET', dynv6_domain)
set_dynv6_domain_into_ipv6tables('your.dynv6.domain.no1', '1')
set_dynv6_domain_into_ipv6tables('your.dynv6.domain.no2', '2')
set_dynv6_domain_into_ipv6tables('your.dynv6.domain.no3', '3')
}}}
! 6. Raspberry: schedule the ipv6 update in firewall (ip6tables) via crontab
Run every 5 minutes
{{{
> sudo crontab -u root -e # anything is activated on save automatically
# add following
*/5 * * * * /home/markus/update_ip6tables.py
}}}