Scope#
- allow ssh
- enable ipv6 access only
- enable access only from three computers
Steps:
- register your home computer (Windows) at a dyndns service to provide the current ipv6, see dynv6.com
- Windows: create windows batch script to update dynv6
- Windows schedule script to run each time the PC is booted, see "Aufgabenplanung" (task scheduler)
- Raspberry: create and set iptables ruleset
- Raspberry: use python script to query the current ipv6 from dynv6 (Windows) and replace in iptables ruleset
- Raspberry: schedule the ipv6 update in firewall (ip6tables)
SSH#
Change SSH Port
> sudo vi /etc/ssh/sshd_config # here is the port
Port xx x # set port here
ListenAddress :: # enable all ipv6
ListenAddress 0.0.0.0 # enable all ipv4
LogLevel DEBUG # change log level like INFO, DEBUG3
AllowUsers <user> # allow only this user
PermitRootLogin prohibit-password # activate to disable root
> sudo vi /etc/ssh/ssh_config # this is general
> cd /etc/ssh/sshd_config.d # check also sub configurations
> sudo systemctl status ssh # check status
> sudo service ssh restart # reload / restart
> sudo /etc/init.d/ssh restart # reload / restart alternative
> sudo netstat -pantWul # check connections
Check port ranges
- System/well known ports: 0-1023
- User or registered ports: 1024-49151 <== use port from here
- Dynamic/private ports: 49152-65535
Automatic updates#
> sudo apt install unattended-upgrades > sudo dpkg-reconfigure --priority=low unattended-upgrades
Brute Force Attacks#
Disable IPs on multiple failed 6 logins for 10 minutes> sudo apt-get install fail2ban > sudo vi /etc/fail2ban/jail.conf
Logging#
> sudo journalctl -b # since last boot > sudo journalctl -k | grep netfilter > sudo journalctl --vacuum-time=1d # purge, keep last day > sudo journalctl --vacuum-size=500M # purge, keep last 500MB > # if purging does not help you can erase the whole file and restart > systemctl restart systemd-journald
2. Windows batch script to update dynv6 service#
REM update_dynv6.bat
REM set utf-8
chcp 65001
echo off
set domain=<your.domain.here>
set token=<youtTokenHere>
echo ---- check and update local ipv6 address at dynv6.com for %domain% ----
rem ping -n 1 -6 %domain%
for /F "tokens=3" %%i in ('"ping -n 1 -6 %domain% | findstr Antwort"') do set dynv6_ipv6=%%i
rem cut last colon, example 2a02:5a0:4110:f590:29f6:40ba:51b4:b4da:
set dynv6_ipv6=%dynv6_ipv6:~0,-1%
echo dynv6 ipv6= %dynv6_ipv6%
rem ipconfig
rem echo ---------- extracting Temporäre IPv6-Adresse ----------
for /F "tokens=9" %%i in ('"ipconfig | findstr Temp | findstr 2a02"') do set local_ipv6=%%i
echo local ipv6= %local_ipv6%
if %local_ipv6% == %dynv6_ipv6% (
echo ipv6 at dynv6 is up to date, update skipped
) else (
set url="https://dynv6.com/api/update?hostname=%domain%^&token=%token%&ipv6=%ipv6%"
ECHO updating IPv6
curl "%url%"
)
echo:
echo done
pause
iptables#
> sudo ip6tables -nvL --line-numbers -LSee my general ruleset at Firewall with iptables
Python#
- package "python3-iptables" manages legacy ones only, docu1, docu2
- package "python3-nftables" manages nft tables, docu
- alternatively you can use subprocess.run to call the original system commands
5. subprocess#
#!/usr/bin/env python
import socket # determine ipv6
import subprocess
tupel = socket.getaddrinfo('your.pc.com', None, socket.AF_INET6)
# tupel like [(<AddressFamily.AF_INET6: 23>, 0, 0, '', ('2a02:5a0:4110:f590:4670:d3e6:f2bc:ee', 8384, 0, 0))]
print("tupel=", tupel)
ipv6=tupel[0][4][0]
print("ipv6=", ipv6)
subprocess.run(["/usr/sbin/ip6tables", "-R", "INPUT", "1", "-s", ipv6, "-j", "ACCEPT"])
subprocess.run(["/usr/sbin/ip6tables", "-R", "OUTPUT", "1", "-d", ipv6, "-j", "ACCEPT"])
6. Schedule script with crontab#
Run every 5 minutes
> sudo crontab -u root -e # anything is activated on save automatically # add following */5 * * * * /home/markus/update_ip6tables.py
No Copyright