Enable sshd remotely
About
This tip shows how to make a PHP page that, together with a shell script, turns sshd on remotely. I found myself needing remote sshd only once in a great while, and I didn't want to set up a port knocking solution for something I rarely used. Included are the PHP page you can put in your Apache web space and the shell script that actually turns sshd on and off. I've made the defaults as easy to implement as possible.
If you load the PHP page in your browser, it writes the IP address of the client that loaded the page to /tmp/start_sshd.tmp. The shell script, run from root's cron every minute, checks whether this file exists, starts sshd, waits 5 minutes and then stops it again. This gives you a 5 minute window in which to connect to the server via ssh. Note that loading the page is not authenticated: anyone who knows the URL can open the window, so the page should be hard to find or access-controlled (see the Notes below).
The PHP script
| File: sshon.php |
<?php
// set some variables
$tmpFile = '/tmp/start_sshd.tmp';
// address of the client that loaded the page; behind a reverse proxy or NAT
// this is the proxy's address, not the client's
$ip = $_SERVER['REMOTE_ADDR'];
// open the file for writing, suppress errors (remove @ to see errors);
// the web server user must be allowed to create this file in /tmp
if ($fp = @fopen($tmpFile, 'w')) {
    // write the IP to the file
    fputs($fp, $ip);
    // close the file
    fclose($fp);
}
?>
|
The shell script
| File: sshon.sh |
#!/bin/bash
# A lock file prevents multiple copies running at the same time
TMPFILE="/tmp/start_sshd.tmp"
LOGFILE="/var/log/start_sshd.log"
LOCKFILE="/tmp/start_sshd.lck"
DATE=$(date)
# length of the ssh window in seconds; do not call this SECONDS, which is a
# bash built-in counter that keeps ticking after you assign to it
WINDOW="300"
if [ -s "${TMPFILE}" ] ; then
    # read the requesting IP only now that we know the file exists
    IP=$(< "${TMPFILE}")
    # check for a lock file
    if [ ! -e "${LOCKFILE}" ] ; then
        # create the lock file to prevent more than one of these running
        /usr/bin/touch "${LOCKFILE}"
        # write to the log
        echo "${DATE}: SSHD started from ${IP}" >> "${LOGFILE}"
        # remove the temp file
        rm "${TMPFILE}" > /dev/null 2>&1
        # start sshd
        /etc/init.d/sshd start > /dev/null 2>&1
        # wait for the window to pass
        sleep "${WINDOW}"
        # stop sshd again
        /etc/init.d/sshd stop > /dev/null 2>&1
        # remove the lock file to allow another copy to run
        rm "${LOCKFILE}"
    else
        # log multiple copy attempts
        echo "${DATE}: SSHD multiple copy attempt!" >> "${LOGFILE}"
        # remove temp file
        rm "${TMPFILE}" > /dev/null 2>&1
    fi
fi
|
If iptables is running on the system, an additional layer of protection can be added: keep port 22 closed on the external interface at all times and open it only for the requesting address while the window is open.
| Code: iptables commands |
Add this line to your iptables script, or /etc/conf.d/local.start, so that port 22 on the external interface is dropped by default (replace (EXTERNAL INTERFACE) with the interface name, e.g. eth0):
iptables -A INPUT -p tcp -i (EXTERNAL INTERFACE) --dport 22 -j DROP
Add this to the sshon.sh script right before the /etc/init.d/sshd start command. It is inserted (-I) at the top of the INPUT chain so that it is matched before the DROP rule above, and only for the address that requested the window:
iptables -I INPUT -p tcp -i (EXTERNAL INTERFACE) --dport 22 -s ${IP} -j ACCEPT
And finally, add this after sshd is stopped, so the exception is removed again:
iptables -D INPUT -p tcp -i (EXTERNAL INTERFACE) --dport 22 -s ${IP} -j ACCEPT
|
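The script above trusts whatever is in /tmp/start_sshd.tmp: the file lives in a world-writable directory and is written by the web server user, yet its content ends up as an argument to iptables run by root, and if the script is killed during its sleep the lock file stays behind and sshd stays up. The following hardened variant is an added example, not the script from this page or its author. It validates that the file holds exactly one IPv4 address before using it, takes the lock with mkdir (which either creates the directory or fails, with no check-then-touch race), and closes the window from an EXIT trap so the firewall rule and sshd are torn down even if the script is interrupted. It folds in the iptables rules from the previous section. The SSHON_* environment overrides, the EXT_IF default of eth0, the lock directory under /var/run and the 64-byte read limit are assumptions of this example, not settings from the page.

```shell
#!/bin/bash
# Hardened sshon.sh: added example, not the script from the original page.
# Assumed (not from the page): SSHON_* overrides, EXT_IF default, lock dir.
TMPFILE="${SSHON_TMPFILE:-/tmp/start_sshd.tmp}"
LOGFILE="${SSHON_LOGFILE:-/var/log/start_sshd.log}"
LOCKDIR="${SSHON_LOCKDIR:-/var/run/start_sshd.lock}"
WINDOW="${SSHON_WINDOW:-300}"
EXT_IF="${SSHON_EXT_IF:-eth0}"

log() { printf '%s: %s\n' "$(date)" "$*" >> "$LOGFILE"; }

# Accept exactly one dotted-quad IPv4 address (octets 0-255) and nothing else.
# The request file is in world-writable /tmp and is written by the web server
# user, so its content must never reach a root-run iptables unvalidated.
# IPv6 is deliberately rejected: the iptables rules below are IPv4 rules.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # bad chars, empty octet, edge dots
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Open the window for one validated address: the ACCEPT rule is inserted at
# the top of INPUT so it is matched before the permanent DROP on port 22.
open_window() {
    iptables -I INPUT -p tcp -i "$EXT_IF" --dport 22 -s "$1" -j ACCEPT
    /etc/init.d/sshd start > /dev/null 2>&1
}

# Tear everything down; safe to call more than once.
close_window() {
    /etc/init.d/sshd stop > /dev/null 2>&1
    iptables -D INPUT -p tcp -i "$EXT_IF" --dport 22 -s "$1" -j ACCEPT 2>/dev/null
    rmdir "$LOCKDIR" 2>/dev/null
}

main() {
    [ -s "$TMPFILE" ] || return 0              # no request pending
    ip=$(head -c 64 "$TMPFILE")                # never slurp an oversized file
    rm -f "$TMPFILE"
    if ! valid_ipv4 "$ip"; then
        log "rejected request file with invalid content"
        return 1
    fi
    # mkdir creates the lock or fails atomically; no check-then-touch race.
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        log "request from $ip ignored: a window is already open"
        return 1
    fi
    # Close the window on any exit, including cron killing the script mid-sleep.
    trap 'close_window "$ip"' EXIT INT TERM
    log "SSHD started for $ip, ${WINDOW}s window"
    open_window "$ip"
    sleep "$WINDOW"
    log "SSHD window for $ip closed"
}

main
```

The cron line from the next section works unchanged with this script; a second cron run during an open window simply fails to create the lock directory and logs it. Keep in mind that REMOTE_ADDR is the address the web server sees: behind a reverse proxy or NAT it is the proxy's address, and the ACCEPT rule would then be opened for the proxy rather than for you.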
Putting it together
- Copy the PHP page into your Web space.
- Copy the shell script into a file, like /usr/local/sbin/sshon.sh
- Make the file executable only by root: chmod 700 /usr/local/sbin/sshon.sh
- Add a cron entry for root: crontab -e.
| File: crontab entry |
* * * * * /usr/local/sbin/sshon.sh > /dev/null 2>&1
|
Now whenever you load the PHP page in the browser, sshd should start within a minute (at the next cron run) and stay up for 5 minutes.
Notes
I recommend you don't use the default name for the PHP page, and you can edit the HTML portion of the page to say whatever you like. Personally I make it look exactly like the 404 error page that Apache returns when you request a page that doesn't exist (do not forget to make it actually return the 404 HTTP response code). Disguising the page only hides it; anyone who finds the URL can still open the window.
The other, safer way is to create the page in a separate directory under htdocs and add a .htaccess file so that only you can access the page that creates the temp file, for example by restricting it to your source addresses or requiring HTTP authentication.