Cloud Setup
- Using sshd_conf from my other place configure a bastion to run on 2 ports
- use the other random port to help you set all this up!
- expose them on GCP
- also expose udp/62201 for the knock (62201 is the default, but you can change in the config)
- on a debian instance install fwknop-server
- configure iptables as follows:
$ iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -j DROP
$ iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
client
- install fwknop (sometimes called fwknop-client)
- use
fwknop -K keys.txt
to gen the key and HMAC key for your SPA
- add these to ~/.fwknoprc like so:
[bastion]
SPA_SERVER <Target IP>
ACCESS tcp/22
KEY_BASE64 <BASE64>
HMAC_KEY_BASE64 <BASE64>
USE_HMAC Y
server
- copy across the key data to /etc/fwknop/access.conf
- run
$ sudo fwknopd -S
to check its status
- run
$ sudo fwknopd -R
to restart it with the new settings
- double check your iptables setup looks ok
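An added check (not from the original notes) for the "double check your iptables setup" step: it reads `iptables -S INPUT` output and confirms that the ESTABLISHED,RELATED accept and fwknopd's jump to its own chain both sit above the tcp/22 DROP, which is not the case if the DROP was inserted after fwknopd had already started. FWKNOP_INPUT is fwknopd's default chain name; the two rule dumps below are constructed samples.

```shell
#!/usr/bin/env bash
# check_input_order reads `iptables -S INPUT` style output on stdin and returns
# 0 when the rule order lets SPA open port 22, 1 otherwise. fwknopd puts a jump
# to FWKNOP_INPUT at the top of INPUT; that jump and the ESTABLISHED,RELATED
# accept must both precede the tcp/22 DROP or knocked-open sessions never match.
check_input_order() {
  local n=0 est=0 knock=0 drop=0 line
  while IFS= read -r line; do
    case "$line" in
      "-A INPUT "*) ;;      # only rules in INPUT, skip the -P policy line
      *) continue ;;
    esac
    n=$((n + 1))
    case "$line" in
      *"ESTABLISHED,RELATED"*"-j ACCEPT"*) [ "$est" -eq 0 ] && est=$n ;;
      *"-j FWKNOP_INPUT"*)                 [ "$knock" -eq 0 ] && knock=$n ;;
      *"--dport 22 "*"-j DROP"*)           [ "$drop" -eq 0 ] && drop=$n ;;
    esac
  done
  # all three rules must be present, and the DROP must be the last of them
  [ "$est" -gt 0 ] && [ "$knock" -gt 0 ] && [ "$drop" -gt 0 ] || return 1
  [ "$est" -lt "$drop" ] && [ "$knock" -lt "$drop" ]
}

# Constructed sample: the state after the two iptables -I commands, with
# fwknopd started afterwards so its chain jump landed at position 1.
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -j FWKNOP_INPUT
-A INPUT -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP'

# Constructed sample: fwknopd was already running when the -I INPUT 1 DROP was
# added, so the DROP now sits above the FWKNOP_INPUT jump and new knocked
# connections are dropped before fwknopd's accept rule is ever consulted.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -j FWKNOP_INPUT'

# On the bastion itself:  sudo iptables -S INPUT | check_input_order && echo OK
```

If the check fails, `sudo fwknopd -R` re-inserts the FWKNOP_INPUT jump at the top of the chain.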
client
- run
fwknop -n bastion -R --verbose
- Provided this is successful, you should now be able to log in on SSH port 22 :D