For many years I've been running ssh reverse tunnels on portable Linux, OpenWRT, Android etc. hosts so they can be accessed from a server whose IP is stable (I call such a server a "nexus host"). Increasingly there's a problem with brute force attacks on the nexus host's tunnel ports. The attack is forwarded to the portable tunneling host, where it fails, but it chews up a lot of resources and wants to be stopped. At the portable tunneling host, fail2ban can't be used to block the attacker's IP because when the attack arrives, it appears to the ssh daemon to be arriving from localhost (127.0.0.1). I'm not sure the attacker's IP can even be known at the portable host (openssh developers: can it?), and anyway it needs to be blocked by the nexus host before it can chew up yet more bandwidth. The right answer might involve having the portable tunneling host inform the nexus host that an attack was forwarded on a particular port at a particular time. Then the nexus host, having kept a lot of records of such things, would look up the miscreant IP on that basis, add it to the banned ipset, and the attack would stop. Sounds inelegant and perhaps dangerous. Thoughts?
Hi, On Thu, Apr 25, 2024 at 11:14:56AM -0400, Steve Newcomb wrote:> For many years I've been running ssh reverse tunnels on portable Linux, > OpenWRT, Android etc. hosts so they can be accessed from a server whose IP > is stable (I call such a server a "nexus host").I tend to close everything "towards the Internet", except a single SSH port which is then set to pubkey-only. So you'd need to login to the nexus host and jump onwards from there ("ssh -J nexus-host" :) ) - which is not what you have been asking for, but might be easier to achieve. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany gert at greenie.muc.de