Gentoo Wiki

Enable_sshd_remotely


About

This tip shows how to make a PHP page that, together with a shell script, turns sshd on remotely. I found myself needing sshd remotely only once in a great while, and I didn't want to set up a port knocking solution for something I rarely used. Included are a PHP page you can put in your Apache webspace and the shell script that actually turns sshd on and off. The defaults are kept as easy to implement as possible.

When you load the PHP page in your browser, it writes the IP address of the client that requested the page to /tmp/start_sshd.tmp. The shell script, run from cron, checks whether this file exists, starts sshd, waits 5 minutes, then stops it again. This gives you a 5 minute window in which to connect to the server via ssh.

The PHP script

File: sshon.php
<?php

// set some variables
$tmpFile = '/tmp/start_sshd.tmp';
// address of the client that requested this page, as seen by Apache
$ip = $_SERVER['REMOTE_ADDR'];

// open the file for writing, suppress errors (remove @ to see errors)
if ($fp = @fopen($tmpFile, 'w')) {
  // write the IP to the file
  fwrite($fp, $ip);

  // close the file
  fclose($fp);
}

?>

The shell script

File: sshon.sh
#!/bin/bash
# A lock file prevents multiple copies running at the same time
TMPFILE="/tmp/start_sshd.tmp"
LOGFILE="/var/log/start_sshd.log"
LOCKFILE="/tmp/start_sshd.lck"
DATE=$(date)
# Length of the ssh window in seconds. Not called SECONDS: that is a
# bash variable that counts up from the moment it is assigned.
DURATION="300"

if [ -s "${TMPFILE}" ] ; then
    # read the client address written by the PHP page; only done once we
    # know the file exists, so cron does not log a read error every minute
    IP=$(< "${TMPFILE}")
    #check for a lock file
    if [ ! -e "${LOCKFILE}" ] ; then
        #create the lock file to prevent more than one of these running
        /usr/bin/touch "${LOCKFILE}"
        #write to the log
        echo "${DATE}: SSHD started from ${IP}" >> "${LOGFILE}"
        #remove the temp file
        rm "${TMPFILE}" > /dev/null 2>&1
        #start sshd
        /etc/init.d/sshd start > /dev/null 2>&1
        #wait DURATION seconds
        sleep "${DURATION}"
        #stop sshd again
        /etc/init.d/sshd stop > /dev/null 2>&1
        #remove the lock file to allow another copy to run
        rm "${LOCKFILE}"
    else
        #log multiple copy attempts
        echo "${DATE}: SSHD multiple copy attempt!" >> "${LOGFILE}"
        #remove temp file
        rm "${TMPFILE}" > /dev/null 2>&1
    fi
fi

For those who have iptables running on the system, an additional layer of security may be implemented as follows: port 22 is dropped on the external interface by default, and an ACCEPT rule for the requesting address alone is inserted for the duration of the window.

Code: iptables commands
Add this line to your iptables script, or /etc/conf.d/local.start (replace (EXTERNAL INTERFACE) with the name of your external interface, e.g. eth0):
 iptables -A INPUT -p tcp -i (EXTERNAL INTERFACE) --dport 22 -j DROP
And add this to the sshon.sh script right before the /etc/init.d/sshd start command:
 iptables -I INPUT -p tcp -i (EXTERNAL INTERFACE) --dport 22 -s ${IP} -j ACCEPT
And finally, add this after we stop sshd:
 iptables -D INPUT -p tcp -i (EXTERNAL INTERFACE) --dport 22 -s ${IP} -j ACCEPT

Putting it together

File: crontab entry
* * * * * /usr/local/sbin/sshon.sh > /dev/null 2>&1

Now whenever you load the PHP page in the browser, cron picks up the trigger file within a minute and sshd starts, staying up for 5 minutes.
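The address in /tmp/start_sshd.tmp is written by the web server, but /tmp is shared with every local user, and whatever the file contains ends up spliced into an iptables rule as ${IP}. The following is an added example, not the wiki's own sshon.sh: it combines the shell script and the iptables rules from this page, validates that the trigger file holds a well-formed IPv4 address before using it, and uses a lock directory (mkdir is atomic, touch is not). The interface name, the lock path and the helper names (is_valid_ipv4, read_trigger_ip, open_window) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the wiki's script): sshon.sh with input validation and
# the per-address iptables rules folded in. Paths and EXT_IF are assumptions.

TMPFILE="/tmp/start_sshd.tmp"
LOGFILE="/var/log/start_sshd.log"
LOCKDIR="/tmp/start_sshd.lock"   # a directory: mkdir either succeeds or fails atomically
EXT_IF="eth0"                    # assumed external interface name
DURATION=300                     # seconds the window stays open

log() {
    echo "$(date): $*" >> "$LOGFILE"
}

# Succeeds only for a dotted-quad IPv4 address with octets 0..255.
# Hostnames, option-like strings and IPv6 literals are rejected.
is_valid_ipv4() {
    ip=$1
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the address from the trigger file when it is valid; prints nothing
# and fails otherwise. The file is untrusted input, not a configuration file.
read_trigger_ip() {
    file=$1
    [ -s "$file" ] || return 1
    ip=$(head -n 1 "$file" | tr -d '[:space:]')
    is_valid_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# One cron run: consume the trigger, open sshd for DURATION seconds for the
# requesting address only, then close everything again.
open_window() {
    [ -s "$TMPFILE" ] || return 0       # nothing requested this minute
    ip=$(read_trigger_ip "$TMPFILE")
    rm -f "$TMPFILE"                    # consume the trigger either way
    if [ -z "$ip" ]; then
        log "SSHD trigger ignored: malformed address in $TMPFILE"
        return 1
    fi
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        log "SSHD multiple copy attempt from $ip"
        return 1
    fi
    trap 'rmdir "$LOCKDIR" 2>/dev/null' EXIT
    log "SSHD started from $ip"
    iptables -I INPUT -p tcp -i "$EXT_IF" --dport 22 -s "$ip" -j ACCEPT
    /etc/init.d/sshd start >/dev/null 2>&1
    sleep "$DURATION"
    /etc/init.d/sshd stop >/dev/null 2>&1
    iptables -D INPUT -p tcp -i "$EXT_IF" --dport 22 -s "$ip" -j ACCEPT
    log "SSHD stopped, window for $ip closed"
    rmdir "$LOCKDIR"
}

# Open a window only when executed as sshon.sh (e.g. from cron); sourcing the
# file just defines the functions.
case "${0##*/}" in
    sshon.sh) open_window ;;
esac
```

Install it as /usr/local/sbin/sshon.sh with the same crontab entry as above and keep the default DROP rule for port 22 in place; a malformed trigger is logged and discarded rather than reaching iptables.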

Notes

I recommend you don't use the default name for the PHP page, and you can edit the HTML portion to fit whatever you'd like it to say. Personally I make it look exactly like the 404 error page that comes up when you request a page from Apache that doesn't exist (do not forget to make it actually return 404 HTTP response code).

The other, safer way is to create this page in a separate directory under htdocs and add a .htaccess file so that only you can access the page that creates the temp file.


Retrieved from "http://www.gentoo-wiki.info/Enable_sshd_remotely"

Last modified: Sat, 06 Sep 2008 13:27:00 +0000 Hits: 13,426