Oct 25 2009

Sometimes we want to restrict ssh connections to just our own network, to prevent abusive login attempts.

This is how to do it with iptables:

# iptables -F
# iptables -N SSHD

# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s 1.2.3.4/24 -j RETURN
# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s 5.6.7.8/24 -j RETURN
# iptables -A SSHD -m state --state NEW,RELATED,ESTABLISHED -s a.b.c.d/24 -j RETURN
# iptables -A SSHD -j REJECT --reject-with icmp-host-prohibited

# iptables -A INPUT -p tcp -m tcp --dport 22 -j SSHD

All connections, except those from the networks we’ve defined in iptables, will be rejected with icmp-host-prohibited.

# iptables -nvL
Chain INPUT (policy ACCEPT 934K packets, 529M bytes)
 pkts bytes target     prot opt in     out     source               destination        
 3252  207K SSHD       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain SSHD (1 references)
 pkts bytes target     prot opt in     out     source               destination
  717 35832 RETURN     all  --  *      *       1.2.3.4/24      0.0.0.0/0           state NEW,RELATED,ESTABLISHED
 2535  171K RETURN     all  --  *      *       5.6.7.8/24      0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 RETURN     all  --  *      *       a.b.c.d/24      0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      *       0.0.0.0/0       0.0.0.0/0           reject-with icmp-host-prohibited
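One way to script the chain above, as an added example that is not part of the original post: it validates each allowed network as an IPv4 CIDR, uses iptables -C so that re-running it does not append duplicate rules, flushes only the SSHD chain rather than every chain, and with DRY_RUN=1 prints the commands instead of applying them. It assumes iptables is on PATH and that the script runs as root; any networks passed on the command line are placeholders of your own.

```shell
#!/bin/sh
# Added example, not from the original post: build the SSHD chain from a list of
# allowed IPv4 networks, validating each CIDR and skipping rules already present.
# Assumes iptables is on PATH and the script runs as root; with DRY_RUN=1 the
# commands are printed instead of applied. Only the SSHD chain is flushed.

CHAIN="SSHD"

# Return 0 if $1 is a well-formed IPv4 CIDR (a.b.c.d/nn), 1 otherwise.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; plen="${1#*/}"
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run an iptables command, or just print it in dry-run mode.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Append a rule only if an identical one is not already present (-C checks).
add_rule() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -C "$@" 2>/dev/null; then
        ipt -A "$@"
    fi
}

# Allowed networks RETURN to INPUT; everything else reaching the chain is rejected.
build_sshd_chain() {
    ipt -N "$CHAIN" 2>/dev/null || ipt -F "$CHAIN"
    for net in "$@"; do
        if valid_cidr "$net"; then
            add_rule "$CHAIN" -m state --state NEW,RELATED,ESTABLISHED -s "$net" -j RETURN
        else
            echo "skipping invalid network: $net" >&2
        fi
    done
    add_rule "$CHAIN" -j REJECT --reject-with icmp-host-prohibited
    add_rule INPUT -p tcp -m tcp --dport 22 -j "$CHAIN"
}
if [ $# -gt 0 ]; then build_sshd_chain "$@"; fi
```

Run it as "DRY_RUN=1 sh sshd-chain.sh 192.0.2.0/24 198.51.100.0/24" to review the rules first, then without DRY_RUN to apply them.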
Aug 30 2009

First, we should set up ssh auto login:

# ssh-keygen -t dsa -f ~/.ssh/identity && cat ~/.ssh/identity.pub | ssh -l remote-user remote-ip -p 22 'sh -c "cat - >>~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"'
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 

When generating the dsa key you’ll be asked for a passphrase (twice); just press “enter”.

Your identification has been saved in /root/.ssh/identity.
Your public key has been saved in /root/.ssh/identity.pub.
The key fingerprint is:
7e:16:db:7f:96:8f:23:70:4f:ca:0d:55:58:c8:38:31 local-user@local-ip
remote-user@remote-ip's password: 

Enter the remote-user password.

Now, test the ssh auto login:

local-ip$ ssh -l remote-user remote-ip
Last login: Sun Aug 30 13:09:24 2009 from local-ip
remote-ip$ logout

OK, it works.

Now I want to back up my local data to the remote server.

Say my local data is in /var/data/ (on the local server), and I want to back it up to the /backup/ directory on the remote server.

First of all, install unison and its dependencies.

You can download unison here: http://www.cis.upenn.edu/~bcpierce/unison/

Here’s how to back up to the remote server using unison:

# unison /var/data/ ssh://remote-ip//backup/ -sshargs "-p 22" -owner -group -batch

Notes on -sshargs, -owner, -group and -batch:

-sshargs means we can use a non-standard ssh port, e.g. port 2222.

-owner means the local file owner attribute will be synchronized to the remote server.

-group means the local file group attribute will be synchronized to the remote server.

Done.