Implement simple port knocking


zolee1
10-16-2005, 12:35 PM
I tried to have the support team implement what I saw here on the forum,

http://forums.powervps.com/showthread.php?p=3283

but first I was told:

Hi Zoltan,

That setup will not work with apf since apf uses different rules; also, it can have only 2 states: either 22 is closed or it is open.
Also, it is not secure to open up two new ports in order to secure ssh; a better method, we think, is to just change the default ssh port 22 to something else.
apf and bfd are already installed and running on your vps from the time we set up the vps for you.

Regards,
Veena
PowerVPS/Defender Support


I told Veena that I saw this post here in the forum, so I am sure it can be implemented. After that I got this message:


Hi Zoltan,

apf is installed; it is not a daemon and does not run as a daemon, but it is working indeed :) Please refer to http://rfxnetworks.org/apf.php for details on apf.

Yes, you are definitely welcome to implement it yourself; sorry, it is not something we support.

Regards,
Veena
PowerVPS/Defender Support


I just signed up last week with powerVPS, and I am very happy so far, even though we had some issues right at the beginning. The support is very quick and most of the time helpful, so I am glad I made the switch.
I am not an expert in Linux, I know the very basic stuff only.

Could anyone point me in the right direction where I can follow a step-by-step tutorial on how to implement this simplified port knocking? I am really concerned with security, and since I recommended to our company to switch and choose powerVPS, I would hate to lose credibility.

Thanks for all your help.

Zoltan

Zaf
10-16-2005, 04:21 PM
Hi Zoltan,
You are only in trouble when someone breaks into your ssh, not when they just try to break in and you keep getting those records in the log files. Selecting a random 4-digit port instead of 22 for ssh is really quite secure, as most here would agree.
But I would really like to see that port knocking thing to work. Guess we could keep xxxx as the SSH port and yyyy and yyyy+1 as the switch ports and keep all three of these open from APF as they are controlled by iptables.

Bogdan
10-16-2005, 04:36 PM
Hi Zoltan,

I think the best way to secure SSH is just to change the port as Veena already told you. With the port changed and with APF and BFD installed, the chances of you being hacked are slim (at least by brute force :) )

Bogdan

zolee1
10-16-2005, 04:41 PM
Hi Zaf,

Yes, I know that I am in trouble when someone breaks in, but to quote from another page: “I trust the deadbolt on my front door too. That doesn't mean I want guys lining up in the street trying random house keys.”
The support team changed my SSH port already to a 4-digit one, but it can be easily detected by port scanning.
“Guess we could keep xxxx as the SSH port and yyyy and yyyy+1 as the switch ports and keep all three of these open from APF as they are controlled by iptables.” Yes, this is almost what I would like to achieve, except that the SSH port would be closed by default.

I searched the net for detailed tutorials, but couldn’t find one. :(

Zaf
10-17-2005, 07:23 AM
“I trust the deadbolt on my front door too. That doesn't mean I want guys lining up in the street trying random house keys.” Well, there is a small difference here... you have 9999 doors to your house and each guy has to first find the right door and then the right key too, thus reducing the probability.
But I do agree with you and would really want to see that port knocking thing work as well. “Yes, this is almost what I would like to achieve, except that the SSH port would be closed by default.” What I meant to say is keep it open from APF only... but of course it would be blocked by iptables at all times except when it is opened by the trigger port.
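
The scheme Zaf describes above (SSH port xxxx blocked by iptables at all times, opened for the knocking address by trigger port yyyy and closed again by yyyy+1), as an added example that is not from the original thread, from APF, or from the linked post: a POSIX shell script that builds the iptables rules with the `recent` match. The ports 2222, 4000 and 4001, the chain name KNOCK and the 30-second window are assumed placeholders; the script prints the rules for review and loads them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Simplified port knocking with the iptables "recent" match.
# Assumed placeholder ports (xxxx / yyyy / yyyy+1 in the thread): SSH 2222,
# "open" knock 4000, "close" knock 4001; the chain name KNOCK is also assumed.
# The rules are printed for review; they are loaded only with APPLY=1 as root.

# knock_rules SSH_PORT OPEN_PORT CLOSE_PORT [WINDOW_SECONDS]
# Prints the iptables commands for one knock/ssh configuration.
knock_rules() {
    ssh_port=$1
    open_port=$2
    close_port=$3
    window=${4:-30}
    cat <<EOF
# fresh KNOCK chain, evaluated before anything APF put into INPUT
iptables -N KNOCK 2>/dev/null || true
iptables -F KNOCK
# existing SSH sessions stay up after the knock window expires
iptables -A KNOCK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SYN to the open port: remember the source address, then drop so the port still looks closed
iptables -A KNOCK -p tcp --syn --dport $open_port -m recent --name knock --set -j DROP
# SYN to the close port: forget the source address again
iptables -A KNOCK -p tcp --syn --dport $close_port -m recent --name knock --remove -j DROP
# SSH only from an address that knocked within the last $window seconds; everyone else is dropped
iptables -A KNOCK -p tcp --syn --dport $ssh_port -m recent --name knock --rcheck --seconds $window -j ACCEPT
iptables -A KNOCK -p tcp --dport $ssh_port -j DROP
# hook the chain in first position (remove a stale copy first so re-runs do not stack it)
iptables -D INPUT -j KNOCK 2>/dev/null || true
iptables -I INPUT 1 -j KNOCK
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    # load the reviewed rules (needs root and the iptables recent/conntrack modules)
    knock_rules "${SSH_PORT:-2222}" "${OPEN_PORT:-4000}" "${CLOSE_PORT:-4001}" | sh -e
else
    # dry run: show what would be loaded
    knock_rules "${SSH_PORT:-2222}" "${OPEN_PORT:-4000}" "${CLOSE_PORT:-4001}"
fi
```

As Zaf says, all three ports have to be allowed in APF's own configuration, because the KNOCK chain sits in front of APF's rules and is what actually drops them; from a port scan they still look closed, since both knock ports drop every packet and the SSH port drops anything from an address that has not knocked. Only the knocking source address is admitted, and only for the window, while the ESTABLISHED rule keeps a session alive after that. APF rebuilds the INPUT chain when it restarts, so the script has to be run again afterwards.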

zolee1
10-17-2005, 12:25 PM
Thanks. I keep researching and training myself a little bit so I feel brave enough to do this kind of adjustment.

Best,

Zoltan