TIP turn sshd on from php

From Gentoo Linux Wiki

This article is part of the Tips & Tricks series.


About

This tip shows how to make a php page that, together with a shell script, turns sshd on remotely. I found myself needing remote sshd only once in a great while, and I didn't want to set up a port knocking solution for something I rarely used. I include a php page you can put in your apache webspace, as well as the shell script that actually turns sshd on and off. I've made the defaults as easy to implement as possible.

When you load the php page in your browser, it writes the IP address of the client that requested the page to /tmp/start_sshd.tmp. The shell script, run from cron, checks whether this file exists, starts sshd, waits 5 minutes, then stops it again. This gives you a 5 minute window in which to connect to the server via ssh.

The PHP File

File: sshon.php
<?php

# set some variables
$TMPFILE = "/tmp/start_sshd.tmp";
$IP = $_SERVER["REMOTE_ADDR"];

# open the file for writing, suppressing errors (remove @ to see them)
if ($F = @fopen($TMPFILE, "w")) {
  # write the client's address to the file; sshon.sh reads it from there
  fputs($F, $IP);
  # close the file
  fclose($F);
}
?>
<html>
<body>
<br><br><br>
<center>
<!-- put whatever page text you want here -->
</center>
</body>
</html>
The Shell Script

File: sshon.sh
#!/bin/bash
# uses a lock file to prevent multiple copies running at the same time
TMPFILE="/tmp/start_sshd.tmp"
LOGFILE="/var/log/start_sshd.log"
LOCKFILE="/tmp/start_sshd.lck"
# how long sshd stays up; named WINDOW because bash reserves SECONDS for its own counter
WINDOW="300"
DATE=$(date)

if [ -s "${TMPFILE}" ] ; then
    # read the address the php page wrote (only once we know the file exists)
    IP=$(< "${TMPFILE}")
    # check for a lock file; with noclobber the create fails if it already exists,
    # so two copies cannot both get past this test
    if ( set -o noclobber; : > "${LOCKFILE}" ) 2>/dev/null ; then
        # write to the log
        echo "${DATE}: SSHD started from ${IP}" >> "${LOGFILE}"
        # remove the temp file
        rm -f "${TMPFILE}"
        # start sshd
        /etc/init.d/sshd start > /dev/null 2>&1
        # keep it up for WINDOW seconds
        sleep "${WINDOW}"
        # stop sshd again
        /etc/init.d/sshd stop > /dev/null 2>&1
        # remove the lock file to allow another copy to run
        rm -f "${LOCKFILE}"
    else
        # log multiple copy attempts
        echo "${DATE}: SSHD multiple copy attempt!" >> "${LOGFILE}"
        # remove temp file
        rm -f "${TMPFILE}"
    fi
fi

For those who have iptables running on the system, an additional layer of security may be implemented as follows:

Code: iptables commands

Add this line to your iptables script, or /etc/conf.d/local.start, so that port 22 on the external interface is dropped by default:

iptables -A INPUT -p tcp -i (EXTERNAL INTERFACE) --dport 22 -j DROP

Add this to the sshon.sh script right before the /etc/init.d/sshd start command, so only the address that loaded the page is let through:

iptables -I INPUT -p tcp -i (EXTERNAL INTERFACE) --dport 22 -s "${IP}" -j ACCEPT

And finally, add this after we stop sshd, to take that exception away again:

iptables -D INPUT -p tcp -i (EXTERNAL INTERFACE) --dport 22 -s "${IP}" -j ACCEPT
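The wiki's sshon.sh reads the trigger file straight into the iptables command line. Since /tmp is world-writable, anyone with a local account can create /tmp/start_sshd.tmp with arbitrary contents before the php page does, and an unquoted ${IP} is then word-split into extra iptables arguments. The following is an added example, not the wiki's script: a handler that validates the address as a dotted-quad IPv4 before using it, takes the lock atomically with mkdir instead of a check-then-touch, and composes the same open/close sequence as the script and the iptables section above. It runs in DRY_RUN mode by default, printing the commands instead of running them, so it can be exercised without root, sshd or a live firewall. The interface name, lock path and DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the wiki's own sshon.sh: a hardened handler for the
# trigger file. The interface name, lock path and DRY_RUN switch are assumptions.

EXT_IF="${EXT_IF:-eth0}"                      # assumed external interface
LOCKDIR="${LOCKDIR:-/tmp/start_sshd.lck.d}"   # assumed lock directory
WINDOW="${WINDOW:-300}"                        # seconds sshd stays up
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands instead of running them

# Accept only a dotted-quad IPv4 address with every octet in 0..255. Because
# /tmp is world-writable, the trigger file may contain anything; extra words
# such as "203.0.113.7 -j ACCEPT", a hostname or an IPv6 literal are rejected
# here rather than being word-split into the iptables command line.
validate_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # the subshell keeps the IFS change and the positional parameters local;
    # $1 is unquoted on purpose so it splits on the dots
    (
        IFS=.
        set -- $1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# mkdir either creates the directory or fails: there is no check-then-create race.
acquire_lock() { mkdir "$LOCKDIR" 2>/dev/null; }
release_lock() { rmdir "$LOCKDIR" 2>/dev/null; }

# Print the command in DRY_RUN mode, execute it otherwise. Arguments are passed
# as separate words, so the address can never be re-split by the shell.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Handle one trigger file: validate, lock, open the window for that address,
# close it again. Returns 1 for a rejected address and 2 while a window is
# already open; the trigger file is removed in every case.
handle_trigger() {
    trigger=$1
    ip=$(tr -d '[:space:]' 2>/dev/null < "$trigger")
    rm -f "$trigger"
    validate_ipv4 "$ip" || return 1
    acquire_lock || return 2
    run iptables -I INPUT -p tcp -i "$EXT_IF" --dport 22 -s "$ip" -j ACCEPT
    run /etc/init.d/sshd start
    run sleep "$WINDOW"
    run /etc/init.d/sshd stop
    run iptables -D INPUT -p tcp -i "$EXT_IF" --dport 22 -s "$ip" -j ACCEPT
    release_lock
}
```

To use it for real, run it from the root crontab exactly like sshon.sh with DRY_RUN=0 and EXT_IF set to the external interface; with the defaults it only prints what it would do, which is also a convenient way to check the rule text before the DROP rule from the iptables section goes in.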

Putting it together

  • Copy the php page into your Web space.
  • Copy the shell script into a file, like /usr/local/sbin/sshon.sh
  • Make the file executable only by root: chmod 700 /usr/local/sbin/sshon.sh
  • Add a cron entry for root:
File: crontab entry

* * * * * /usr/local/sbin/sshon.sh > /dev/null 2>&1

Now whenever you load the php page in the browser, sshd should start within a minute (the next cron run) and stay up for 5 minutes.
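The only record this setup keeps is /var/log/start_sshd.log, so that file is where you find out who opened a window and whether a trigger arrived while one was already open. As an added example, not part of the wiki tip, the functions below read a log in the exact format sshon.sh writes ("<date>: SSHD started from <ip>" and the "multiple copy attempt" line) and summarise it; the log lines and the allowlist of expected admin addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the wiki tip): an audit pass over the log that
# sshon.sh appends to. SAMPLE_LOG is constructed in the format the script writes.

SAMPLE_LOG='Mon Mar  3 10:00:01 UTC 2008: SSHD started from 203.0.113.7
Mon Mar  3 10:02:01 UTC 2008: SSHD multiple copy attempt!
Mon Mar  3 11:15:01 UTC 2008: SSHD started from 198.51.100.9
Mon Mar  3 11:30:01 UTC 2008: SSHD started from 203.0.113.7'

# Extract the address from every "SSHD started from" line, one per line.
window_sources() {
    printf '%s\n' "$1" | sed -n 's/^.*: SSHD started from \(.*\)$/\1/p'
}

# Print "<ip> <count>" for every address that opened an ssh window, most active first.
windows_by_ip() {
    window_sources "$1" | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $2, $1 }'
}

# Print addresses that opened a window but are not in the space-separated
# allowlist. Exit status 1 when any such address exists, so the function can
# drive an alert from cron or a monitoring check.
unexpected_sources() {
    log=$1; allow=$2; bad=0
    for ip in $(window_sources "$log" | sort -u); do
        case " $allow " in
            *" $ip "*) ;;                   # an expected admin address
            *) printf '%s\n' "$ip"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Count cron runs that found a trigger while a window was already open.
overlap_attempts() {
    printf '%s\n' "$1" | grep -c 'SSHD multiple copy attempt'
}

# Stand-alone run over the constructed log, with one address on the allowlist.
windows_by_ip "$SAMPLE_LOG"
unexpected_sources "$SAMPLE_LOG" "203.0.113.7" || echo "window opened from an unlisted address"
echo "overlapping triggers: $(overlap_attempts "$SAMPLE_LOG")"
```

Against a real log, replace SAMPLE_LOG with `$(cat /var/log/start_sshd.log)` and put your own addresses in the allowlist; a non-zero exit from unexpected_sources is the signal that the page was loaded by someone other than you.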

Notes

I recommend you don't use the default name for the php page, and you can edit the html portion to say whatever you'd like. Personally I make it look exactly like the 404 error page apache returns when you request a page that doesn't exist (don't forget to make it actually return a 404 HTTP response code). I used shorter alternate html for this wiki to keep the code brief.

The other, safer way is to create this page in a separate directory under htdocs and add a .htaccess file there, so that only you can access the page that creates the temp file.
