Open up firewall automatically to anybody who has successfully connected via SSH

6

1

I have a server which runs a few services. However, for security reasons, I configured the server so that nothing, except for SSH, is accessible from outside.

What I'd like to do instead, though, is to have the server allow access to all its services to anybody who has managed to successfully login via SSH (and once that person disconnects, close all the ports again, except for the SSH port which should remain open).

Is there a way to do this?

I'm using Arch Linux on the server and ufw to manage the firewall.

houbysoft

Posted 2013-01-24T21:55:37.947

Reputation: 4 276

I'd suggest moving this question to Stack Overflow, since it will require a script. Also, consider using http://www.portknocking.org/ for extra security

– Lizz – 2013-01-25T07:05:18.483

@Lizz: port knocking seems like a cool idea. I'm open to moving it (can't do that without a mod though). – houbysoft – 2013-01-25T08:34:20.120

Answers

0

I wrote a solution for this. It is not perfect, and improvements are welcome. Especially, I think that ~/.bash_logout doesn't get called if the connection dies, but I want the firewall to close itself in those cases too.

In any case, first of all, configure the sudoers file so that your user can run the ufw binary without entering a password.

Then, in ~/.bashrc:

# Only act on SSH logins; the client IP is the first field of SSH_CONNECTION
if [ -n "$SSH_CONNECTION" ]; then
    ip=${SSH_CONNECTION%% *}
    echo "=> Opening the firewall for $ip..."
    sudo ufw allow from "$ip"
    echo "=> Done."
fi

In ~/.bash_logout:

# Mirror of the login hook: remove the rule added for this client IP
if [ -n "$SSH_CONNECTION" ]; then
    ip=${SSH_CONNECTION%% *}
    echo "=> Closing the firewall for $ip..."
    sudo ufw delete allow from "$ip"
    echo "=> Bye."
fi

Again, though, this will only reclose the ports if you terminate your session properly. If somebody knows how to make it close whenever the connection quits / dies / whatever, please edit this answer with your solution.

houbysoft

Posted 2013-01-24T21:55:37.947

Reputation: 4 276

You can write a script that is executed by a cron job that will remove stale IPs from the firewall. Set it to run every five or ten minutes, and then, if a connection is lost, the permission for that IP will be removed within 5 or 10 minutes.

There is one problem with your script (and my suggestion too). What happens if the user logs in with two SSH connections (for example, to have two windows open) or if two users log in from the same IP (i.e. from a NAT)?

In truth, the best solution would be to set up a real VPN. – Moshe Katz – 2013-01-28T21:04:58.777

@MosheKatz: in those cases you'll just have to close both sessions at the same time, but yes, it's not perfect. I thought about cron, but how would you check for stale IPs? Is there a way to ask the ssh daemon if somebody's connected? – houbysoft – 2013-01-28T23:56:10.963

You can use who --ips to see who is currently logged in. You will need a list of IPs that you have allowed (you may be able to get this from ufw, or you may just keep it yourself using the login and logout scripts). Then, compare the list you have with the output of who and remove any IPs from the firewall (and the list) that aren't in the who output. – Moshe Katz – 2013-01-29T05:38:36.670

@MosheKatz: who --ips gives me unrecognized option '--ips'. I can do just who but that returns a long string containing the domain name, not the IP. There has to be an easier way to get the IPs directly? – houbysoft – 2013-01-29T06:51:59.033

Run man who to see the options you have. You seem to have a different version than I do. – Moshe Katz – 2013-01-29T12:02:29.273
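One way to implement the cron-based cleanup suggested in these comments, as an added example that is not code from the question or its answers: it assumes the "Anywhere ALLOW <ip>" layout of ufw status output, uses ss (iproute2) instead of who so that peer addresses come out as IPs rather than hostnames, and the function names and the crontab path are made up here.

```shell
#!/bin/sh
# Cron job (e.g. every 5 minutes, as root) that deletes "ufw allow from <ip>"
# rules whose IP no longer has an established SSH session.
# Assumed: ufw status prints rules as "Anywhere  ALLOW  <ip>", and
# ss (iproute2) is available to list peers; all function names are hypothetical.

# Print the source IP of every "Anywhere ALLOW <plain IPv4>" rule from
# ufw status text on stdin. Rules with a CIDR mask or a service in the
# To column (the SSH rule itself, admin-added network rules) are skipped.
allowed_ips() {
    awk '$1 == "Anywhere" && $2 == "ALLOW" &&
         $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3 }'
}

# Print each peer IPv4 of the established SSH sessions listed on stdin
# (ss output with the header already stripped; peer address is the last
# column). IPv4-mapped IPv6 peers such as [::ffff:10.0.0.9]:4000 are unwrapped.
session_ips() {
    awk '{ p = $NF; sub(/:[0-9]+$/, "", p); gsub(/[][]/, "", p);
           sub(/^::ffff:/, "", p); print p }' | sort -u
}

# IPs allowed in $1 but with no live session in $2 (both files sorted,
# one IP per line). An IP stays allowed while any session from it remains,
# so two windows from one host, or two users behind one NAT, share one rule.
stale_ips() {
    comm -23 "$1" "$2"
}

reconcile() {
    tmp=$(mktemp -d) || return 1
    ufw status | allowed_ips | sort -u > "$tmp/allowed"
    ss -tn state established '( sport = :22 )' | tail -n +2 \
        | session_ips > "$tmp/live"
    stale_ips "$tmp/allowed" "$tmp/live" | while read -r ip; do
        echo "=> Closing the firewall for $ip (no SSH session left)"
        ufw delete allow from "$ip"
    done
    rm -rf "$tmp"
}

# Only touch the firewall when invoked explicitly, e.g. from crontab:
#   */5 * * * * /usr/local/sbin/ufw-reap.sh --run
if [ "${1:-}" = "--run" ]; then
    reconcile
fi
```

Because the rule opens every port for the whole source address, a session from behind a NAT opens the services to everyone sharing that address until the last session from it ends, which is the limitation Moshe Katz points out above.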

1

You can put commands in ~/.bashrc; anything in there is executed each time a user logs in.

For your commands to only run when logging in via ssh (and not when logging in physically), you can test for the presence of the SSH_CONNECTION environment variable.

Bart Koopman

Posted 2013-01-24T21:55:37.947

Reputation: 436

Right, but I also need it to reclose the ports when the user logs out. I can't just put it in ~/.bash_logout because that doesn't get called if the connection just dies afaik. – houbysoft – 2013-01-25T17:16:50.380