Open Port After Secure SSH Authentication

stvs

I'm looking for a method to open a specific server port to a specific client ip only when there is ssh authentication from that ip. This is in effect how VNC works over port 5900 if you demand ssh authentication.

What are the secure ways to accomplish this? Some kind of port knocking? A direct ssh command like

Code:
ssh server "sudo ipfw add allow tcp from 74.125.226.175 to any dst-port 2170 in"

(assuming in this instance that the ssh command comes from ip "74.125.226.175"). Neither of these suggestions is really what I'm asking for, because port knocking doesn't require ssh, and fiddling with ipfw rules over ssh requires remote root control, which is bad. The correct solution would be greatly appreciated. And while I'm asking for stuff, a 12-hour timeout on the open port would be great too.

FWIW, one app I want this for is secure EyeTV sharing. I love my EyeTV and its remote sharing capability, but when you turn on EyeTV sharing, the entire world has access to port 2170 (EyeTV's "EyeConnect" app port) and can use your router bandwidth to watch your TV, or attack EyeTV looking for any buffer overflow insecurities or whatever. There is no ssh authentication for sharing EyeTV. This less-than-ideal security situation could be fixed if I had a method to open port 2170 in my server's firewall only via ssh authentication. I've tried a simple ssh tunnel solution, which does work in principle, but the video bandwidth requirements make this unworkable in practice, especially over 3G. Again, any help would be appreciated.
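One way to get the behaviour the post asks for (a port that opens to the authenticating client's address only, and closes again after 12 hours) without handing the remote user a root shell is to make the firewall change the forced command of a dedicated SSH key. The script below is an added example, not code from the original post or from EyeTV: it reads the client address from `SSH_CLIENT` (set by sshd from the real TCP peer, so it cannot be supplied by the client), accepts only a plain IPv4 address, adds one ipfw rule for that address, and queues an at(1) job that deletes the rule 12 hours later. The script path, the fixed rule number 2170, the sudoers entry limited to `/sbin/ipfw`, and an enabled atrun are all assumptions not stated on the page.

```shell
#!/bin/sh
# Added example, not code from the original post. Intended to run as the forced
# command of a dedicated SSH key: a successful login from a client opens TCP
# port 2170 to that client's source address only, and the rule is removed
# 12 hours later through at(1).
#
# Assumptions not stated on the page: the firewall is ipfw, sshd provides
# SSH_CLIENT, ipfw rule number 2170 is unused, a sudoers entry lets this login
# run /sbin/ipfw (and nothing else), and atrun is enabled.

PORT=2170          # EyeTV "EyeConnect" port from the post
RULE_NUM=2170      # fixed ipfw rule number so the rule can be deleted later (assumption)
TTL_HOURS=12       # the 12-hour lifetime asked for in the post

# Take the client address from SSH_CLIENT ("ip port serverport"), which sshd
# sets from the actual TCP peer, and accept only a dotted-quad IPv4 address.
# Anything else fails, so no untrusted text ever reaches the ipfw command line.
# Prints the address on success, returns 1 otherwise.
client_ip_from_ssh_client() {
    set -- $1
    ip=${1:-}
    case "$ip" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.
    set -- $ip
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Build the single ipfw rule that admits one client to the EyeTV port.
ipfw_allow_rule() {
    printf 'ipfw add %s allow tcp from %s to any dst-port %s in\n' \
        "$RULE_NUM" "$1" "$PORT"
}

# Build the at(1) job body that closes the port again after TTL_HOURS.
ipfw_expiry_job() {
    printf 'sudo ipfw delete %s\n' "$RULE_NUM"
}

main() {
    ip=$(client_ip_from_ssh_client "${SSH_CLIENT:-}") || {
        echo "refusing: SSH_CLIENT does not carry a valid IPv4 address" >&2
        exit 1
    }
    # sudo is confined by sudoers to ipfw (assumption); the login never gets a shell.
    sudo $(ipfw_allow_rule "$ip")
    ipfw_expiry_job | at "now + $TTL_HOURS hours"
    echo "port $PORT open to $ip for $TTL_HOURS hours"
}

# Act only when invoked as the forced command; sourcing the file does nothing.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The key that triggers it would carry an `authorized_keys` entry such as `command="/usr/local/sbin/open-eyetv-port.sh --run",no-port-forwarding,no-pty ssh-ed25519 ...` (path hypothetical), so the only thing that key can do on the server is run this script. Because several rules may share one ipfw rule number and `ipfw delete` removes all of them, a second client logging in within the window would have its access cut when the first client's expiry fires; giving each client its own rule number fixes that. On a pf-based system the two rule-building functions are the only parts that change.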