Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems. It's 100% free, no registration required.

I would like to disable the ssh server for certain times of the day. I would like to do this because I recently experienced a brute force compromise via ssh. Can crontab be used to enable/disable SSH?

If not, is there another way to disable ssh at certain times of the day?

Do you mean you want to control the ssh server? Or did you really mean control of a client? – roaima (yesterday)

What flavor of Unix are you wanting to do this on? – Don Simon (yesterday)

@DonSimon RHEL, but I also have some Ubuntu servers as well. – Android Addict (yesterday)

@roaima I want to prevent bots from constantly attacking. If SSH is only available at certain times in the day, I can minimize the attack vector. – Android Addict (yesterday)

See the below answer, but the real recommendation would be to set your sshd to only allow public-key access at a bare minimum. – Don Simon (yesterday)

5 Answers

Accepted answer:

Sure, just run whatever init scripts there are to stop and start the ssh daemon (e.g. /etc/init.d/ssh stop and /etc/init.d/ssh start) at appropriate times.

However, I'd suggest looking into fail2ban, portknocking, disabling password authentication and using only ssh keys, and the most secure way, two factor authentication with one time passwords.

Does this work with systemd, as used on RHEL, too? – roaima (yesterday)

@roaima No, use systemctl [start|stop] sshd instead. – nanny (yesterday)

@nanny that's what I thought. So this answer won't work for the situation the OP is in? – roaima (yesterday)

@roaima RHEL? You can easily do service sshd restart. – Hanky 웃 Panky (18 hours ago)

@HankyPanky good to know, but that's not what this answer offers, either. (Perhaps RadovanGarabik will update their answer to handle the more general case.) – roaima (17 hours ago)
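The comments above turn on which service manager the host runs. The script below is an added example, not code from the answer or from OpenSSH: it picks systemctl, service or the init script (detection order and the SSHD_SERVICE_MANAGER override are assumptions of this example), validates the hours, and emits a /etc/cron.d fragment that starts sshd at one hour and stops it at another.

```shell
#!/bin/sh
# Added example: cron-driven sshd window that works on systemd hosts
# (RHEL 7+, current Ubuntu), "service"-based hosts and init-script hosts.
# Assumptions: unit/service named "sshd" for systemd and service(8),
# init script /etc/init.d/ssh (Debian/Ubuntu naming), entries written for
# /etc/cron.d, which carries a user field ("root") unlike a user crontab.

# Name the service manager. SSHD_SERVICE_MANAGER=systemd|service|initd
# (assumed variable, this example only) skips detection so the logic can
# be exercised on any machine.
detect_service_manager() {
    if [ -n "${SSHD_SERVICE_MANAGER:-}" ]; then
        echo "$SSHD_SERVICE_MANAGER"
    elif command -v systemctl >/dev/null 2>&1; then
        echo systemd
    elif command -v service >/dev/null 2>&1; then
        echo service
    elif [ -x /etc/init.d/ssh ]; then
        echo initd
    else
        return 1
    fi
}

# Print the command that performs $1 (start|stop) on sshd for this host.
sshd_ctl_cmd() {
    action=$1
    case $(detect_service_manager) in
        systemd) echo "systemctl $action sshd" ;;
        service) echo "service sshd $action" ;;
        initd)   echo "/etc/init.d/ssh $action" ;;
        *)       echo "cannot find a service manager for sshd" >&2; return 1 ;;
    esac
}

# Accept an hour of day written as 0-23 (no leading zeros).
valid_hour() {
    case $1 in
        ''|*[!0-9]*|0[0-9]*) return 1 ;;
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 23 ]
}

# Emit cron entries: sshd starts at hour $1, stops at hour $2, every day.
ssh_window_crontab() {
    start=${1#0}; start=${start:-0}      # "08" -> "8", "0" stays "0"
    stop=${2#0};  stop=${stop:-0}
    valid_hour "$start" && valid_hour "$stop" || { echo "hours must be 0-23" >&2; return 1; }
    [ "$start" -ne "$stop" ] || { echo "start and stop hours must differ" >&2; return 1; }
    start_cmd=$(sshd_ctl_cmd start) || return 1
    stop_cmd=$(sshd_ctl_cmd stop) || return 1
    printf '# sshd listening only between %02d:00 and %02d:00 (generated)\n' "$start" "$stop"
    printf '0 %d * * * root %s\n' "$start" "$start_cmd"
    printf '0 %d * * * root %s\n' "$stop" "$stop_cmd"
}

# Usage: ssh-window.sh 8 18 > /etc/cron.d/ssh-window
if [ $# -eq 2 ]; then
    ssh_window_crontab "$1" "$2"
fi
```

Stopping the listener does not necessarily drop sessions that are already open; on systemd hosts that depends on the unit's KillMode, so test the stop job from a second session before relying on it. The stop entry also has no notion of "someone is still logged in", which is the failure mode the iptables answer below avoids by keeping ESTABLISHED traffic allowed.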

Instead of shutting down the SSH server during certain hours, consider using the pam_time module to deny authentication during certain times of the week. It's less of a hack, doesn't depend on cron, and also gives you more flexibility to define your authentication ruleset.

  • Set UsePAM yes in your sshd_config.
  • Edit /etc/pam.d/sshd to insert the pam_time module.
  • Write your time-restriction rules in /etc/security/time.conf.
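The three steps above as a script that builds the rule and checks the result. This is an added example, not part of the answer or of the pam_time module itself; it assumes the PAM service name is sshd (what OpenSSH registers), the default file locations below, and a Monday-to-Friday 08:00-18:00 window. The time.conf field order (services;ttys;users;times) and the day abbreviations accepted by the validator are those documented for pam_time.

```shell
#!/bin/sh
# Added example: pam_time setup for sshd, with a read-only check of all three
# steps. Paths are overridable (assumed variable names for this example).
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
PAM_SSHD=${PAM_SSHD:-/etc/pam.d/sshd}
TIME_CONF=${TIME_CONF:-/etc/security/time.conf}

# Effective value of an sshd_config keyword. Keywords are case-insensitive
# and sshd uses the first occurrence, so print the first non-comment match.
sshd_config_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# Validate a time.conf "times" field: optional "!", day abbreviations
# (Mo Tu We Th Fr Sa Su, Wk=weekdays, Wd=weekend, Al=all) followed by
# HHMM-HHMM, with further ranges joined by | (or) and & (and).
valid_time_spec() {
    days='(Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+'
    range="!?${days}[0-9]{4}-[0-9]{4}"
    printf '%s\n' "$1" | grep -Eq "^${range}([|&]${range})*\$"
}

# One time.conf rule: services;ttys;users;times. ttys is "*" because sshd
# logins carry no meaningful tty at the account stage.
pam_time_rule() {
    service=$1; users=$2; times=$3
    valid_time_spec "$times" || { echo "bad time spec: $times" >&2; return 1; }
    printf '%s;*;%s;%s\n' "$service" "$users" "$times"
}

# Line for /etc/pam.d/sshd. pam_time is an account module, so with UsePAM yes
# it gates public-key logins as well as password logins.
pam_time_line() {
    echo 'account    required     pam_time.so'
}

# Report which of the three steps are missing on the configured files.
check_pam_time_setup() {
    rc=0
    if [ "$(sshd_config_get "$SSHD_CONFIG" UsePAM 2>/dev/null)" != yes ]; then
        echo "step 1: UsePAM is not yes in $SSHD_CONFIG"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*account[[:space:]].*pam_time\.so' "$PAM_SSHD" 2>/dev/null; then
        echo "step 2: no pam_time.so account line in $PAM_SSHD"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*sshd;' "$TIME_CONF" 2>/dev/null; then
        echo "step 3: no sshd rule in $TIME_CONF"; rc=1
    fi
    return $rc
}

# Usage: run with no arguments to audit; append the two generated lines
# yourself once you are happy with them, e.g.
#   pam_time_line >> /etc/pam.d/sshd
#   pam_time_rule sshd '*' 'Wk0800-1800' >> /etc/security/time.conf
if [ $# -eq 0 ]; then
    check_pam_time_setup && echo "pam_time for sshd: all three steps present"
fi
```

Keep an out-of-hours path for yourself before enabling this: the users field takes negation, so a rule such as sshd;*;!admin;Wk0800-1800 leaves the admin account unrestricted, and a console login is unaffected because the rule names only the sshd service.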

There are a number of options available to you:

  1. You can use cron to switch the ssh server on and off
  2. You can use iptables to block and unblock the ssh port
  3. You can sidestep all of this by running ssh on a different port
  4. You can implement port knocking
  5. You can disable external access to ssh entirely and mandate use of a VPN

I'm sure other solutions are available, but I've stopped at five.

+1 for #3. Never run ssh on port 22, always change it. That will stop almost 100% of automated attacks. – Doyle Lewis (11 hours ago)

There is the time module for iptables:

iptables ... -m time --timestart TIME --timestop TIME --weekdays DAYS -j ACTION

Use -p tcp -j REJECT --reject-with tcp-reset to pretend the port is closed (the default action for REJECT is an ICMP packet).

I'd also add another rule in front, allowing ESTABLISHED connections through if I wanted open connections to remain working.

Compared to solutions using scripting to perform certain actions at certain times it has the great advantage that this is static configuration, and there are unlikely to be any failure modes that would e.g. permanently block access.
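The complete rule set the answer sketches, with the ESTABLISHED rule in front, as an added example that is not the answer's own: it uses the allow-list form (accept new connections only inside the window, reject everything else to the port), which avoids reasoning about a block window that crosses midnight. Assumptions: sshd on tcp/22 (SSH_PORT is a variable of this example), a Monday-to-Friday 08:00-18:00 window, and an INPUT chain whose other rules you manage separately. --weekdays and --kerneltz are the xt_time option names, and tcp-reset the REJECT target's reset option.

```shell
#!/bin/sh
# Added example: time-windowed ssh access as static iptables rules.
# Prints the rules by default; pass "apply START STOP" to execute them.
SSH_PORT=${SSH_PORT:-22}

# Accept only HH:MM in 24-hour form, which is what --timestart/--timestop take.
valid_hhmm() {
    printf '%s\n' "$1" | grep -Eq '^([01][0-9]|2[0-3]):[0-5][0-9]$'
}

# Print three rules: $1 window start, $2 window end, $3 --weekdays list.
ssh_window_rules() {
    start=$1; stop=$2; days=${3:-Mo,Tu,We,Th,Fr}
    valid_hhmm "$start" && valid_hhmm "$stop" || { echo "times must be HH:MM" >&2; return 1; }
    # 1. Sessions opened inside the window keep working after it closes.
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. New connections only inside the window. --kerneltz evaluates the
    #    times in the kernel's local timezone; without it xt_time uses UTC,
    #    a common reason for a window that "opens at the wrong hour".
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m time --timestart $start --timestop $stop --weekdays $days --kerneltz -j ACCEPT"
    # 3. Anything else to the port is answered with a TCP RST, so a scanner
    #    sees a closed port rather than an ICMP unreachable.
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j REJECT --reject-with tcp-reset"
}

if [ "${1:-}" = apply ]; then
    ssh_window_rules "${2:-08:00}" "${3:-18:00}" | sh -e
else
    ssh_window_rules "${1:-08:00}" "${2:-18:00}"
fi
```

Rule order matters: rule 1 must precede rule 3, and both must sit before any broader REJECT or DROP already in INPUT. Run the same three commands through ip6tables if the host is reachable over IPv6, since these rules only cover the IPv4 table.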


Look at the "fail2ban" log monitoring dæmon. It will use iptables to block access to your sshd from a specific IP address if there are more than 5 incorrect log-ins within a few minutes. However, it is IPv4 only.

Also, disable root logins; always use a bounce account.

If it's IPv4 only I'd better tell it to stop working for my IPv6 networking layer. (fail2ban can be used to run pretty much any command when a pattern matches in a log file.) – roaima (yesterday)
