Locking Ubuntu to a web interface (SSH whitelist)

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
We are going to whitelist localhost (127.0.0.1) to our SSHD whitelist. This means only localhost is able to utilize SSH. This is especially useful if you only want the server itself to be logging in as root to make changes. This can be very powerful if you wrap the root user and SSH into a lovely web interface. Anything is possible! Install Nmap or ZMap for scanning, automatically build a mail server, or setup a cron to scp (securely move logs) to another server every midnight. Whatever you choose to do, this is all made easily possible using PHP and phpseclib.

1. Get the web and scripting ready:
Code:
apt install php php-common apache2 -y

Now I am picking phpseclib for SSH support, reasons why are here. You may download phpseclib via this page. I select direct link, then wget to Linux system.

2. Ready for the zip to be extracted to /var/www/html
Code:
apt install unzip -y

phpseclib comes in a zip, so we can now unzip example.zip

Thanks to useful examples shown here, we can test our localhost connection.

Simply create our admin.php file e.g. nano admin.php

Code:
<?php
include('Net/SSH2.php');

$ssh = new Net_SSH2('localhost');
if (!$ssh->login('root', '$4cUaa')) {
    exit('Login Failed');
}

echo $ssh->exec('pwd');
echo $ssh->exec('ls -la');
?>

If you want a more desirable view, just place <pre> all the way top, and </pre> bottom of PHP tags.

...

Now that we have established a proper localhost connection with root-elevated permissions, we have full control over the server using PHP.

Make a deny.php and allow.php file!

allow.php
Code:
<?php
include('Net/SSH2.php');

$ssh = new Net_SSH2('localhost');
if (!$ssh->login('root', '$4cUaa')) {
    exit('Login Failed');
}

echo $ssh->exec('echo "#sshd: ALL" > /etc/hosts.deny');
echo $ssh->exec('echo "#sshd: localhost" > /etc/hosts.allow');
?>

---

deny.php
Code:
<?php
include('Net/SSH2.php');

$ssh = new Net_SSH2('localhost');
if (!$ssh->login('root', '$4cU%?t*+6cGqnzT')) {
    exit('Login Failed');
}

echo $ssh->exec('echo "sshd: ALL" > /etc/hosts.deny');
echo $ssh->exec('echo "sshd: localhost" > /etc/hosts.allow');
?>

Want to lock down SSH? Simply execute your deny.php script, then run allow.php to allow connections again.

You could also do this with firewall rules for example.

In a sense, this could be a form of 2FA. Bookmark the allow.php on your phone, then make it redirect to deny.php after 10-30 seconds or so.

Lastly, these commands may be added to buttons with checkboxes/option buttons/text inputs/lists/combos.

---

Combining the above GUI-related options with a Bootswatch free theme could result in a beautiful web panel.

Once you get everything coming together, you may even want to implement a system for handling work or adding the ability to execute certain processes during specific times e.g. a cron scheduling system. Laravel has a beautiful scheduling system whereby it is called every minute, then checks if you have anything scheduled. There are also open source tools built by people to simplify scheduling jobs using PHP or you could just insert the cron entry using phpseclib.

The beauty in building systems is there is always more than one way. Find a way most efficient to you that does not compromise resources too heavily. For example, you would not build an entire house out of gold.

With the idea of scheduling being available, so long as you handle time synchronization/timezones/daylight savings properly, you could allow the customer(s) to only enable SSH or a VPN during work hours. I would highly recommend if building a system like this, to allow a proper API system with tokens for allowing all the systems to tie into a central control. In a sense, a legal botnet for controlling access.
 
Last edited:
Top