FYI, I finally solved this by implementing port knocking. It's been around a long time, and it works fairly well, but it requires packages that are not present in the main or EPEL repos:
https://li.nux.ro/repos.html
Here are my personal notes for implementation - I hope they save someone else some time:
Info for CentOS 7 from a good article:
https://howtodoit.eu/protect-ssh-firewa ... os7-linux/
Will need to install the EPEL repo first. Then, can grab the repo from Nux Linux:
https://li.nux.ro/repos.html
Then, can install knock-server.
Better stop command to use (I set SSH to run on a non-standard port of, for example, 222 and created a firewalld service to match):
firewall-cmd --zone=public --remove-service=SSH-222 (when this is done, you will keep the SSH connection in use, but others will not be opened)
Return it with:
firewall-cmd --zone=public --add-service=SSH-222
Use this to ascertain the listening NIC and matching command:
firewall-cmd --get-active-zones
Receive:
public << zone to use
interfaces: p4p1 <<Interface to listen on
trusted
interfaces: blahblah
Then, check name of service:
firewall-cmd --zone=public --list-all
Receive:
public (active)
target: default
icmp-block-inversion: no
interfaces: p4p1
sources:
services: SSH-222 << service to stop/start
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
This worked:
/etc/knockd.conf
[options]
logfile = /var/log/knockd.log
interface = p4p1
[opencloseSSH]
sequence = 55555:udp,22222:tcp,44444:udp
seq_timeout = 3
start_command = firewall-cmd --zone=public --add-service=SSH-222
cmd_timeout = 30
stop_command = firewall-cmd --zone=public --remove-service=SSH-222
You will probably have to put the initial remove command in rc.local and chmod 0755 /etc/rc.d/rc.local
I.e., add firewall-cmd --zone=public --remove-service=SSH-222 to the end of rc.local to start the ssh service in "hidden" mode after rebooting.
Remember: systemctl enable knockd
On Ubuntu, install knockd to get knock command.
I have changed some numbers from what I've actually used on my servers, of course.
You will be able to run the knocking with the knock client. If needed, you can do it with nc.
So, you will run something like:
knock Myhost.system.com 55555:udp 22222:tcp 44444:udp
ssh -p 222 SuperSecret@Myhost.system.com
Good luck!
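To make the timing rules in the knockd.conf above concrete (sequence, seq_timeout, cmd_timeout, start_command, stop_command), here is an added illustration of how a knock daemon evaluates inbound packets. It is not the poster's code and not knockd's own source; it is a simplified model that tracks one half-finished sequence per source address, abandons it after seq_timeout, and runs stop_command cmd_timeout seconds after start_command. The packet trace and the 203.0.113.x / 198.51.100.x addresses are constructed for the example, and the timer work is done on each packet arrival rather than from a real timer.

```python
"""Simplified model of how a knock daemon such as knockd evaluates a sequence.

Added illustration, NOT knockd's own code. It models the settings used in the
post (sequence, seq_timeout, cmd_timeout, start_command, stop_command) so the
timing rules can be exercised offline with a constructed packet trace.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Knock = Tuple[int, str]  # (dst port, protocol), e.g. (55555, "udp")


def parse_sequence(spec: str) -> List[Knock]:
    """Parse a knockd.conf value such as '55555:udp,22222:tcp,44444:udp'."""
    knocks: List[Knock] = []
    for item in spec.split(","):
        port_s, _, proto = item.strip().partition(":")
        proto = proto.lower() or "tcp"  # knockd treats a bare port number as tcp
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol in {item!r}")
        port = int(port_s)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {item!r}")
        knocks.append((port, proto))
    return knocks


@dataclass
class KnockDaemon:
    sequence: List[Knock]
    seq_timeout: float  # seconds allowed for the whole sequence to complete
    cmd_timeout: float  # seconds after start_command until stop_command runs
    start_command: Callable[[], None]
    stop_command: Callable[[], None]
    # per-source progress: src -> (stage reached, time of first knock)
    attempts: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    open_until: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def tick(self, now: float) -> None:
        """Timer duties: drop stale half-sequences, run stop_command when the window closes.
        A real daemon would do this from a timer; this model does it on every packet."""
        for src, (stage, first_hit) in list(self.attempts.items()):
            if now - first_hit > self.seq_timeout:
                self.log.append(f"{src}: sequence timed out at stage {stage}")
                del self.attempts[src]
        if self.open_until is not None and now >= self.open_until:
            self.log.append("cmd_timeout reached, running stop_command")
            self.stop_command()
            self.open_until = None

    def packet(self, now: float, src: str, port: int, proto: str) -> None:
        """Feed one inbound packet (timestamp in seconds, source IP, dst port, protocol)."""
        self.tick(now)
        knock = (port, proto.lower())
        if knock not in self.sequence:
            return  # the daemon only captures the ports named in the sequence
        stage, first_hit = self.attempts.get(src, (0, now))
        if knock != self.sequence[stage]:
            # right port family, wrong order: this source starts over (simplified rule)
            if stage:
                self.log.append(f"{src}: wrong knock at stage {stage}, reset")
            self.attempts.pop(src, None)
            return
        stage += 1
        self.log.append(f"{src}: stage {stage}/{len(self.sequence)}")
        if stage < len(self.sequence):
            self.attempts[src] = (stage, first_hit)
            return
        self.attempts.pop(src, None)
        self.log.append(f"{src}: sequence complete, running start_command")
        self.start_command()
        self.open_until = now + self.cmd_timeout


def demo() -> Tuple[List[str], List[str]]:
    """Run a constructed packet trace through the post's settings; returns (commands run, log)."""
    actions: List[str] = []
    daemon = KnockDaemon(
        sequence=parse_sequence("55555:udp,22222:tcp,44444:udp"),
        seq_timeout=3, cmd_timeout=30,
        start_command=lambda: actions.append("firewall-cmd --zone=public --add-service=SSH-222"),
        stop_command=lambda: actions.append("firewall-cmd --zone=public --remove-service=SSH-222"),
    )
    # Constructed trace: (seconds, src, dst port, proto). Addresses are documentation ranges.
    trace = [
        (0.0, "203.0.113.5", 55555, "udp"),
        (0.5, "203.0.113.5", 22222, "tcp"),
        (1.0, "203.0.113.5", 44444, "udp"),    # third knock within 3 s: service is added
        (10.0, "198.51.100.9", 55555, "udp"),
        (20.0, "198.51.100.9", 22222, "tcp"),  # 10 s after its first knock: seq_timeout expired
        (31.5, "198.51.100.9", 44444, "udp"),  # 30 s after opening: stop_command has run
    ]
    for t, src, port, proto in trace:
        daemon.packet(t, src, port, proto)
    return actions, daemon.log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Running demo() shows the first source completing the sequence inside seq_timeout (start_command fires once), the second source losing its half-finished sequence after 3 seconds, and stop_command firing once the 30-second cmd_timeout has elapsed, which is the behaviour the rc.local remove command relies on to return the port to "hidden" mode.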