
#1 2009-09-23 18:04:34

purple12
Member
Registered: 2008-08-16
Posts: 73

TCP Wrapper Access Control Question...

I'm even less than a Networking n00b, and I'm wondering....

I have a Comcast-allocated dynamic IP, and I've set up ssh access to my home box via DynDNS.com and it works great if I add a line in /etc/hosts.allow to permit connections from my router:

sshd : 192.168.1.1 : allow

By tailing auth.log, I noticed that these were getting blocked when I tried to login using the domain name from DynDNS.  But it seems trivially true that having this line in the allow file is not a good idea...right?  I want to have ssh access to the box, but I also want to keep things at least reasonably locked down.  I'm running IPtables with a ruleset recommended for good security, and I set up port forwarding on the router to enable this to work.

OK...I'm ready to get hammered by gurus... smile

Last edited by purple12 (2009-09-24 00:46:57)


#2 2009-09-23 22:33:51

labox
Member
From: Sweden
Registered: 2009-01-06
Posts: 10

Re: TCP Wrapper Access Control Question...

Hello there!
Do you only want to allow ssh-connections from your router or all connections coming through it?

With that config in /etc/hosts.allow only connections from the router itself will be allowed. If connections through the router are what you want to achieve, there is a simpler way to describe the rules: allow all connections except the ones from your local net (this will hardly enhance security, but you may have your reasons). In any case, you can set the tcpwrapper rules to allow all connections and let IP-tables handle the security (if IP-tables was installed on the box and not the router, that is).


#3 2009-09-23 23:43:14

purple12
Member
Registered: 2008-08-16
Posts: 73

Re: TCP Wrapper Access Control Question...

lb...
Thanx for the reply. 
Yes, my local nw is just my router and my Linux box, which I'd like to be able to access from remote locations without compromising security.  It sounds like you're saying I'm OK leaving the above ALLOW rule in place and just letting IPTables (which is installed on the Linux box) handle intrusions / port security....yes?
Thanx again!


#4 2009-09-23 23:55:48

labox
Member
From: Sweden
Registered: 2009-01-06
Posts: 10

Re: TCP Wrapper Access Control Question...

Ok, so if you want to be able to connect from places outside your network you cannot leave that configuration for tcpwrapper. Since a remote location can be any IP/hostname, you probably want to set /etc/hosts.allow to "sshd: ALL".

Edit:

Just to clarify, the configuration you've got at the moment will only allow ssh connections initiated from the router (an ssh client on the router), NOT connections from outside, e.g. the rest of the world.

Last edited by labox (2009-09-24 00:01:30)


#5 2009-09-24 00:41:01

purple12
Member
Registered: 2008-08-16
Posts: 73

Re: TCP Wrapper Access Control Question...

hmm...weird.  With the current config I have no problem getting ssh-connected from a terminal on my box using the host/domain I created with the dynamic DNS mapping service (DynDNS) http://www.dyndns.com/

<username>@<hostname.domain>

Is there a reason to think this won't work from any Internet-connected box?

thanks


#6 2009-09-24 05:15:34

labox
Member
From: Sweden
Registered: 2009-01-06
Posts: 10

Re: TCP Wrapper Access Control Question...

Hmm, yes, that is indeed strange. I was under the impression that tcpwrapper looked for the source IP. Didn't you say your connections got dropped?

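The question labox raises here (does tcpwrapper match on the source IP?) is easiest to settle by walking through the hosts_access(5) rules on concrete addresses. The evaluator below is an added example written for this thread, not code from the thread or from the tcp_wrappers package; it re-implements the documented lookup order (hosts.allow first, then hosts.deny, otherwise grant) for a subset of the client syntax (ALL, exact IPv4 address, dotted prefix such as `192.168.1.`, net/mask pair, and EXCEPT) plus the trailing `allow`/`deny` option used in purple12's rule. The sample files and source addresses are constructed; 203.0.113.5 stands in for an arbitrary Internet client. The assumption that a connection to the DynDNS name from inside the LAN arrives with the router's own address (NAT loopback rewriting the source to 192.168.1.1) is an assumption about purple12's router, offered as the most plausible reading of why the original rule worked from home.

```python
"""Added example: offline evaluator for a subset of hosts_access(5) semantics.

Not supported on purpose: hostname patterns, `user@host` forms, `LOCAL`,
`KNOWN`/`UNKNOWN`/`PARANOID`, backslash line continuations, and options
other than `allow` / `deny`. Real rule files should still be checked with
the tcp_wrappers tool `tcpdmatch daemon client`.
"""
import ipaddress


def _ip_matches(pattern: str, ip: str) -> bool:
    """Match one client pattern against a source IPv4 address string."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network((net, mask), strict=False)
        return ipaddress.IPv4Address(ip) in network
    if pattern.endswith("."):  # dotted prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    return ip == pattern  # exact address (hostnames never match here)


def _match_list(pattern_list: str, matcher) -> bool:
    """Evaluate `list_1 EXCEPT list_2`: match list_1, then subtract list_2.
    `a EXCEPT b EXCEPT c` nests to the right, as hosts_access(5) describes."""
    parts = pattern_list.split(" EXCEPT ", 1)
    left = any(matcher(p) for p in parts[0].split())
    if not left or len(parts) == 1:
        return left
    return not _match_list(parts[1], matcher)


def _daemon_matches(pattern_list: str, daemon: str) -> bool:
    return _match_list(pattern_list, lambda p: p == "ALL" or p == daemon)


def parse_rules(text: str):
    """Parse `daemon_list : client_list [: option]` lines; `#` starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((fields[0], fields[1], option))
    return rules


def hosts_access(daemon: str, client_ip: str, hosts_allow: str, hosts_deny: str) -> bool:
    """Return True if tcp_wrappers would grant the (daemon, client) pair.

    Lookup order: the first matching rule in hosts.allow grants, then the
    first matching rule in hosts.deny refuses, otherwise access is granted.
    An explicit `allow` / `deny` option overrides the file's default verdict.
    A missing or empty file matches nothing, so with no hosts.deny at all an
    `allow` file restricts nobody.
    """
    for text, default in ((hosts_allow, True), (hosts_deny, False)):
        for daemons, clients, option in parse_rules(text):
            if _daemon_matches(daemons, daemon) and _match_list(
                clients, lambda p: _ip_matches(p, client_ip)
            ):
                if option == "allow":
                    return True
                if option == "deny":
                    return False
                return default
    return True


# Constructed sample files modelled on the thread.
HOSTS_ALLOW_ORIGINAL = "sshd : 192.168.1.1 : allow\n"      # purple12's rule
HOSTS_ALLOW_OPEN = "sshd : ALL\n"                           # labox's suggestion
HOSTS_ALLOW_NOT_LAN = "sshd : ALL EXCEPT 192.168.1.\n"      # "all except the local net"
HOSTS_DENY = "ALL : ALL\n"                                  # common default-deny companion


def demo():
    """Verdicts for the scenarios discussed in the thread."""
    return {
        # Assumed NAT loopback: the LAN-side test arrives as the router's address.
        "router -> original rule": hosts_access("sshd", "192.168.1.1", HOSTS_ALLOW_ORIGINAL, HOSTS_DENY),
        "internet -> original rule": hosts_access("sshd", "203.0.113.5", HOSTS_ALLOW_ORIGINAL, HOSTS_DENY),
        "internet -> sshd: ALL": hosts_access("sshd", "203.0.113.5", HOSTS_ALLOW_OPEN, HOSTS_DENY),
        # Without any hosts.deny, the original rule restricts nothing.
        "internet -> original rule, no hosts.deny": hosts_access("sshd", "203.0.113.5", HOSTS_ALLOW_ORIGINAL, ""),
        "router -> ALL EXCEPT lan": hosts_access("sshd", "192.168.1.1", HOSTS_ALLOW_NOT_LAN, HOSTS_DENY),
    }


if __name__ == "__main__":
    for scenario, granted in demo().items():
        print(f"{scenario:45s} {'granted' if granted else 'refused'}")
```

The fourth scenario is the check worth running against a real box: a hosts.allow entry on its own only grants, so `sshd : 192.168.1.1 : allow` blocks Internet clients only when a hosts.deny rule (typically `ALL : ALL`) refuses everything not explicitly allowed. On a live system the same question is answered by `tcpdmatch sshd 203.0.113.5`, which reads the real files and reports the matching rule.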

#7 2009-09-25 03:34:10

purple12
Member
Registered: 2008-08-16
Posts: 73

Re: TCP Wrapper Access Control Question...

crap...I just tested this remotely, and it fails.  Can't even ping the address.  Oh well...back to the books.
Thanks for the help..I'm back at the office tomorrow, so I'll pester the networking guy.
smile


#8 2009-09-25 05:21:31

purple12
Member
Registered: 2008-08-16
Posts: 73

Re: TCP Wrapper Access Control Question...

SOLVED!
I had a remote friend test my original config using the '-p' flag to specify the higher port to which I'd moved ssh when originally setting up the port forwarding on my router, and everything worked great!  So now I can remote into the box from anywhere--my original goal (yay!).

I'm still a little unclear about the DynDNS service, and I recognize that until I have an actual IP change, the updating aspect of this service will not have actually been tested.   I installed ddclient from the Arch Community, and once installed, all I was asked to do was make some edits to /etc/ddclient/ddclient.conf.  Does it run daemonized? I don't see a process associated with it...oh well.  Time will tell.

Thanks labox
