I'm even less than a Networking n00b, and I'm wondering....
I have a Comcast-allocated dynamic IP, and I've set up ssh access to my home box via DynDNS.com and it works great if I add a line in /etc/hosts.allow to permit connections from my router:
sshd : 192.168.1.1 : allow
By tailing auth.log, I noticed that these were getting blocked when I tried to log in using the domain name from DynDNS. But it seems trivially true that having this line in the allow file is not a good idea...right? I want to have ssh access to the box, but I also want to keep things at least reasonably locked down. I'm running IPtables with a ruleset recommended for good security, and I set up port forwarding on the router to enable this to work.
OK...I'm ready to get hammered by gurus...
Last edited by purple12 (2009-09-24 00:46:57)
Hello there!
Do you only want to allow ssh-connections from your router or all connections coming through it?
With that config in /etc/hosts.allow only connections from the router itself will be allowed. If only connections through the router are what you want to achieve, there is a simpler way to describe the rules: Allow all connections except the ones from your local net (this will hardly enhance security, but you may have your reasons). In any case, you can set the tcpwrapper-rules to allow all connections and let IP-tables handle the security (if IP-tables was installed on the box and not the router, that is).
lb...
Thanx for the reply.
Yes, my local nw is just my router and my linux box which I'd like to be able to access from remote locations without compromising security. It sounds like you're saying I'm OK leaving the above ALLOW rule in place and just letting IPTables (which is installed on the Linux box) handle intrusions / port security....yes?
Thanx again!
Ok, so if you want to be able to connect from places outside your network you cannot leave that configuration for tcpwrapper. Since a remote location can be any ip/hostname you probably want to set /etc/hosts.allow to "sshd: ALL".
Edit:
Just to clarify, the configuration you got at the moment will only allow ssh-connections initiated from the router (an ssh-client on the router), NOT connections from outside, e.g. the rest of the world.
Last edited by labox (2009-09-24 00:01:30)
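To make labox's point concrete, here is a small evaluator of hosts.allow / hosts.deny-style rules (an added example, not code from the thread or from tcpwrappers). It models only the subset discussed above: daemon lists, ALL, exact addresses, dotted prefixes, CIDR, EXCEPT, and a trailing allow/deny option; the sample files and the remote address 203.0.113.5 are constructed, and hosts.deny is assumed to contain "ALL : ALL".

```python
import ipaddress

# Constructed sample files: the thread's original rule, labox's suggestion,
# and a hosts.deny that blocks everything not explicitly allowed.
HOSTS_ALLOW_ORIG = "sshd : 192.168.1.1 : allow\n"
HOSTS_ALLOW_ALL = "sshd: ALL\n"
HOSTS_DENY = "ALL : ALL\n"

def _client_matches(pattern, ip):
    """One client pattern: ALL, a dotted prefix like '192.168.1.', a CIDR or
    net/mask network, or an exact address. Hostname patterns are not modelled."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def _list_matches(spec, ip):
    """Client list, optionally 'a b EXCEPT c d': some pattern before EXCEPT
    must match and none after it."""
    head, _, excl = spec.partition(" EXCEPT ")
    if not any(_client_matches(p, ip) for p in head.split()):
        return False
    return not any(_client_matches(p, ip) for p in excl.split())

def _first_match(text, daemon, ip, default):
    """Verdict of the first matching 'daemons : clients [: allow|deny]' line."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#")[0].split(":")]
        if len(fields) < 2 or not fields[0]:
            continue
        daemons, clients = fields[0], fields[1]
        if daemons != "ALL" and daemon not in daemons.split():
            continue
        if _list_matches(clients, ip):
            return fields[2] if len(fields) > 2 else default
    return None

def decide(hosts_allow, hosts_deny, daemon, ip):
    """tcpwrappers order: hosts.allow first, then hosts.deny, else allow.
    sshd is matched on the real source address; port forwarding on the router
    does not rewrite it, so a remote client never appears as 192.168.1.1."""
    for text, default in ((hosts_allow, "allow"), (hosts_deny, "deny")):
        verdict = _first_match(text, daemon, ip, default)
        if verdict:
            return verdict
    return "allow"
```

With the original rule a remote client is denied and only a connection sourced from the router's own address gets through; with "sshd: ALL" the remote client reaches sshd and the firewall on the box is what limits it.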
hmm...weird. With the current config I have no problem getting ssh-connected from a terminal on my box using the host/domain I created with the dynamic DNS mapping service (DynDNS) http://www.dyndns.com/
<username>@<hostname.domain>
Is there a reason to think this won't work from any Internet-connected box?
thankx
Hmm, yes, that is indeed strange. I was under the impression that tcpwrapper looked for the source ip. Didn't you say your connections got dropped?
crap...I just tested this remotely, and it fails. Can't even ping the address. Oh well...back to the books.
Thanks for the help..I'm back at the office tomorrow, so I'll pester the networking guy.
SOLVED!
I had a remote friend test my original config using the '-p' flag to specify the higher port to which I'd moved ssh when originally setting up the port forwarding on my router, and everything worked great! So now I can remote into the box from anywhere--my original goal (yay!).
I'm still a little unclear about the DynDNS service, and I recognize that until I have an actual IP change, the updating aspect of this service will not have actually been tested. I installed ddclient from the Arch Community, and once installed, all I was asked to do was make some edits to /etc/ddclient/ddclient.conf. Does it run daemonized? I don't see a process associated with it...oh well. Time will tell.
Thanks labox