#1 2009-01-10 08:38:42

pseudonomous
Member
Registered: 2008-04-23
Posts: 349

host.allow syntax, dyndns troubles

Hello Everybody,

I recently registered a couple of my computers that have roaming IP addresses w/ DynDNS so I can log into them remotely via ssh.

Of course, now that these machines are out there on the 'net I'm a bit worried about security. I've got a commercial firewall/router which I'm willing to trust for now (although I do eventually want to learn how to work with iptables), and I'm only allowing ssh connections to a non-standard port, and I'm allowing RSA key authentication only. So far so good.

However, I figure it's also good to set up some filtering in hosts.allow; the goal is to allow only my university's servers and my dyndns registered hosts to ssh in. But this is really confusing me. Google provides a man page for hosts.allow, which I've read; in a nutshell it says something like:

(note the names have been changed to protect the innocent servers)

sshd: .uni.edu

should allow any domain name ending in .uni.edu to ssh in to me. OK, this works, but somewhere else it says you can give a fully qualified domain like:

sshd: server.uni.edu

but this doesn't work for me, I've also tried:

sshd: .server.uni.edu

and

sshd: myuser@server.uni.edu

and these don't work. I've also tried using my school's public IP address, but that also didn't work.

Question 1: why not?

Okay, fine, I guess I can live with allowing my university's entire domain to try and ssh to me. It might even come in handy some time. But I can't get the dyndns stuff to work at all. I've tried:

sshd: .homedns.org

which doesn't work. I've also tried the form:

sshd: hostname.homedns.org

and

sshd: .hostname.homedns.org

and none of that works; I have to either ssh through the university or set

sshd: ALL

which of course is as insecure as you can get (of course, if I'm using key authentication only, this is hopefully not really that bad).

Now I've found a suggested workaround here:

edit: this link was the wrong one

http://www.forum.psoft.net/archive/inde … -5536.html

which I could try out, but I'm not so good with bash scripting, and I haven't written a cron job before. While this is potentially a good learning experience, I was wondering first if there was something I was missing in the way hosts.allow works that would let me just list the hostnames in hosts.allow, which would be followed by things magically working.

Thanks!

Last edited by pseudonomous (2009-01-10 19:16:16)


#2 2009-01-10 09:36:17

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: host.allow syntax, dyndns troubles

Read the man page on your system, not on the net, as they may not be the same. In this case, you want man 5 hosts_access, as tcp_wrappers does not include a hosts.allow man page, and you need to read the PATTERNS section carefully.


#3 2009-01-10 19:14:30

pseudonomous
Member
Registered: 2008-04-23
Posts: 349

Re: host.allow syntax, dyndns troubles

Thanks for pointing that out, but that man page still doesn't explain why something like:

sshd: .homedns.org

or even

sshd: .org

does not allow connections from my hostnames registered on dyndns.

Edit: by the way, I've got a script like the link above suggests, running as a cron job, so I guess I'm good to go, but I'd still like to know why stuff like above doesn't work.

Last edited by pseudonomous (2009-01-11 01:22:12)
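
The cron-job workaround mentioned in this thread, as an added example (not the script from the linked page and not the poster's own): tcp_wrappers compares hostname patterns with the name it gets from a reverse lookup of the connecting address, which for a dynamic-DNS host is normally the ISP's name rather than the DynDNS one, so the script resolves the name itself and keeps an address entry current. The marker comments, function names and the sample invocation are assumptions.

```shell
#!/bin/sh
# Added example. hosts.allow path, marker comments and function names are
# assumptions; it relies on hosts.deny already containing "sshd: ALL".

# First IPv4 address for a name, via the system resolver.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Accept only a dotted quad (octets 0-255), so empty or odd resolver output
# never reaches the access-control file.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# update_hosts_allow FILE HOST IP
# Rewrites the marker-delimited block for HOST so it holds "sshd: IP".
# Returns 0 if FILE changed, 1 if already current, 2 on a rejected address.
update_hosts_allow() {
    file=$1; host=$2; ip=$3
    valid_ipv4 "$ip" || return 2
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    {
        # Copy everything except this host's previous block.
        [ -f "$file" ] && awk -v b="# BEGIN dyn:$host" -v e="# END dyn:$host" \
            '$0 == b { skip = 1 } !skip { print } $0 == e { skip = 0 }' "$file"
        printf '# BEGIN dyn:%s\nsshd: %s\n# END dyn:%s\n' "$host" "$ip" "$host"
    } > "$tmp"
    if cmp -s "$tmp" "$file"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 644 "$tmp"        # mktemp creates 0600; libwrap clients must read it
    mv "$tmp" "$file"       # rename in the same directory: no half-written file
}

# Cron entry point: script /etc/hosts.allow hostname.homedns.org
if [ "$#" -eq 2 ]; then
    ip=$(resolve_ipv4 "$2") && update_hosts_allow "$1" "$2" "$ip"
fi
```

Between a change of address and the next cron run the old address stays allowed and the new one is refused, so the run interval bounds both windows.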
