LinuxQuestions.org
Old 08-03-2005, 11:27 AM   #1
stimpsonjcat
Member
 
Registered: Apr 2005
Location: switzerland
Distribution: debian etch
Posts: 99

Rep: Reputation: 15
dhcp and sshd - how?


Hello everybody

I do all the administrative work on my mother's debian desktop machine but since she lives approx. 150 km away I thought ssh could make life much easier for me. So the plan is to run sshd on my mother's computer and ssh on mine. I know how to set up an ssh client (it is already running on my machine and I can connect to a shell account) and I have read the man pages and this document on how to set up sshd:

now these are my questions:
1. is this a good how-to? It is only a few months old but things are changing quickly in this area of IT and I don't want to end up with a completely insecure system. Can you recommend a better one or provide additional info on how to safely run sshd?

2. My mother's computer is connected via ADSL to a local ISP and doesn't have a static IP. dyndns.org seems to offer a (free) solution to that problem. Is this the service I need or is there a better solution? does this service cause any security issues?

as you can see I don't know much about what I'm trying to do so any help would be greatly appreciated!
stimpy

Last edited by stimpsonjcat; 08-03-2005 at 11:30 AM.
 
Old 08-03-2005, 11:32 AM   #2
csdibiase
LQ Newbie
 
Registered: Oct 2003
Location: Cleveland, OH
Distribution: SuSE 9.3
Posts: 6

Rep: Reputation: 0
dyndns.org + sshd is actually a pretty good way to remote access / admin a linux system at home. You would need to ensure that your sshd is up to date to close any known security holes, and make sure that port 22 is open in the firewall / router on the client side. You'll also want to ensure that all user accounts on the system are using strong passwords.

Security concerns aside though, you can actually tunnel just about anything through an SSH session so there's not a lot you can't do from a remote admin standpoint once you're connected.

One thing that you can do with SSH is use public/private key pairs for authentication. I don't know if there's a way to prevent password based authentication though, I've never stopped to look myself.
 
Old 08-03-2005, 06:38 PM   #3
stimpsonjcat
Member
 
Registered: Apr 2005
Location: switzerland
Distribution: debian etch
Posts: 99

Original Poster
Rep: Reputation: 15
Thanks for the (very!) quick reply, csdibiase!

I set up a dyndns.org account and I think it worked. At least I was able to ssh into my own machine (as a different user)..

Now I would like to set up the hosts.allow and hosts.deny files properly. as I understand it, I want the entry in hosts.deny to read

Code:
ALL: ALL
and put the allowed host in - well, hosts.allow!
I tried with

Code:
sshd: [MY IP]
and it worked. but my IP is not static, so I tried

Code:
sshd: myhostname.dyndns.org
which didn't work. I don't like to allow all hosts but it looks like this is the only solution?

Quote:
I don't know if there's a way to prevent password based authentication though, I've never stopped to look myself.
there is an option in ssh_config, you need to set PasswordAuthentication no. as I understand it, key based authentication is more secure anyway because it requires the user to provide something he knows AND something he has. additionally, some users' passwords are very weak.
 
Old 08-03-2005, 09:53 PM   #4
csdibiase
LQ Newbie
 
Registered: Oct 2003
Location: Cleveland, OH
Distribution: SuSE 9.3
Posts: 6

Rep: Reputation: 0
Never tried restricting the hosts with sshd, but from what I remember of doing the same with Apache the allow and deny are all ip ranges. You could effectively at least limit it to those IPs that are valid for your ISP.
 
Old 08-04-2005, 03:41 AM   #5
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
You can use firewall rules and also limit access based on an ip range in hosts.allow and hosts.deny. Have a look at this document.
 
Old 08-04-2005, 10:21 AM   #6
stimpsonjcat
Member
 
Registered: Apr 2005
Location: switzerland
Distribution: debian etch
Posts: 99

Original Poster
Rep: Reputation: 15
Quote:
You can use firewall rules and also limit access based on an ip range in hosts.allow and hosts.deny. Have a look at this document.
thanks TigerOC for that link. I understand the concept of the firewall rules but I'm not used to iptables (I use guarddog). probably I just don't get the syntax - what does this 192.168.0.0/255.255.255.0 (for example) exactly mean?

In guarddog there is a possibility to set up my own "zones" with special rules for the IP addresses I specify in these zones. I'd like to do it that way and set up a "ssh" zone which allows ssh login for certain IPs but I don't know what IP addresses/range to put in there. it seems like my ISP adds his hostname to every (dynamic) IP address so it looks like this:

my-ip.providershostname.com

can I just allow providershostname.com for ssh or does it have to be an IP range? (I would have to call my ISP and ask for the actual numbers, right?)

thanks again
stimpy
 
Old 08-04-2005, 12:01 PM   #7
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
If you do a whois search on your ISP it will list the range of IP addresses the ISP has and then you can use this range in hosts.allow or in the firewall rules. The IP number given in the example is in the format <private-ip_address>/<subnet address>. Sorry I am definitely not an expert on iptables. I use Monmotha's firewall script but have never really got into the technicalities of their use (which I should have).
 
Old 08-09-2005, 06:10 AM   #8
stimpsonjcat
Member
 
Registered: Apr 2005
Location: switzerland
Distribution: debian etch
Posts: 99

Original Poster
Rep: Reputation: 15
Quote:
The IP number given in the example is in the format <private-ip_address>/<subnet address>. Sorry I am definitely not an expert on iptables.
Thank you very much, TigerOC
this seems to be much harder than I thought it would be. the whois search didn't return the results I needed but I'll call the ISP and hope they will tell me. so let's say the range is
81.72.0.0 - 81.73.255.255

is it correct then to write
81.72.0.0/255.254.0.0 (according to my calculations, this should be equal to
81.72.0.0/15)

is this correct?

If I create a new zone named "ssh" in guarddog, I will have to open port 22 for the "ssh" zone and link it to "local", right? the guarddog documentation is not very helpful in this regard.
 
Old 08-09-2005, 10:44 AM   #9
stimpsonjcat
Member
 
Registered: Apr 2005
Location: switzerland
Distribution: debian etch
Posts: 99

Original Poster
Rep: Reputation: 15
Problem solved.
In case someone gets here after searching for a similar problem, here's what I did:

for information about subnet masks: wikipedia
to avoid manual calculations: dnsstuff.org

guarddog: I don't know if I did this as it is meant to be but it's working. I added a zone "ssh", put the IP address(es) in there (81.72.0.0/15) and connected the ssh zone with the local zone. then in the "protocols" tab I permitted the ssh protocol to be served from "local" to clients in zone "ssh". that's it
stimpy
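
Added example, not part of the original thread: a Python check of the range-to-netmask calculation asked about in post #8 and used in post #9, which also prints the matching hosts.allow rule in the net/mask form from post #3. The function names and the second, unaligned range are constructed for illustration; only 81.72.0.0 - 81.73.255.255 and 192.168.0.0/255.255.255.0 come from the thread.

```python
import ipaddress

def range_to_networks(first, last):
    """Smallest list of CIDR blocks covering first..last (inclusive)."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    return list(ipaddress.summarize_address_range(lo, hi))

def describe(net):
    """Return (address/prefix, address/dotted-mask) for one block."""
    return (f"{net.network_address}/{net.prefixlen}",
            f"{net.network_address}/{net.netmask}")

def mask_to_prefix(net_and_mask):
    """Turn 'a.b.c.d/m.m.m.m' into the equivalent prefix length."""
    return ipaddress.IPv4Network(net_and_mask).prefixlen

def hosts_allow_line(daemon, nets):
    """One hosts.allow rule listing every block in net/mask form."""
    return f"{daemon}: " + " ".join(describe(n)[1] for n in nets)

def allowed(client, nets):
    """True if the client address falls inside any of the blocks."""
    addr = ipaddress.IPv4Address(client)
    return any(addr in n for n in nets)

# Range quoted in the thread.
ISP_RANGE = ("81.72.0.0", "81.73.255.255")
# Constructed range that does not fit one block, so it needs two rules.
UNALIGNED = ("81.72.0.0", "81.74.255.255")

if __name__ == "__main__":
    for label, rng in (("thread range", ISP_RANGE), ("unaligned", UNALIGNED)):
        nets = range_to_networks(*rng)
        print(label, [describe(n) for n in nets])
        print("  hosts.allow ->", hosts_allow_line("sshd", nets))
    nets = range_to_networks(*ISP_RANGE)
    # An address just outside the ISP block must not match.
    for client in ("81.73.200.5", "81.74.0.1"):
        print(client, "allowed" if allowed(client, nets) else "denied")
    print("192.168.0.0/255.255.255.0 is /%d"
          % mask_to_prefix("192.168.0.0/255.255.255.0"))
```

A range that is not aligned on a power-of-two boundary cannot be written as a single net/mask pair; the second case shows it splitting into two blocks rather than being rounded up to a wider one.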
 
Old 08-09-2005, 11:50 AM   #10
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Good man. You will have no difficulty with Linux because you show good common sense and the ability to research things. Well done!
 
  

