I do all the administrative work on my mother's debian desktop machine but since she lives approx. 150 km away I thought ssh could make life much easier for me. So the plan is to run sshd on my mother's computer and ssh on mine. I know how to set up an ssh client (it is already running on my machine and I can connect to a shell account) and I have read the man pages and this document on how to set up sshd:
Now these are my questions:
1. Is this a good how-to? It is only a few months old, but things are changing quickly in this area of IT and I don't want to end up with a completely insecure system. Can you recommend a better one or provide additional info on how to safely run sshd?
2. My mother's computer is connected via ADSL to a local ISP and doesn't have a static IP. dyndns.org seems to offer a (free) solution to that problem. Is this the service I need, or is there a better solution? Does this service cause any security issues?
As you can see, I don't know much about what I'm trying to do, so any help would be greatly appreciated!
stimpy
Last edited by stimpsonjcat; 08-03-2005 at 11:30 AM.
dyndns.org + sshd is actually a pretty good way to remote access / admin a Linux system at home. You would need to ensure that your sshd is up to date to close any known security holes, and make sure that port 22 is open in the firewall / router on the client side. You'll also want to ensure that all user accounts on the system are using strong passwords.
Security concerns aside though, you can actually tunnel just about anything through an SSH session, so there's not a lot you can't do from a remote admin standpoint once you're connected.
One thing that you can do with SSH is use public/private key pairs for authentication. I don't know if there's a way to prevent password based authentication though, I've never stopped to look myself.
I set up a dyndns.org account and I think it worked. At least I was able to ssh into my own machine (as a different user).
Now I would like to set up the hosts.allow and hosts.deny files properly. As I understand it, I want the entry in hosts.deny to read
Code:
ALL: ALL
and put the allowed host in - well, hosts.allow!
I tried with
Code:
sshd: [MY IP]
and it worked. But my IP is not static, so I tried
Code:
sshd: myhostname.dyndns.org
which didn't work. I don't like to allow all hosts but it looks like this is the only solution?
Quote:
I don't know if there's a way to prevent password based authentication though, I've never stopped to look myself.
There is an option in ssh_config: you need to set PasswordAuthentication no. As I understand it, key-based authentication is more secure anyway because it requires the user to provide something he knows AND something he has. Additionally, some users' passwords are very weak.
Never tried restricting the hosts with sshd, but from what I remember of doing the same with Apache, the allow and deny are all IP ranges. You could effectively at least limit it to those IPs that are valid for your ISP.
You can use firewall rules and also limit access based on an IP range in hosts.allow and hosts.deny. Have a look at this document.
Thanks TigerOC for that link. I understand the concept of the firewall rules, but I'm not used to iptables (I use guarddog). Probably I just don't get the syntax: what does this 192.168.0.0/255.255.255.0 (for example) exactly mean?
In guarddog there is a possibility to set up my own "zones" with special rules for the IP addresses I specify in these zones. I'd like to do it that way and set up an "ssh" zone which allows ssh login for certain IPs, but I don't know what IP addresses/range to put in there. It seems like my ISP adds its hostname to every (dynamic) IP address, so it looks like this:
my-ip.providershostname.com
Can I just allow providershostname.com for ssh, or does it have to be an IP range? (I would have to call my ISP and ask for the actual numbers, right?)
If you do a whois search on your ISP it will list the range of IP addresses the ISP has and then you can use this range in hosts.allow or in the firewall rules. The IP number given in the example is in the format <private-ip_address>/<subnet address>. Sorry I am definitely not an expert on iptables. I use Monmotha's firewall script but have never really got into the technicalities of their use (which I should have).
Thank you very much, TigerOC
This seems to be much harder than I thought it would be. The whois search didn't return the results I needed, but I'll call the ISP and hope they will tell me. So let's say the range is
81.72.0.0 - 81.73.255.255
Is it correct then to write
81.72.0.0/255.254.0.0 (according to my calculations, this should be equal to
81.72.0.0/15)?
Is this correct?
If I create a new zone named "ssh" in guarddog, I will have to open port 22 for the "ssh" zone and link it to "local", right? the guarddog documentation is not very helpful in this regard.
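The subnet-mask arithmetic asked about above, worked through as an added example (not code from the thread or from guarddog): it collapses an inclusive ISP address range into CIDR blocks, renders them in the netmask form tcp_wrappers accepts and the prefix form iptables accepts, and checks which client addresses such a rule would admit. The range 81.72.0.0 - 81.73.255.255 is the one from the post; a real ISP range would come from whois or the provider.

```python
"""Added example: from an IP range to hosts.allow / iptables rules.
Uses only the Python standard library (ipaddress)."""
import ipaddress


def range_to_networks(first: str, last: str) -> list:
    """Summarise an inclusive IPv4 range into the fewest CIDR blocks.
    81.72.0.0-81.73.255.255 is exactly one /15; a range that is not
    aligned on a power-of-two boundary yields several blocks."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(lo, hi))


def hosts_allow_rules(daemon: str, first: str, last: str) -> list:
    """hosts.allow lines in the 'net/mask' form tcp_wrappers understands
    (a dotted netmask, e.g. 255.254.0.0 for a /15)."""
    return [f"{daemon}: {net.network_address}/{net.netmask}"
            for net in range_to_networks(first, last)]


def iptables_rules(first: str, last: str, port: int = 22) -> list:
    """Equivalent ACCEPT rules in iptables CIDR prefix notation."""
    return [f"iptables -A INPUT -p tcp -s {net.with_prefixlen} "
            f"--dport {port} -j ACCEPT"
            for net in range_to_networks(first, last)]


def client_allowed(client_ip: str, first: str, last: str) -> bool:
    """Would a connection from client_ip be admitted by those rules?"""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in range_to_networks(first, last))


if __name__ == "__main__":
    # Constructed sample range taken from the post above.
    FIRST, LAST = "81.72.0.0", "81.73.255.255"
    for line in hosts_allow_rules("sshd", FIRST, LAST):
        print(line)                                   # sshd: 81.72.0.0/255.254.0.0
    for line in iptables_rules(FIRST, LAST):
        print(line)
    print(client_allowed("81.73.200.1", FIRST, LAST))  # True: inside the /15
    print(client_allowed("81.74.0.1", FIRST, LAST))    # False: just past it
```

Note that hosts.allow matches the connecting client's IP, so the block to allow is the ISP range the client dials in from, not the dyndns name of the server being protected.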
Problem solved.
In case someone gets here after searching for a similar problem, here's what I did:
For information about subnet masks: wikipedia
To avoid manual calculations: dnsstuff.org
guarddog: I don't know if I did this as it is meant to be, but it's working. I added a zone "ssh", put the IP address(es) in there (81.72.0.0/15) and connected the ssh zone with the local zone. Then in the "protocols" tab I permitted the ssh protocol to be served from "local" to clients in zone "ssh". That's it.
stimpy