/etc/hosts.allow : use dyndns-domain

jonaskellens · 08-18-2009, 04:33 AM

I have installed denyhosts and want to make sure that I don't block out myself. So I would like to put my IP-address in /etc/hosts.allow.

Problem is I have a dynamic IP with my ISP. Could I use my DynDNS domain name in /etc/hosts.allow in stead of my ever changing IP-address ??

mhernandez314 · 08-18-2009, 04:53 AM

I guess you could, whenever that url is constant but a reverse lookup will return your current ip.
Other (less secure) option is to allow all traffic from the ip range your isp is giving to you.

jonaskellens · 08-18-2009, 05:08 AM

Quote:

Originally Posted by mhernandez314

Other (less secure) option is to allow all traffic from the ip range your isp is giving to you.

Really not secure I think... I reduce the possible attackers from millions to thousands

.

A reverse lookup will occur when DenyHosts wants to put my IP-address in the blacklist... that's OK. It's not going to happen I think.

mhernandez314 · 08-18-2009, 08:29 AM

I would add your dynDNS hostname in hosts.allow, that should work.

anomie · 08-18-2009, 11:24 AM

@jonaskellens: Just be careful with this. From the hosts_access(5) manpages:

Code:

WILDCARDS
       The access control language supports explicit wildcards:
       .......
       PARANOID
              Matches any host whose name does not match  its  address.   When
              tcpd  is built with -DPARANOID (default mode), it drops requests
              from such clients even before  looking  at  the  access  control
              tables.   Build  without  -DPARANOID  when you want more control
              over such requests.

Thus, if your installation has this default enabled, your scheme is not going to work. Be sure to test this out before relying on certain behaviour (and potentially locking yourself out).

The suggestion to lock things down to an ISP-issued IP range is fine (if you can determine that range correctly). You could take other steps to harden sshd -- e.g. using pubkey authentication.

jonaskellens · 08-18-2009, 02:18 PM

Quote:

Originally Posted by anomie

You could take other steps to harden sshd -- e.g. using pubkey authentication.

I already use public key authentication. But DenyHosts blacklists those IP-addresses that try to brute force ssh-login.

When you read the tips they give on the internet, installing DenyHosts is often in the list.

They just always give the example of putting a static IP-address in hosts.allow to not lock yourself in (if you would be so stupid to give a bad password 5 times in a row in 1 minute).

I don't have a static IP-address...