LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-18-2009, 05:33 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Rep: Reputation: 33
/etc/hosts.allow : use dyndns-domain


I have installed denyhosts and want to make sure that I don't block out myself. So I would like to put my IP-address in /etc/hosts.allow.

Problem is I have a dynamic IP with my ISP. Could I use my DynDNS domain name in /etc/hosts.allow in stead of my ever changing IP-address ??
 
Old 08-18-2009, 05:53 AM   #2
mhernandez314
LQ Newbie
 
Registered: Aug 2009
Posts: 9

Rep: Reputation: 0
I guess you could, whenever that url is constant but a reverse lookup will return your current ip.
Other (less secure) option is to allow all traffic from the ip range your isp is giving to you.
 
Old 08-18-2009, 06:08 AM   #3
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by mhernandez314 View Post
Other (less secure) option is to allow all traffic from the ip range your isp is giving to you.
Really not secure I think... I reduce the possible attackers from millions to thousands .

A reverse lookup will occur when DenyHosts wants to put my IP-address in the blacklist... that's OK. It's not going to happen I think.

Last edited by jonaskellens; 08-18-2009 at 06:10 AM.
 
Old 08-18-2009, 09:29 AM   #4
mhernandez314
LQ Newbie
 
Registered: Aug 2009
Posts: 9

Rep: Reputation: 0
I would add your dynDNS hostname in hosts.allow, that should work.
 
Old 08-18-2009, 12:24 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
@jonaskellens: Just be careful with this. From the hosts_access(5) manpages:
Code:
WILDCARDS
       The access control language supports explicit wildcards:
       .......
       PARANOID
              Matches any host whose name does not match  its  address.   When
              tcpd  is built with -DPARANOID (default mode), it drops requests
              from such clients even before  looking  at  the  access  control
              tables.   Build  without  -DPARANOID  when you want more control
              over such requests.
Thus, if your installation has this default enabled, your scheme is not going to work. Be sure to test this out before relying on certain behaviour (and potentially locking yourself out).

The suggestion to lock things down to an ISP-issued IP range is fine (if you can determine that range correctly). You could take other steps to harden sshd -- e.g. using pubkey authentication.
 
Old 08-18-2009, 03:18 PM   #6
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by anomie View Post
You could take other steps to harden sshd -- e.g. using pubkey authentication.
I already use public key authentication. But DenyHosts blacklists those IP-addresses that try to brute force ssh-login.

When you read the tips they give on the internet, installing DenyHosts is often in the list.

They just always give the example of putting a static IP-address in hosts.allow to not lock yourself in (if you would be so stupid to give a bad password 5 times in a row in 1 minute).

I don't have a static IP-address...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to configure Sendmail + 1 dyndns.org free domain + Mysql for virtual server simon.unix Linux - Server 1 04-15-2009 01:23 PM
How to configure so I don't need to type domain name or FQDN for same domain hosts? lumix Linux - Newbie 1 05-22-2008 08:59 PM
ssh troubleshooting hosts dyndns infiniphunk Linux - Security 4 03-25-2007 03:54 PM
switching from dyndns to a real domain tw001_tw Linux - Networking 4 11-23-2004 01:00 AM
Virtual Hosts with Dynamic IP and dyndns.org lexton Linux - Networking 1 08-11-2004 05:06 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 12:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration