I keep a server online at home that has an SSH server. I have no idea if what I do is even remotely secure, but it makes me feel good, anyway...
steps:
1) I urge everyone that has access to the server to register some domain name at dyndns.org.
2) I then wrote a script that does the following:
2a) gets the /etc/hosts.allow file from that server from the other side of my internal firewall*.
2b) It then goes through the authorized users and their dyndns hostnames, and does a reverse lookup to get their current IP address.
2c) updates these current IP addresses in the /etc/hosts.allow file.
2d) replaces the now updated /etc/hosts.allow file on the ssh server.
3) repeat this every 1/2 hour.
The point here is to further restrict access at the IP level, but none of the users have static IPs. It seems to work, as I've never noticed any unauthorized access... MANY attempts, but none can get past that need to have the right IP thing.
*Since I'm running this from my home, I have a 'forward' firewall that blocks all port attempts but 80 and 22, routing them to the ssh server (also the only machine on that subnet), as well as blocks any 'local' IPs. I then have a 'rearward' firewall that has one address on the ssh server's subnet, and a separate subnet for the internal LAN. The only thing that ever comes back from that DMZ subnet is that /etc/hosts.allow file, and it is checked for changes against a known 'good' value.
If anyone else knows of any reason why this is an insane solution, please enlighten me...
***xposted to linuxsupport
