On Mon, 30 Apr 2001, Stuart Clark wrote:
> /etc/hosts.allow
> ssh: all
>
> Is this a good idea, or should I consider something like this?
>
> /etc/hosts.allow
> ssh: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx
>
First of all, I'm assuming that you have hosts.deny with:

ALL: ALL

Now, the theory is to allow back in only users from systems whose users
you sort of trust, or systems from which you will need access yourself.
Why? Because theoretically it would keep some crackers from doing an
ssh password brute-force attempt to get in.

You don't have to list every machine explicitly in hosts.allow; you can
also list subnets of machines:

ssh: LOCAL, localhost, .duke.edu, 152.3.

would allow all machines with DNS names which end in .duke.edu and any
machines with IP numbers that start with 152.3 to have access via ssh,
as well as ssh's from your own machine to itself. (You can list
individual services on the left side of the ":", or you can use the
keyword ALL.)

Well, that's all very good if every machine you would ever need to grant
access to was on one of a few subnets that you can specify cleanly in
hosts.allow. What if, however, you want to ssh into your machine at work
from your PC at home, which accesses the Internet via a dialup service (or
even a DSL service) such as AOL or Earthlink? Since your IP number is
static for most such services, you would have to open your machine up to
all of that ISP's users (well, they still need user name/password for ssh)
via ssh. Thus there can be practical problems, causing a conflict in your
goals: a more secure system versus convenient personal remote access.
You must decide.

There is one possibility these days: use a dynamic DNS registration
service (e.g. dyndns.org) to register your own machine's DNS name
(e.g. myownmachine.dyndns.org) with your new IP number each time you
get a new one by redialing and connecting to the Internet. Then you
could add myownmachine.dyndns.org to hosts.allow. To use such a service,
you have to re-register your new IP with your dynamic DNS service
provider. This can be automated by using a client program available from
the dynamic DNS service provider. There are several out there.
I personally have tried dyndns.org (http://www.dyndns.org).
***************************************************************************
Jerry Winegarden OIT/Technical Support Duke University
[EMAIL PROTECTED] http://www-jerry.oit.duke.edu
***************************************************************************
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
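Added example, to try the rules from this thread against sample clients offline: a simplified Python model of tcp_wrappers' hosts_access(5) matching. This is not code from the post and not tcp_wrappers itself; the rule files, client addresses and host names below are constructed. It covers the pattern forms the thread uses (ALL, LOCAL, a ".domain" suffix, a "152.3." address prefix, a net/mask pair, exact names and addresses) plus KNOWN/UNKNOWN, and the allow-then-deny evaluation order; netgroups, EXCEPT lists, option fields and the DNS lookups themselves are left out. Two practical points it makes visible: the daemon field must be the server's process name, which for OpenSSH is sshd rather than ssh, and a client that matches nothing in hosts.allow is let in unless hosts.deny catches it, which is why the ALL: ALL line matters. Also note that tcp_wrappers obtains the client name from a reverse (PTR) lookup of the connecting address and then confirms it with a forward lookup; a dynamic-DNS A record does not change the ISP's PTR record, so a hosts.allow entry naming myownmachine.dyndns.org will only match if the ISP's reverse zone agrees. The model therefore takes the resolved name as an input instead of looking it up.

```python
"""
Simplified model of tcp_wrappers hosts_access(5) matching.
Added example; not code from the post or from tcp_wrappers. All sample
rules and client data in this file are constructed for illustration.
"""
import ipaddress

UNKNOWN = ""   # reverse lookup failed; tcp_wrappers uses the literal "unknown"


def parse_file(text):
    """Return the rule lines of hosts.allow/hosts.deny style text.

    Blank lines and lines beginning with '#' are ignored, as in the real
    files. Backslash line continuation is not supported in this model.
    """
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def _tokens(field):
    """Split a daemon or client list on commas and/or whitespace."""
    return [tok for tok in field.replace(",", " ").split() if tok]


def client_matches(pattern, client_ip, client_name=UNKNOWN):
    """Does one client pattern match a connection from client_ip/client_name?"""
    p = pattern.lower()            # tcp_wrappers compares case-insensitively
    name = client_name.lower()
    if p == "all":
        return True
    if p == "known":
        return name != UNKNOWN
    if p == "unknown":
        return name == UNKNOWN
    if p == "local":               # a resolved name containing no dot
        return name != UNKNOWN and "." not in name
    if "/" in p:                   # net/mask form, e.g. 203.0.113.0/255.255.255.0
        try:
            network = ipaddress.IPv4Network(p, strict=False)
            return ipaddress.IPv4Address(client_ip) in network
        except ValueError:
            return False
    if p.startswith("."):          # hostname suffix; something must precede it
        return len(name) > len(p) and name.endswith(p)
    if p.endswith("."):            # leading address fields, e.g. "152.3."
        return client_ip.startswith(p)
    return p == name or p == client_ip    # exact hostname or address


def rule_matches(rule, daemon, client_ip, client_name=UNKNOWN):
    """Does a 'daemon_list : client_list [: options]' line match?"""
    fields = rule.split(":", 2)
    if len(fields) < 2:
        return False
    daemons, clients = fields[0], fields[1]     # a third (options) field is ignored
    if not any(d.lower() in ("all", daemon.lower()) for d in _tokens(daemons)):
        return False
    return any(client_matches(c, client_ip, client_name) for c in _tokens(clients))


def access_allowed(allow_rules, deny_rules, daemon, client_ip, client_name=UNKNOWN):
    """hosts.allow is searched first (match => allow), then hosts.deny
    (match => deny); if neither file matches, access is granted."""
    for rule in allow_rules:
        if rule_matches(rule, daemon, client_ip, client_name):
            return True
    for rule in deny_rules:
        if rule_matches(rule, daemon, client_ip, client_name):
            return False
    return True


# Constructed sample files. The daemon field is the server's process name.
HOSTS_ALLOW = parse_file("""
# trusted subnets plus the dynamic-DNS name of the home box
sshd: LOCAL, localhost, .duke.edu, 152.3.
sshd: myownmachine.dyndns.org
""")
HOSTS_DENY = parse_file("ALL: ALL\n")

if __name__ == "__main__":
    probes = [
        ("sshd", "152.3.10.20", "login.duke.edu"),        # campus host
        ("sshd", "10.0.0.5", "wks42"),                    # no dot in name -> LOCAL
        ("sshd", "192.0.2.77", "myownmachine.dyndns.org"),  # only if PTR says so
        ("sshd", "192.0.2.77", "dsl-77.example.net"),     # some other ISP customer
        ("sshd", "152.3.10.20", UNKNOWN),                 # address prefix still matches
        ("ftpd", "152.3.10.20", "login.duke.edu"),        # daemon not listed -> deny
    ]
    for daemon, ip, name in probes:
        verdict = access_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, ip, name)
        print(f"{daemon:5} {ip:15} {name or 'unknown':25} -> "
              f"{'allow' if verdict else 'deny'}")
```

Run it as a script to see the verdicts; to check that the ALL: ALL line is doing the work, call access_allowed with an empty deny list and the ISP customer is admitted.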