Re: Finding IP Addresses (OT)
On Thursday 10 August 2006 19:18, beno wrote:
> Hi; I'm configuring my IP filter and I need to figure out what IP addresses I use (via SSH2) to contact my server.

If I understand correctly you are trying to set up your server's firewall to only allow connections from your home or office PC with a dynamic IP address.

Why not set up dynamic DNS for your IP address, and set up the server to allow connections from the particular hostname? If you use a DNS service, you can probably do that already, otherwise there's dyndns.com. There are dynamic DNS update tools for various platforms.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Finding IP Addresses (OT)
Olivier Nicole wrote:
> I'd advise you not to filter SSH by IP, that would be the best way to lock you out of your server.

I did that once :) No fun! But I'll be much more careful this time!

> Even if you find all the IPs used by your ISP, you cannot predict when the IP range will change, and it DOES change.

Hmmm. Worst-case scenario, the server farm would have access. Thinking...

> If you limit the IPs that can SSH to your server, you will not be able to log in when you are traveling and some urgent administration task needs to be performed. And the most urgent tasks must often be performed when traveling...

I *never* travel! I live in paradise, my needs are minimal and satisfied, and I have no reason to travel :)

> Set a strong password for your account (8+ characters, using upper and lower case letters, numbers and punctuation signs), do not allow SSH to the root account, enforce using sudo instead of su.

Never heard of sudo before. Looking it over, I don't understand how that would be beneficial in my case, since I'm the only one who really does anything on the machine. I could and should set it up for those occasions when I have others go in, however. Comments?

TIA,
beno

Re: Finding IP Addresses (OT)
beno wrote:
> Hi; I'm configuring my IP filter and I need to figure out what IP addresses I use (via SSH2) to contact my server. However, my ISP is DirecWay bouncing off a satellite. I've got a sample IP address from /var/log/messages and I'm sure over time I could collect a truckload, but I'd still miss some. Is there someplace on the Web that has those ranges of IP addresses posted that the big companies use? TIA,

whois

Look up the IP with whois; you'll get a network segment that has been delegated. Your ISP may have multiple such segments, but it gets you further faster than finding individual IPs.

Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9

Re: Finding IP Addresses (OT)
On 8/10/06, beno [EMAIL PROTECTED] wrote:
> Hi; I'm configuring my IP filter and I need to figure out what IP addresses I use (via SSH2) to contact my server. However, my ISP is DirecWay bouncing off a satellite. I've got a sample IP address from /var/log/messages and I'm sure over time I could collect a truckload, but I'd still miss some. Is there someplace on the Web that has those ranges of IP addresses posted that the big companies use?
> TIA,
> beno

Hi,

In Europe there is ripe.net. Try this command:

    # whois -h whois.ripe.net one.of.your.ips

Rgds,
Andreas

Re: Finding IP Addresses (OT)
On Thu, Aug 10, 2006 at 02:18:48PM -0400, beno wrote:
> Hi; I'm configuring my IP filter and I need to figure out what IP addresses I use (via SSH2) to contact my server. However, my ISP is DirecWay bouncing off a satellite. I've got a sample IP address from /var/log/messages and I'm sure over time I could collect a truckload, but I'd still miss some. Is there someplace on the Web that has those ranges of IP addresses posted that the big companies use?

In ipfw one can use the address "me" which means "address of any interface on this machine." I don't fully understand what you are trying to do but am guessing "me" or similar will be of help.

Another angle would be to "whois w.x.y.z" as that appears to be your current IP address. Stripping out the excess this line is of interest:

    NetRange: w.(x-1).0.0 - w.x.255.255

The above is one of possibly many IP blocks assigned to your ISP.

--
David Kelly N4HHE, [EMAIL PROTECTED]
Whom computers would destroy, they must first drive mad.

Re: Finding IP Addresses (OT)
Erik Nørgaard wrote:
> whois
>
> Look up the IP with whois; you'll get a network segment that has been delegated. Your ISP may have multiple such segments, but it gets you further faster than finding individual IPs.

Thanks. I also realized I should do the same for the Internet cafe I work at when the power's out. Since I live in the Dominican Republic (although bounce off a satellite that thinks I'm in the states), that's a little more problematic. What do you suggest? I tried these combinations with no luck:

    whois -c do verizon.net.do
    whois -d verizon.net.do

TIA.
beno

Re: Finding IP Addresses (OT)
beno wrote:
> Erik Nørgaard wrote:
>> Look up the IP with whois; you'll get a network segment that has been delegated. Your ISP may have multiple such segments, but it gets you further faster than finding individual IPs.
>
> Thanks. I also realized I should do the same for the Internet cafe I work at when the power's out. Since I live in the Dominican Republic (although bounce off a satellite that thinks I'm in the states), that's a little more problematic. What do you suggest? I tried these combinations with no luck:
>
>     whois -c do verizon.net.do
>     whois -d verizon.net.do

I'd go for IP/network lookup and not domains as these are more geographically fixed. Also, you can't be certain to get all the IPs by doing domain lookup as some may not be included.

I understand you want to restrict access to where you're likely to connect?

Networks are delegated by IANA and local registries. Some are then delegated to national registries or directly to major corps. Major corps and regional registries can be found here:

http://www.iana.org/assignments/ipv4-address-space

but this only lists /8 netblocks. From each regional registry, you can download lists of the delegated network addresses. For the Dom. Rep. you should find yourself under ARIN (www.arin.net), which includes US,

ftp://ftp.arin.net/pub/stats/arin/delegated-arin-latest

however, this doesn't show to whom it has been delegated.

In the end, combining the different info should help you: You know one IP, check which block it belongs to that has been assigned by ARIN and use whois to verify.

Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9

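Added example (not part of the thread and not any poster's code): the lookup described in the message above, finding which delegated block a known IP falls in, together with turning a whois NetRange line of the kind David Kelly quotes into CIDR prefixes for a filter rule. The sample records are constructed in the registries' pipe-separated delegated-statistics format and use private addresses; the function names are illustrative.

```python
import ipaddress

# Constructed sample in the RIR delegated-statistics format:
#   registry|cc|type|start|value|date|status   (value = address count for ipv4)
# Private addresses are used; this is not real registry data.
SAMPLE_DELEGATED = """\
2|arin|20060811|3|19700101|20060811|-0400
arin|*|ipv4|*|3|summary
arin|US|ipv4|10.20.0.0|768|20010101|assigned
arin|CA|ipv4|10.30.5.0|128|20020202|allocated
arin|US|ipv4|172.16.0.0|65536|20030303|assigned
"""

def delegated_blocks(text):
    """Yield (country, first, last) for every IPv4 record in the file."""
    for line in text.splitlines():
        f = line.split("|")
        # Skip comments, the version header and the per-type summary lines.
        if line.startswith("#") or len(f) < 7 or f[2] != "ipv4" or f[3] == "*":
            continue
        first = ipaddress.IPv4Address(f[3])
        yield f[1], first, first + int(f[4]) - 1

def find_block(ip, text):
    """Return (country, [CIDR networks]) for the block holding ip, else None."""
    addr = ipaddress.IPv4Address(ip)
    for cc, first, last in delegated_blocks(text):
        if first <= addr <= last:
            # A count need not be a power of two, so one record may need
            # several CIDR prefixes in the firewall rule.
            return cc, list(ipaddress.summarize_address_range(first, last))
    return None

def netrange_to_cidrs(line):
    """Convert a whois 'NetRange: first - last' line into CIDR networks."""
    first, last = (ipaddress.IPv4Address(p.strip())
                   for p in line.split(":", 1)[1].split("-"))
    return list(ipaddress.summarize_address_range(first, last))

if __name__ == "__main__":
    print(find_block("10.20.2.9", SAMPLE_DELEGATED))
    print(netrange_to_cidrs("NetRange:       10.6.0.0 - 10.7.255.255"))
```

The delegated file does not name the holder, so the prefix found this way still needs the whois check before it goes into an allow rule.
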
Re: Finding IP Addresses (OT)
Beno,

> I'm configuring my IP filter and I need to figure out what IP addresses I use (via SSH2) to contact my server.

I'd advise you not to filter SSH by IP, that would be the best way to lock you out of your server.

Even if you find all the IPs used by your ISP, you cannot predict when the IP range will change, and it DOES change.

If you limit the IPs that can SSH to your server, you will not be able to log in when you are traveling and some urgent administration task needs to be performed. And the most urgent tasks must often be performed when traveling...

Set a strong password for your account (8+ characters, using upper and lower case letters, numbers and punctuation signs), do not allow SSH to the root account, enforce using sudo instead of su.

That's the best way in the long run.

Olivier

Re: Finding IP Addresses (OT)
--On August 11, 2006 9:02:14 AM +0700 Olivier Nicole [EMAIL PROTECTED] wrote:

> Beno,
>
>> I'm configuring my IP filter and I need to figure out what IP addresses I use (via SSH2) to contact my server.
>
> I'd advise you not to filter SSH by IP, that would be the best way to lock you out of your server.
>
> Even if you find all the IPs used by your ISP, you cannot predict when the IP range will change, and it DOES change.
>
> If you limit the IPs that can SSH to your server, you will not be able to log in when you are traveling and some urgent administration task needs to be performed. And the most urgent tasks must often be performed when traveling...

You're making some assumptions that I don't think you can make. For example, I have a publicly accessible server at work that does not change IPs. So, even if nothing else will work, I can always get back in to my servers through that server. It's a form of a bastion host. Also, when I'm traveling, I can always get in through that server, so I never open up an IP from where I'm traveling.

His situation may be similar, who knows. He may also be as paranoid as I am. :-)

> Set a strong password for your account (8+ characters, using upper and lower case letters, numbers and punctuation signs), do not allow SSH to the root account, enforce using sudo instead of su.

All excellent suggestions, which he should implement, regardless of whether he also chooses to restrict access by IP.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/