Security Basics mailing list archives
RE: ssh login protection
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 2 Dec 2003 10:07:36 -0800
A while ago there was a 'Dynamic Hostname' solution. I believe it was called DynDNS. I've heard these services are still around, and a couple of buds use one for their ADSL (PPPoE) service to maintain a single address (whatever.someservice.com) even though their IP changes. After searching Google my first hit was (http://www.dtdns.com/index.cfm?fuseaction=info.hosts). You could use a solution like that, then just allow that hostname to gain access.

Another solution is to get a shell account at RootShell or SDF (my favorite, http://sdf.lonestar.org/). Then allow SSH from that server to yours. Personally I have a shell acct at a local ISP here in Reno (www.gbis.com) and just allow connections from their server IP addy.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Edmund [mailto:cc () belfordhk com]
Sent: Monday, December 01, 2003 7:17 PM
To: security-basics () securityfocus com
Subject: ssh login protection

Hi,

I was wondering if someone could clarify something for me.

I often ssh into two mail servers from dialup (thus dynamic IP) at home. Right now, I specify which IPs can ssh into the two machines, but for dynamic IPs, I can't do that unless I go crazy and allow xx.xx.xx.xx/16, which is not very secure.

But due to the importance of me needing to ssh to the servers, I've been 'slacking' off the security and allowing a certain range of IPs (those that I'm certain are from my ISP at home).

Can someone tell me if this is the appropriate way? Or do I allow any IPs from sshing?

The reason why I'm asking is that I'll be taking a holiday and believe I'll also need to ssh to the mail servers. I don't know the IPs ahead of time since where I'll be staying, it'll also be dynamically assigned.

Is there a solution to this problem?

I don't want to open the servers to attacks from any SSH-related issues that crackers would take advantage of.

Any help appreciated
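The dynamic-hostname approach suggested in this message, sketched as an added example that is not part of the original thread: a periodic job resolves the name and refreshes a file of allowed source addresses, keeping the last known-good list when the lookup fails or returns an implausible answer. The hostname, the file name, the blocked ranges and the `max_addrs` limit are assumptions, and how the firewall or access-control layer reads the file is left out.

```python
import ipaddress
import os
import socket
import tempfile

# Ranges a home dial-up/ADSL address should never resolve to (assumed policy).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def resolve_ipv4(hostname):
    """Return the IPv4 addresses the name currently maps to ([] on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, 22, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def next_allowlist(resolved, previous, max_addrs=2):
    """Return (allowlist, changed). Bad or empty answers keep the previous list."""
    good = set()
    for text in resolved:
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            return sorted(previous), False      # malformed answer: change nothing
        if any(ip in net for net in BLOCKED):
            return sorted(previous), False      # answer points somewhere implausible
        good.add(str(ip))
    if not good or len(good) > max_addrs:
        return sorted(previous), False          # lookup failed or record looks widened
    return sorted(good), sorted(good) != sorted(previous)

def write_atomic(path, addrs):
    """Replace the allowlist file in one step so a reader never sees half a file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(a + "\n" for a in addrs))
    os.replace(tmp, path)

if __name__ == "__main__":
    HOSTNAME = "home.dyndns.example"            # hypothetical dynamic hostname
    STATE = "ssh-allowlist.txt"                 # hypothetical file the firewall reads
    old = open(STATE).read().split() if os.path.exists(STATE) else []
    new, changed = next_allowlist(resolve_ipv4(HOSTNAME), old)
    if changed:
        write_atomic(STATE, new)
    print("allowlist:", new, "(updated)" if changed else "(unchanged)")
```

An allowlist built this way is only as trustworthy as the account that controls the dynamic DNS record, so it narrows who can reach sshd rather than replacing key-based authentication.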