Security Basics mailing list archives
RE: ssh login protection
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 2 Dec 2003 10:07:36 -0800
A while ago there was a 'Dynamic Hostname' solution. I believe
it was called DynDNS. I've heard these services are still around, and a
couple of buds use one for their ADSL (PPPoE) service to maintain a
single address (whatever.someservice.com) even though their IP changes.

After searching Google, my first hit was
(http://www.dtdns.com/index.cfm?fuseaction=info.hosts). You could use a
solution like that, then just allow that hostname to gain access.

Another solution is to get a shell account at RootShell or SDF (my favorite,
http://sdf.lonestar.org/). Then allow SSH from that server to yours.
Personally I have a shell acct at a local ISP here in Reno
(www.gbis.com) and just allow connections from their server IP addy.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
-----Original Message-----
From: Edmund [mailto:cc () belfordhk com]
Sent: Monday, December 01, 2003 7:17 PM
To: security-basics () securityfocus com
Subject: ssh login protection
Hi,
I was wondering if someone could clarify something for me.
I often ssh into two mail servers from dialup (thus dynamic
IP) at home.
Right now, I specify which IPs that can ssh into the two
machines but for dynamic IPs, I can't do that unless I
go crazy and allow xx.xx.xx.xx/16, which is not very
secure. But due to the importance of me needing to ssh
to the servers, I've been 'slacking' off the security
and allowing a certain range of IPs (those that I'm
certain are from my ISP at home).
Can someone tell me if this is the appropriate way?
Or do I allow any IPs from sshing?
The reason why I'm asking is that I'll be taking
a holiday and believe I'll also need to ssh to the
mail servers. I don't know the IPs ahead of
time since where I'll be staying, it'll also be
dynamically assigned.
Is there a solution to this problem? I don't
want to open the servers to attacks from any
SSH-related issues that crackers would take
advantage of.
Any help appreciated
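
The hostname approach suggested in the reply above, as an added example that is not part of the original thread: iptables resolves a hostname in a rule only once, when the rule is added, so a periodic job has to re-resolve the dynamic name and swap the allowed address. The chain name `SSH_DYN`, port 22 and the documentation-range sample addresses are assumptions; the function only plans the commands, and running them (for example with `subprocess.run`) is left to the caller.

```python
import ipaddress
import socket

# Ranges a dial-up or hotel uplink should never resolve to. A record pointing
# here suggests a stale, misconfigured or tampered DNS entry, so it is ignored.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses the name resolves to right now."""
    infos = socket.getaddrinfo(hostname, 22, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def rule(action, chain, ip):
    """Build one iptables command (as an argv list) for a single source IP."""
    return ["iptables", action, chain, "-s", ip + "/32",
            "-p", "tcp", "--dport", "22", "-j", "ACCEPT"]


def plan_update(hostname, current_allowed, chain="SSH_DYN", resolver=resolve_ipv4):
    """Return (new_allowed, commands) so that `chain` matches the hostname.

    `chain` is a hypothetical dedicated chain that the INPUT chain jumps to
    for SSH traffic. On lookup failure or a rejected address the existing
    rules are kept, so a DNS outage does not lock the administrator out.
    """
    current = set(current_allowed)
    try:
        resolved = resolver(hostname)
    except OSError:                      # includes socket.gaierror
        return current, []
    wanted = set()
    for text in resolved:
        addr = ipaddress.ip_address(text)
        if addr.version == 4 and not any(addr in net for net in BLOCKED):
            wanted.add(str(addr))
    if not wanted or wanted == current:
        return current, []
    # Add the new address before removing the old one to avoid a gap.
    commands = [rule("-A", chain, ip) for ip in sorted(wanted - current)]
    commands += [rule("-D", chain, ip) for ip in sorted(current - wanted)]
    return wanted, commands
```

Anyone who can change the DNS record can move the allowed address, so this narrows exposure rather than replacing SSH authentication.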
