RE: ssh login protection

From: Tony Kava (securityfocus_at_pottcounty.com)
Date: 12/04/03

  • Next message: Fahr, Sam_at_HHSDC-SFIS: "RE: Ad-aware"
    To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
    Date: Thu, 4 Dec 2003 14:04:24 -0600 
    
    

    -----Original Message-----
    > From: Burak Bilen [mailto:bilen@metu.edu.tr]
    > Sent: Wednesday, 03 December, 2003 05:35
    > To: Edmund
    > Subject: Re: ssh login protection
    >
    > You could try a two-tier approach. Put an external server (a Pentium-133
    > is enough) between your mail servers and the world.
    > Then allow ssh access (disabling root access) to this external server
    > from all of the world. And configure your mail servers so that only the
    > external server is able to ssh to your mail servers.
    >
    > Edmund wrote:
    >
    > > Hi,
    > >
    > > I was wondering if someone could clarify something for me.
    > > I often ssh into two mail servers from dialup(thus dynamic
    > > ip) at home.
    > >
    > > Right now, I specify which IPs that can ssh into the two machines but
    > > for dynamic IPs, I can't do that unless I go crazy and allow
    > > xx.xx.xx.xx/16, which is not very secure. But due to the importance
    > > of me needing to ssh to the servers, I've been 'slacking' off the
    > > security and allowing a certain range of IPs (those that I'm
    > > certain are from my ISP at home).
    > > Can someone tell me if this is the appropriate way?
    > > Or do I allow any IPs from sshing?
    > >
    > > The reason why I'm asking is that I'll be taking
    > > a holiday and believe I'll also need to ssh to the
    > > mail servers. I don't know the IPs ahead of
    > > time since where I'll be staying, it'll also be
    > > dynamically assigned.
    > >
    > > Is there a solution to this problem? I don't
    > > want to open the servers to attacks from any
    > > SSH-related issues that crackers would take
    > > advantage of.

    There is another way to work around these issues. If you set up that single
    SSH machine, that still means you'll have to have a machine left open, and
    since it can access the other machines it may serve a potential intruder
    just as easily as it would serve you. I personally would not recommend
    exposing SSH on any public IP address. You would be better off setting up some
    form of encrypted tunnel (even CIPE or OpenVPN would work) from your home to
    work, and then you can SSH through the tunnel to these machines across your
    LAN.

    Of course you will still have to resolve the dynamic IP issue. Both CIPE
    and OpenVPN (for example) can work with a dynamic client, and your key would
    be the method of authentication. I would not personally rely only on a key
    for authentication so I would generally lock down the tunnel to a specific
    IP address, but this brings you to your other issue of having a dynamic IP.

    You may find that using a dynamic DNS host would be a good way to work
    around your changing IP address. You could use, for example, cjb.net. They
    have a free dynamic DNS service, and there are good clients for both Windows
    and Linux. If you have a Linux machine at home you can set up a cron job to
    update your dynamic DNS hostname at cjb.net every fifteen minutes or so. If
    you're creative you could easily script this to update only when your
    address changes.

    The next step would be to allow connections from your dynamic DNS hostname
    to either a tunnel (better option) or to your SSH daemon. I'm not sure if
    TCP wrappers will let you ALLOW a hostname in place of an IP address. There
    may be an issue if your IP has to reverse resolve to the allowed hostname.
    If you can't ALLOW a hostname then you could set up another simple script
    (I'm a Perl fan, I guess that's becoming evident) to resolve your dynamic
    hostname and put the IP it resolves to into your hosts.allow file.

    Basically:

    Use dynamic DNS to work around your dynamic IP address
    Use a tunnel to get secure access to your network from remote

    If you can do this then you can limit your SSH daemon to only accept
    internal connections (i.e. internal or through the tunnel). The dynamic DNS
    would work while you are away on holiday as well.

    This is just one idea. I like this sort of approach better than leaving
    anything wide open.

    --
    Tony Kava
    Network Administrator
    Pottawattamie County, Iowa
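
The "simple script" from the message above, written out as an added example
(this is not code from Tony Kava's post or from any of the tools he names). It is
a POSIX shell script meant to run from cron: it resolves the dynamic DNS
hostname, refuses anything that is not a plain IPv4 address so that a DNS answer
can never land in hosts.allow as wrapper syntax (ALL, wildcards, spawn
directives), and rewrites the sshd line only when the address has changed. The
hostname home.example.net, the path /usr/local/sbin/update-sshd-allow and the
cron schedule are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Keeps the sshd entry in a
# TCP-wrappers hosts.allow file in step with a dynamic-DNS hostname.
# Intended cron use (all names are placeholders):
#   */15 * * * * /usr/local/sbin/update-sshd-allow home.example.net /etc/hosts.allow

# Print the first IPv4 address HOSTNAME resolves to, or nothing if it does not.
resolve_ipv4() {
    addr=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')
    if [ -z "$addr" ] && command -v dig >/dev/null 2>&1; then
        addr=$(dig +short A "$1" | head -n 1)
    fi
    printf '%s\n' "$addr"
}

# Succeed only for a plain dotted quad with each octet in 0..255. hosts.allow
# syntax is permissive (ALL, wildcards, spawn directives), so never write a
# DNS-supplied string into it without this check.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Replace (or add) the single "sshd: <ip>" line in FILE. Exit status:
# 0 file rewritten, 1 already current, 2 refused (bad address or I/O error).
update_sshd_allow() {
    file=$1
    ip=$2
    is_ipv4 "$ip" || { echo "refusing to write non-IPv4 value '$ip'" >&2; return 2; }
    wanted="sshd: $ip"
    if grep -qxF "$wanted" "$file" 2>/dev/null; then
        return 1
    fi
    tmp=$(mktemp "$file.XXXXXX") || return 2
    # Keep every other rule, drop any old sshd line, append the new one, then
    # swap the file into place atomically so sshd never reads a half-written file.
    {
        grep -v '^sshd:' "$file" 2>/dev/null || true
        printf '%s\n' "$wanted"
    } > "$tmp"
    chmod 644 "$tmp"
    mv "$tmp" "$file"
}

main() {
    host=${1:?usage: $0 HOSTNAME [HOSTS_ALLOW_FILE]}
    file=${2:-/etc/hosts.allow}
    ip=$(resolve_ipv4 "$host")
    if [ -z "$ip" ]; then
        # Leave the old address in place rather than locking yourself out
        # because of a transient DNS failure.
        echo "$host did not resolve; leaving $file untouched" >&2
        exit 1
    fi
    update_sshd_allow "$file" "$ip"
    case $? in
        0) logger -t update-sshd-allow "sshd now allowed from $ip ($host)" ;;
        1) ;;
        *) exit 1 ;;
    esac
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two caveats a practitioner would add. A hosts.allow entry only restricts anything
if hosts.deny carries a matching `sshd: ALL` (TCP wrappers checks hosts.allow
first, then hosts.deny, and allows by default), and sshd must be linked against
libwrap for either file to be consulted at all; OpenSSH dropped TCP wrappers
support in 6.7, so on a current system the same script would drive a firewall
rule instead of hosts.allow. Also, the dynamic-DNS answer is unauthenticated,
so this only narrows the window compared with leaving the port open to the
world; it does not replace keys, and it is exactly why the message prefers a
tunnel with the SSH daemon bound to the inside.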