-
March 18th, 2005, 05:04 PM
#11
Why don't you use the MAC instead of the hostname? (I realized hostname matching isn't gonna do much for an SSH packet, heh.) It's easier to match on a per-packet basis. Something like:
iptables -A PREROUTING -m string --string 'y0:uR:MA:CA:dD:RR' -m tcp -p tcp --dport 22 -j ACCEPT
or something along those lines... Then your IP wouldn't matter; it'd be nice with a laptop for sure.
-Maestr0
PS. Not sure if that's the right way to use --string; if you compile netfilter with that extension you can run iptables -m string --help.
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
-
March 30th, 2005, 05:02 PM
#12
Junior Member
iptables question rep
A question for a question: with the advent of SELinux in the 2.6 kernel, does this really muck things up with iptables and the permissive or targeted policy?
-
March 30th, 2005, 05:06 PM
#13
disregard my last post
-
April 26th, 2005, 04:39 AM
#14
I would open 22 through the firewall. Restrict your sshd to use DSA keys only. No root login, of course. And make sure your latest OpenSSH is compiled with --with-tcp-wrappers enabled.
This way you can simply vi /etc/hosts.allow and add, for example:
sshd: 192.168.4.0/29 yourname.com
This will give you local net access (optional) and give your domain name access. Since you said your IP changes all the time but you will be using a dynamic DNS updater, tcp wrapper will do a DNS lookup, providing of course that /etc/nsswitch.conf & /etc/resolv.conf have valid DNS info... which I'm sure they do.
Plus you could put something like this in /etc/hosts.deny to log failed attempts:
ALL : ALL : spawn (/usr/bin/logger -p daemon.warning "Attempt at %d from %c") &
~phatdee
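An added example (my code, not phatdee's and not from the thread) that writes the hosts.allow / hosts.deny pair this post describes and checks which client addresses the network entry actually admits; 192.168.4.0/29 and yourname.com are the post's own placeholders. Two caveats worth checking before relying on this: a /29 covers only eight addresses (192.168.4.0 through .7), and tcp_wrappers matches a hostname pattern against the reverse-resolved (and forward-confirmed) name of the connecting address, so the yourname.com entry only matches when the PTR record for your current IP is yourname.com, which a dynamic DNS updater normally does not give you. The CIDR check below is a plain-shell approximation of libwrap's address matching; with tcp_wrappers installed the authoritative test is `tcpdmatch sshd <client-ip>`, which the script calls when it is present.

```shell
#!/bin/sh
# Added example, not from the thread: produce the hosts.allow / hosts.deny
# pair described in the post and check which client addresses the network
# part actually admits. 192.168.4.0/29 and yourname.com are the post's own
# placeholders. The CIDR test is a plain-shell approximation of libwrap's
# address matching; the real check, when tcp_wrappers is installed, is
# `tcpdmatch sshd <client-ip>`.

# write_wrappers_conf DIR [NET] [HOST] -> writes DIR/hosts.allow and
# DIR/hosts.deny (a temp dir to inspect, / for the real files as root).
write_wrappers_conf() {
    dir="$1"; net="${2:-192.168.4.0/29}"; host="${3:-yourname.com}"
    printf 'sshd: %s %s\n' "$net" "$host" > "$dir/hosts.allow"
    # Deny everything else and log it; %d expands to the daemon name, %c to
    # the client. daemon.warning is a valid syslog priority (daemon.log is not).
    printf 'ALL : ALL : spawn (/usr/bin/logger -p daemon.warning "Attempt at %%d from %%c") &\n' \
        > "$dir/hosts.deny"
}

# ip2int A.B.C.D -> the address as a 32-bit integer (subshell keeps IFS local).
ip2int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR NET/BITS -> exit 0 when ADDR lies inside NET/BITS.
in_cidr() {
    addr="$1"; net="${2%/*}"; bits="${2#*/}"
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# ssh_allowed ADDR [NET/BITS] -> exit 0 if sshd would accept ADDR by address.
# Uses the real tcpdmatch (reads /etc/hosts.allow) when available.
ssh_allowed() {
    if command -v tcpdmatch >/dev/null 2>&1; then
        tcpdmatch sshd "$1" | grep -q 'access:.*granted'
    else
        in_cidr "$1" "${2:-192.168.4.0/29}"
    fi
}
```

Usage: `write_wrappers_conf /tmp/wrap` then `cat /tmp/wrap/hosts.allow`; `in_cidr 192.168.4.9 192.168.4.0/29` fails, which is the kind of surprise a quick check like this catches before you lock yourself out. If the whole LAN should get in, use /24 instead of /29.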