Frank Duignan wrote:
>I was looking for something similar for the same reason - I had hoped to
>limit ssh access to clients from a particular country - apparently NTL screws
>things up for Ireland by using UK assigned IP addresses. Can you limit your
>whitelist to particular addresses and address ranges used by known ISPs?
>>On 6/7/05, Niall O Broin <niall at linux.ie> wrote:
>>Having finally become pissed off with thousands of ssh brute force
>>attacks a day, and being concerned that maybe one day one of them might
>>strike lucky, I set up blocking of ssh via iptables on the affected
>>server, with a whitelist of allowed addresses. Some fancy solutions
>>were pointed out on #linux, but the version of iptables available on
>>RHES 3 didn't support some necessary feature, so I went with more or
>>less my original idea, which was to have a REJECT rule in the INPUT
>>chain for new ssh connections, and then add an ACCEPT rule for each
>>allowed address. The problem is that a number of the allowed addresses
>>are dynamic addresses, e.g. with people who have cable modems or DSL
>>with dynamic IPs.
>>
>>Has anyone come across a prepackaged way of handling that?
>>
>>Conceptually, it's not that hard. You just maintain a list of the
>>allowed hostnames with their current IPs and on a regular basis, look
>>up the IPs again. If any have changed, you simply delete the
>>corresponding rule from the accept chain, using the old IP which you
>>have remembered, and insert a rule for the new IP. However, I imagine
>>I'm not the first one to have come across this problem, and I hate to
>>re-invent the wheel.
>>
>>I did ask Uncle Google, but couldn't come up with the right question
>>(or maybe there is no answer).

I think he's talking about using the hostname to find the IP, so I'm
guessing dynamic DNS or similar is in use by the clients?

In this fashion, I don't believe that the IP assignment would come into
play, as the requirement is to allow only specific IPs, not entire known
ranges, right?

If you want to cut out the dynamic DNS, I presume you have to pick some
standard way to have the clients let the server know their IP so an access
rule may be added... instead of the reverse querying (like an encrypted
message of some sort saying "here's my new IP", repeated at intervals so you
don't get timed out?).
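The re-resolve-and-swap loop Niall describes in the quoted message, written out as an added example; this is not code from the thread or from any of the posters. It is a POSIX sh script meant to be run from cron. Everything it assumes is an assumption, not the thread's: a hosts file with one allowed hostname per line, a state file remembering the last address installed for each name (so the stale ACCEPT rule can be deleted by address, as Niall suggests), that the REJECT rule for new ssh connections already sits in INPUT so that `-I INPUT` puts each ACCEPT above it, and glibc's `getent ahostsv4` for resolution. The `fw` and `resolve_host` wrappers exist so the iptables and DNS calls can be swapped out when exercising the logic on a machine without root.

```shell
#!/bin/sh
# Refresh ssh ACCEPT rules for allowed hostnames whose addresses change.
# All paths, the chain name and the port are assumptions for this example.
HOSTS_FILE=${HOSTS_FILE:-/etc/ssh-whitelist/hosts}   # one hostname per line
STATE_FILE=${STATE_FILE:-/var/lib/ssh-whitelist/state} # "hostname ip" per line
CHAIN=${CHAIN:-INPUT}   # the REJECT rule for new ssh is assumed to be here already
PORT=${PORT:-22}

# Wrapper around iptables so the call can be replaced for a dry run or a test.
fw() { iptables "$@"; }

# Resolve a hostname to its first IPv4 address; prints nothing on failure.
# Assumes glibc's getent; older boxes may need dig/host here instead.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Print the address remembered for a hostname (empty if none recorded yet).
remembered_ip() {
    awk -v h="$1" '$1 == h { print $2 }' "$STATE_FILE" 2>/dev/null
}

# Record the address now installed for a hostname, replacing any old entry.
remember_ip() {
    tmp=$(mktemp)
    {
        awk -v h="$1" '$1 != h' "$STATE_FILE" 2>/dev/null
        printf '%s %s\n' "$1" "$2"
    } > "$tmp"
    mv "$tmp" "$STATE_FILE"
}

# Core loop: for every allowed hostname, look the address up again; if it
# differs from the remembered one, delete the rule for the old address and
# insert one for the new address. Prints the number of hostnames updated.
refresh_whitelist() {
    changed=0
    while read -r host; do
        case "$host" in ''|\#*) continue ;; esac   # skip blanks and comments
        old=$(remembered_ip "$host")
        new=$(resolve_host "$host")
        if [ -z "$new" ]; then
            # A transient DNS failure must not lock the client out:
            # keep whatever rule is installed and try again next run.
            echo "warn: $host did not resolve; keeping rule for ${old:-none}" >&2
            continue
        fi
        if [ "$new" = "$old" ]; then
            continue
        fi
        if [ -n "$old" ]; then
            fw -D "$CHAIN" -s "$old" -p tcp --dport "$PORT" -j ACCEPT
        fi
        fw -I "$CHAIN" -s "$new" -p tcp --dport "$PORT" -j ACCEPT
        remember_ip "$host" "$new"
        changed=$((changed + 1))
    done < "$HOSTS_FILE"
    echo "$changed"
}

# Entry point for cron: "ssh-whitelist-refresh.sh run" every few minutes.
if [ "${1:-}" = run ]; then
    refresh_whitelist
fi
```

Two things worth noticing. The script deliberately keeps the old rule when a name fails to resolve, because dropping it would lock a legitimate client out on every DNS hiccup. And the whole scheme trusts the DNS answer: whoever can make the allowed hostname resolve to their address gets the ACCEPT rule, which is the weakness behind the suggestion above of having the client announce its address over an authenticated channel instead.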