Our servers (all CentOS) are all restricted by IP but often I am out and about and stuck on a dynamic IP address. Using a DynDNS widget I have set this dynamic IP to always sync with a DynDNS hostname, but how should I go about making this resolve to an IP in hosts.allow? For the moment I've written a cron script that runs every few minutes and checks the IP assigned to that hostname and writes the dynamic IP to hosts.allow, but I'm not too keen on that as a solution. Is there a more elegant way I could be doing this?
Thanks.
The below script would ping your dynamic address and grab the IP only, and then compare it against the IP stored in last_ip.txt; if they are different, the IP in hosts.allow will be removed and replaced with the new IP, as well as the IP in last_ip.txt.
You can then set this code on your crontab to run every 5 minutes or 10 or whatever you see fit.
It is not as complex and might solve your problem...
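One way to implement the script this answer describes, added here as an example (it is not the answer's own script): it resolves the DynDNS hostname, compares the result with the IP stored in last_ip.txt, and rewrites only its own tagged line in hosts.allow, leaving every other entry alone. The file paths are assumptions and are passed as arguments so the logic can be tried against temporary files first.

```shell
#!/bin/sh
# Added example (not the answer's own script): keep one "sshd:" entry in
# hosts.allow in sync with the IPv4 address a DynDNS hostname resolves to.
# File paths are parameters (assumed, not from the thread) so the logic can
# be exercised against temporary files before it touches /etc/hosts.allow.

# resolve_ipv4 HOSTNAME: print the first IPv4 address, or nothing on failure
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# valid_ipv4 IP: succeed only for four dotted decimal octets in 0..255,
# so a garbage DNS reply can never be written into hosts.allow
valid_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# update_allow ALLOW_FILE STATE_FILE NEW_IP
# Replaces only the line tagged "# dyndns-managed"; every other entry in
# hosts.allow is left alone. The file is rewritten atomically via rename.
# Returns 0 if changed, 1 if NEW_IP equals the stored one, 2 on bad input.
update_allow() {
    ua_allow=$1; ua_state=$2; ua_new=$3
    valid_ipv4 "$ua_new" || return 2
    ua_old=$(cat "$ua_state" 2>/dev/null || true)
    [ "$ua_old" = "$ua_new" ] && return 1
    ua_tmp=$(mktemp "${ua_allow}.XXXXXX") || return 2
    grep -v '# dyndns-managed$' "$ua_allow" > "$ua_tmp" 2>/dev/null || true
    printf 'sshd: %s # dyndns-managed\n' "$ua_new" >> "$ua_tmp"
    chmod 644 "$ua_tmp"                      # mktemp creates the file 0600
    mv "$ua_tmp" "$ua_allow" && printf '%s\n' "$ua_new" > "$ua_state"
}

# sync_host HOSTNAME ALLOW_FILE STATE_FILE: resolve, then update. A failed
# lookup leaves hosts.allow untouched, so a DNS hiccup cannot lock you out.
sync_host() {
    sh_ip=$(resolve_ipv4 "$1" || true)
    if [ -z "$sh_ip" ]; then
        echo "cannot resolve $1, leaving $2 unchanged" >&2
        return 2
    fi
    update_allow "$2" "$3" "$sh_ip"
}

# Cron usage (assumed paths), e.g. every 5 minutes:
# */5 * * * * /usr/local/sbin/dyn_allow.sh me.dyndns.example /etc/hosts.allow /var/lib/dyn_allow/last_ip.txt
if [ $# -eq 3 ]; then sync_host "$@"; fi
```

Because the managed line is tagged, a hand-written permanent entry (the "safety net" IP mentioned in another answer) survives every rewrite.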
My current solution for this is webknocking where I first make a request to a special web page (optionally with my user/pass) that opens up the SSH gates for the IP that I request from. This is how I ssh into some of my servers from my phone. This keeps the extra software involved to a minimum so I could sit down at some cafe computer and authorize it for standard ssh access in a few seconds, but keeps the intruders from even being able to play with my ssh port. A drawback of any knocking solution is the extra point of failure. My safety net is a few hard coded IPs that are allowed access and if something goes wrong with the knocking scripts or web server that handles them, I just have to use one of the other machines that has permanent access to get into and fix the broken box.
Alternatively some dynamic IP systems have "hooks" or "callbacks" that can be used to get an automated notification of IP address changes. This could be via email or an HTTP request that could be used as a "knock". Alternatively you could script this on the local end so that whenever your network scripts run or the local IP changes, you automatically fire off some kind of knock or trigger that forces an update of the dynamic IP access list.
I can understand your concern about 3rd parties playing with an open SSH port. I have solved this in a different manner. On my private server, the SSH port is open to everybody, but it is monitored by fail2ban, a smart little package available for Debian (and probably most other distros, too). As soon as somebody fails to log in after 3 attempts from the same IP address, that address gets blocked in the firewall for several days.
Ever since I installed this, I had peace and quiet on my server. And I can still log in (using my key from a USB stick) from anywhere in the world.
If you are the only one logging in to that server, you could also do a simple port forward in the firewall or run sshd on a different port.
I'd suggest port knocking as an alternative; alternatively, rent an SSH account on a 3rd party server and SSH from there.
I would approach this in a different way. Rather than having your servers each maintain a list of whitelisted IPs, I would configure them all to only allow ssh from "internal" IPs. Then set up a separate gateway/landing pad host that you can VPN into. Now, you can bounce through that box to reach the rest of the servers securely.
This limits your attack surface to a single box, instead of all of your boxes. Additionally, many/most VPN solutions allow you to enhance the security requirements for a connection, using certificates, two factor authentication, and other things along with (or instead of) simple passwords. All in all, this will give you greater security, greater flexibility, and much better maintainability.
There are a number of VPN options available (I'm a big fan of OpenVPN, myself) that you can use to properly set up a secure access point for your devices. Many of them are relatively easy to set up, and for a small setup like this, they require minimal resources.
ConfigServerFirewall has the functionality you desire. Once installed, you can check out this forum post for a good explanation.
My solution is to block all ssh-access in hosts.deny with
sshd: ALL
To allow access from servers with a special (dynamic) domain I created a script that turns a list of allowed domains into a list of IPs. This IP list is included in hosts.allow by adding the following line:
file: /etc/hosts.allow
The source of the script looks like this:
file: /etc/ssh_dyn_allow/renew_allowed_ip_list.sh
The script is executed with a cronjob every 15 minutes.
The file with the allowed domains is a text file with one domain per line and looks like this:
file: /etc/ssh_dyn_allow/allowed_domain.list
Advantages: