* Dynamic DNS
From: Sebastian Docktor @ 2005-03-09 6:25 UTC
To: netfilter
Hi,
I want to allow a Dynamic DNS client to access the SSH server
on my firewall, but I don't want to open SSH for all IPs.
Is it possible that iptables always looks up the IP address from the
hostname, so that only the IP which is registered under
the DynDNS name has access?
--
Sebastian Docktor <sebi@tux-labor.de>
* Re: Dynamic DNS
From: Brent Clark @ 2005-03-09 6:29 UTC
To: netfilter
Sebastian Docktor wrote:
> Hi,
>
> I want to allow a Dynamic DNS client to access the SSH server
> on my firewall, but I don't want to open SSH for all IPs.
> Is it possible that iptables always looks up the IP address from the
> hostname, so that only the IP which is registered under
> the DynDNS name has access?
>
>
Hi
This may be a ridiculous suggestion.
How about basing it on MAC address?
Stupid, I know.
But it's all I could think of.
Brent Clark
* Re: Dynamic DNS
From: Kenneth Kalmer @ 2005-03-09 8:04 UTC
To: Brent Clark; +Cc: netfilter
On Wed, 09 Mar 2005 08:29:23 +0200, Brent Clark
<bclark@eccotours.dyndns.org> wrote:
> Sebastian Docktor wrote:
> > Hi,
> >
> > I want to allow a Dynamic DNS client to access the SSH server
> > on my firewall, but I don't want to open SSH for all IPs.
> > Is it possible that iptables always looks up the IP address from the
> > hostname, so that only the IP which is registered under
> > the DynDNS name has access?
> >
> >
>
> Hi
>
> This may be a ridiculous suggestion.
>
> How about basing it on MAC address?
>
> Stupid, I know.
>
> But it's all I could think of.
>
> Brent Clark
>
>
I'm not too sure either, but I do know that iptables resolves the names
the moment the rule is added, not again, unless you run the rule every
minute to make sure it's updated constantly.
Can't you set up SSHD to only allow connections from certain hosts?
Then again sshd might use the reverse lookup of the ip, which isn't
always the dyndns name...
Will you let us know how you achieve this?
--
Kenneth Kalmer
kenneth.kalmer@gmail.com
http://opensourcery.blogspot.com
* Re: Dynamic DNS
From: R. DuFresne @ 2005-03-09 22:35 UTC
To: Kenneth Kalmer; +Cc: Brent Clark, netfilter
On Wed, 9 Mar 2005, Kenneth Kalmer wrote:
> On Wed, 09 Mar 2005 08:29:23 +0200, Brent Clark
> <bclark@eccotours.dyndns.org> wrote:
>> Sebastian Docktor wrote:
>>> Hi,
>>>
>>> I want to allow a Dynamic DNS client to access the SSH server
>>> on my firewall, but I don't want to open SSH for all IPs.
>>> Is it possible that iptables always looks up the IP address from the
>>> hostname, so that only the IP which is registered under
>>> the DynDNS name has access?
>>>
>>>
>>
>> Hi
>>
>> This may be a ridiculous suggestion.
>>
>> How about basing it on MAC address?
>>
>> Stupid, I know.
>>
>> But it's all I could think of.
>>
>> Brent Clark
>>
>>
>
> I'm not too sure either, but I do know that iptables resolves the names
> the moment the rule is added, not again, unless you run the rule every
> minute to make sure it's updated constantly.
>
> Can't you set up SSHD to only allow connections from certain hosts?
> Then again sshd might use the reverse lookup of the ip, which isn't
> always the dyndns name...
>
> Will you let us know how you achieve this?
>
>
Most systems, at least Linux-based dists, now have ssh compiled with tcpd
support <also, ssh did, and still should, have an access list allowed in
the sshd_config file, unless that was removed in openssh due to the tcpd
issues>, so the way I might deal with this is to only allow the dynamic
address space through via a hosts.allow file with a default deny all in
hosts.deny for sshd. Actually, since all the access to/through my firewall
comes from static IPs, I do this in both tcpd and iptables with a list of
allowed hosts at present and in the recent past. This gives me two layers
of protection should the firewall be taken down, or not come up and all
that.
This issue is easiest if you know up front what the dyn address space
consists of <you control the dynamic address space>; it is tougher if one
has to guess at the low and top ends of what addresses might get passed to
systems on boot.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
* Re: Dynamic DNS
From: Jose Maria Lopez Hernandez @ 2005-03-09 9:07 UTC
To: netfilter@lists.netfilter.org
On Wed, 09-03-2005 at 07:25 +0100, Sebastian Docktor wrote:
> Hi,
>
> I want to allow a Dynamic DNS client to access the SSH server
> on my firewall, but I don't want to open SSH for all IPs.
> Is it possible that iptables always looks up the IP address from the
> hostname, so that only the IP which is registered under
> the DynDNS name has access?
I don't understand your problem. If you know your IP you can block
based on that IP. DNS, dynamic or not, has nothing to do with that.
Just every time you change your IP, use the scripts used to do that
to update the iptables rules; it can even be done if you are using
DHCP to get the IP.
Regards.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Security and IT Systems Consulting
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
* Re: Dynamic DNS
From: Nick Drage @ 2005-03-09 10:35 UTC
To: netfilter
On Wed, Mar 09, 2005 at 10:07:22AM +0100, Jose Maria Lopez Hernandez wrote:
> On Wed, 09-03-2005 at 07:25 +0100, Sebastian Docktor wrote:
> > I want to allow a Dynamic DNS client to access the SSH server on my
> > firewall, but I don't want to open SSH for all IPs. Is it possible
> > that iptables always looks up the IP address from the hostname, so
> > that only the IP which is registered under the DynDNS name has access?
>
> I don't understand your problem. If you know your IP you can block
> based on that IP.
The OP's problem is that the DNS will stay the same, say
hostname.dyndns.net, but that the IP address associated with that name
will change. So as soon as the IP address changes, his rulebase is out
of date.
> DNS, dynamic or not, has nothing to do with that. Just every time you
> change your IP, use the scripts used to do that to update the iptables
> rules; it can even be done if you are using DHCP to get the IP.
This means the rulebase administrator has to know when the IP address
changes and has to be able to run the script to deal with that change.
And if the change is to *their* IP address, that means they can no
longer access their firewall host.
Sebastian, I'd suggest two solutions, the easy one is to run your
firewall script every minute, or two minutes, or five minutes, whatever
suits. That way your firewall will look up the IP address for the
hostname and change its rulebase accordingly.
The harder but more elegant solution is to write a script in your
favourite programming language that does the following:
look up IP address for hostname.dyndns.net
write that IP address to a file
start an infinite loop here
wait for a period of time
look up IP address for hostname.dyndns.net
if the IP address matches that in the file, do nothing
otherwise do the following:
- write the new IP address to a file
- run the firewall script again
go back to the beginning of the infinite loop
And seeing as it's sshd, watch hosts.allow and your sshd_config as well.
--
http://www.bash.org/?quote=29355
* Re: Dynamic DNS
From: Jose Maria Lopez Hernandez @ 2005-03-09 11:03 UTC
To: netfilter@lists.netfilter.org
On Wed, 09-03-2005 at 10:35 +0000, Nick Drage wrote:
> On Wed, Mar 09, 2005 at 10:07:22AM +0100, Jose Maria Lopez Hernandez wrote:
> > On Wed, 09-03-2005 at 07:25 +0100, Sebastian Docktor wrote:
>
> > > I want to allow a Dynamic DNS client to access the SSH server on my
> > > firewall, but I don't want to open SSH for all IPs. Is it possible
> > > that iptables always looks up the IP address from the hostname, so
> > > that only the IP which is registered under the DynDNS name has access?
> >
> > I don't understand your problem. If you know your IP you can block
> > based on that IP.
>
> The OP's problem is that the DNS will stay the same, say
> hostname.dyndns.net, but that the IP address associated with that name
> will change. So as soon as the IP address changes, his rulebase is out
> of date.
You are right. I didn't read the post well, I was thinking *he* was
the one with the dynamic IP, now I see it's the client to his
server who has it. That's a real problem, now I realize.
Sorry and regards.
--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@bgsec.com
bgSEC Security and IT Systems Consulting
http://www.bgsec.com
SPAIN
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
* Re: Dynamic DNS
From: Sebastian Docktor @ 2005-03-13 16:28 UTC
To: Nick Drage; +Cc: netfilter
Hi,
I've written a bash script which does that.
I know that this configuration is not really secure.
I do what Nick Drage said:
> look up IP address for hostname.dyndns.net
> write that IP address to a file
> start an infinite loop here
> wait for a period of time
> look up IP address for hostname.dyndns.net
> if the IP address matches that in the file, do nothing
> otherwise do the following:
> - write the new IP address to a file
> - run the firewall script again
> go back to the beginning of the infinite loop
Maybe somebody can look at the script and give me feedback.
(I attached it.)
Before the script starts, you have to add a rule like this
(in your normal firewall script):
iptables -N $rulename
iptables -A INPUT --destination $ext_ip -i ppp0 -j $rulename
sebi
On Wed, Mar 09, 2005 at 10:35:43AM +0000, Nick Drage wrote:
> On Wed, Mar 09, 2005 at 10:07:22AM +0100, Jose Maria Lopez Hernandez wrote:
> > On Wed, 09-03-2005 at 07:25 +0100, Sebastian Docktor wrote:
>
> > > I want to allow a Dynamic DNS client to access the SSH server on my
> > > firewall, but I don't want to open SSH for all IPs. Is it possible
> > > that iptables always looks up the IP address from the hostname, so
> > > that only the IP which is registered under the DynDNS name has access?
> >
> > I don't understand your problem. If you know your IP you can block
> > based on that IP.
>
> The OP's problem is that the DNS will stay the same, say
> hostname.dyndns.net, but that the IP address associated with that name
> will change. So as soon as the IP address changes, his rulebase is out
> of date.
>
> > DNS, dynamic or not, has nothing to do with that. Just every time you
> > change your IP, use the scripts used to do that to update the iptables
> > rules; it can even be done if you are using DHCP to get the IP.
>
> This means the rulebase administrator has to know when the IP address
> changes and has to be able to run the script to deal with that change.
> And if the change is to *their* IP address, that means they can no
> longer access their firewall host.
>
> Sebastian, I'd suggest two solutions, the easy one is to run your
> firewall script every minute, or two minutes, or five minutes, whatever
> suits. That way your firewall will look up the IP address for the
> hostname and change its rulebase accordingly.
>
> The harder but more elegant solution is to write a script in your
> favourite programming language that does the following:
>
> look up IP address for hostname.dyndns.net
> write that IP address to a file
> start an infinite loop here
> wait for a period of time
> look up IP address for hostname.dyndns.net
> if the IP address matches that in the file, do nothing
> otherwise do the following:
> - write the new IP address to a file
> - run the firewall script again
> go back to the beginning of the infinite loop
>
> And seeing as it's sshd, watch hosts.allow and your sshd_config as well.
>
> --
> http://www.bash.org/?quote=29355
>
>
--
Sebastian Docktor <sebi@tux-labor.de>
[-- Attachment #2: update-netfilter-rule.sh --]
[-- Type: application/x-sh, Size: 3143 bytes --]
* Re: Dynamic DNS
From: Maxime Ducharme @ 2005-03-09 15:17 UTC
To: Sebastian Docktor, netfilter
Hello Sebastian
Suggestion:
1. create a script for this:
check_ssh_dyndns.sh
##############################
# delete rule (if it existed)
iptables -t filter -D CHECK_SSH_DYNDNS
# re-create rule
iptables -t filter -N CHECK_SSH_DYNDNS
# read the DynDNS ip
theHost=`host a.dyndns.org |awk '{print $4}'`
# Add it to allowed SSH
iptables -t filter -A CHECK_SSH_DYNDNS -p tcp --dport 22 -s $theHost
##############################
In your firewall script call this script
./check_ssh_dyndns.sh
In crontab, run this script every 5 mins (default
DynDNS TTL). It will keep your dyndns host in the
rules up to date.
*** note that this script may need adjustment; I didn't
test it, I'm sending an idea
HTH
Maxime Ducharme
Programmer / Network security specialist
----- Original Message -----
From: "Sebastian Docktor" <sebi@tux-labor.de>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, March 09, 2005 1:25 AM
Subject: Dynamic DNS
> Hi,
>
> I want to allow a Dynamic DNS client to access the SSH server
> on my firewall, but I don't want to open SSH for all IPs.
> Is it possible that iptables always looks up the IP address from the
> hostname, so that only the IP which is registered under
> the DynDNS name has access?
>
>
> --
> Sebastian Docktor <sebi@tux-labor.de>
>
* Re: Dynamic DNS
From: Maxime Ducharme @ 2005-03-09 15:26 UTC
To: Sebastian Docktor, netfilter
Forgot something important:
you must add a jump from INPUT to the new
rule
iptables -A INPUT -j CHECK_SSH_DYNDNS
so the rule becomes active :)
also: add -m state --state NEW to CHECK_SSH_DYNDNS
HTH
Maxime Ducharme
Programmer / Network security specialist
----- Original Message -----
From: "Maxime Ducharme" <mducharme@cybergeneration.com>
To: "Sebastian Docktor" <sebi@tux-labor.de>; <netfilter@lists.netfilter.org>
Sent: Wednesday, March 09, 2005 10:17 AM
Subject: Re: Dynamic DNS
>
> Hello Sebastian
>
> Suggestion :
>
> 1. create script for this :
>
>
> check_ssh_dyndns.sh
> ##############################
> # delete rule (if it existed)
> iptables -t filter -D CHECK_SSH_DYNDNS
>
> # re-create rule
> iptables -t filter -N CHECK_SSH_DYNDNS
>
> # read the DynDNS ip
> theHost=`host a.dyndns.org |awk '{print $4}'`
>
> # Add it to allowed SSH
> iptables -t filter -A CHECK_SSH_DYNDNS -p tcp --dport 22 -s $theHost
> ##############################
>
>
> In your firewall script call this script
> ./check_ssh_dyndns.sh
>
>
>
> In crontab, run this script every 5 mins (default
> DynDNS TTL). It will keep your dyndns host in the
> rules up to date.
>
> *** note that this script may need adjustment; I didn't
> test it, I'm sending an idea
>
> HTH
>
> Maxime Ducharme
> Programmer / Network security specialist
>
> ----- Original Message -----
> From: "Sebastian Docktor" <sebi@tux-labor.de>
> To: <netfilter@lists.netfilter.org>
> Sent: Wednesday, March 09, 2005 1:25 AM
> Subject: Dynamic DNS
>
>
> > Hi,
> >
> > I want to allow a Dynamic DNS client to access the SSH server
> > on my firewall, but I don't want to open SSH for all IPs.
> > Is it possible that iptables always looks up the IP address from the
> > hostname, so that only the IP which is registered under
> > the DynDNS name has access?
> >
> >
> > --
> > Sebastian Docktor <sebi@tux-labor.de>
> >
>
* Re: Dynamic DNS
From: Jason Opperisano @ 2005-03-09 19:34 UTC
To: netfilter
On Wed, Mar 09, 2005 at 10:17:07AM -0500, Maxime Ducharme wrote:
>
> Hello Sebastian
>
> Suggestion :
>
> 1. create script for this :
>
>
> check_ssh_dyndns.sh
> ##############################
> # delete rule (if it existed)
> iptables -t filter -D CHECK_SSH_DYNDNS
>
> # re-create rule
> iptables -t filter -N CHECK_SSH_DYNDNS
>
> # read the DynDNS ip
> theHost=`host a.dyndns.org |awk '{print $4}'`
>
> # Add it to allowed SSH
> iptables -t filter -A CHECK_SSH_DYNDNS -p tcp --dport 22 -s $theHost
> ##############################
>
>
> In your firewall script call this script
> ./check_ssh_dyndns.sh
>
>
>
> In crontab, run this script every 5 mins (default
> DynDNS TTL). It will keep your dyndns host in the
> rules up to date.
>
> *** note that this script may need adjustment; I didn't
> test it, I'm sending an idea
the theory is there--the implementation is missing some fine points:
in the normal iptables script file:
iptables -N DynSSH
iptables -A INPUT -i $EXT_IF -p tcp --syn --dport 22 -j DynSSH
none of the above needs to ever change.
now--in the cronjob:
{logic to detect a change in the src host's IP address}
iptables -F DynSSH
iptables -A DynSSH -s $DYNHOST -j ACCEPT
HTH...
-j
--
"My cat's breath smells like cat food."
--The Simpsons
* Re: Dynamic DNS
From: Maxime Ducharme @ 2005-03-09 20:33 UTC
To: netfilter
Thanks Jason for the clarification :)
Obviously this script needs a major update
to fit systems.
I'd also add a function that would log
the last IP found.
When crond activates, there should be a test
which checks if the IP has changed. If yes,
reconstruct the rules.
Anyone with more ideas?
Maxime Ducharme
Programmer / Network security specialist
----- Original Message -----
From: "Jason Opperisano" <opie@817west.com>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, March 09, 2005 2:34 PM
Subject: Re: Dynamic DNS
> On Wed, Mar 09, 2005 at 10:17:07AM -0500, Maxime Ducharme wrote:
> >
> > Hello Sebastian
> >
> > Suggestion :
> >
> > 1. create script for this :
> >
> >
> > check_ssh_dyndns.sh
> > ##############################
> > # delete rule (if it existed)
> > iptables -t filter -D CHECK_SSH_DYNDNS
> >
> > # re-create rule
> > iptables -t filter -N CHECK_SSH_DYNDNS
> >
> > # read the DynDNS ip
> > theHost=`host a.dyndns.org |awk '{print $4}'`
> >
> > # Add it to allowed SSH
> > iptables -t filter -A CHECK_SSH_DYNDNS -p tcp --dport 22 -s $theHost
> > ##############################
> >
> >
> > In your firewall script call this script
> > ./check_ssh_dyndns.sh
> >
> >
> >
> > In crontab, run this script every 5 mins (default
> > DynDNS TTL). It will keep your dyndns host in the
> > rules up to date.
> >
> > *** note that this script may need adjustment; I didn't
> > test it, I'm sending an idea
>
> the theory is there--the implementation is missing some fine points:
>
> in the normal iptables script file:
>
> iptables -N DynSSH
> iptables -A INPUT -i $EXT_IF -p tcp --syn --dport 22 -j DynSSH
>
> none of the above needs to ever change.
>
> now--in the cronjob:
>
> {logic to detect a change in the src host's IP address}
> iptables -F DynSSH
> iptables -A DynSSH -s $DYNHOST -j ACCEPT
>
> HTH...
>
> -j
>
> --
> "My cat's breath smells like cat food."
> --The Simpsons
>
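An added example, not the thread's check_ssh_dyndns.sh nor Sebastian's attached update-netfilter-rule.sh: a cron job that combines Nick Drage's change detection (resolve, compare with the stored address, rewrite only on change) with Jason's static DynSSH chain, which Maxime's last message also asks for. It assumes the chain and INPUT jump from Jason's message already exist and that the host has a glibc-style getent(1) for the lookup, and it validates the resolved value before it reaches an iptables command line, since the DNS answer is the untrusted input Steven Campbell warns about.

```shell
#!/bin/sh
# Added example, not the thread's check_ssh_dyndns.sh or the attached
# update-netfilter-rule.sh.  Keeps one iptables chain in sync with a
# dynamic-DNS name: resolve, compare with the last address stored in a
# state file, and only rewrite the chain when the address changed.
#
# Assumed static part (Jason Opperisano's layout), already in the main
# firewall script and never touched here:
#   iptables -N DynSSH
#   iptables -A INPUT -i $EXT_IF -p tcp --syn --dport 22 -j DynSSH
#
# Run it from cron every few minutes as `dynssh.sh run`.

DYNHOST="${DYNHOST:-hostname.dyndns.net}"    # placeholder name used in the thread
CHAIN="${CHAIN:-DynSSH}"
STATEFILE="${STATEFILE:-/var/run/dynssh.last}"
IPTABLES="${IPTABLES:-iptables}"              # overridable for testing

# resolve_host NAME: print the first IPv4 address for NAME, or nothing.
# Assumes a glibc-style getent(1); its first column is the address, so this
# does not depend on the column layout of host(1) that awk '{print $4}' did.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
# The resolved value ends up on an iptables command line, and DNS is the
# untrusted input here, so anything else is rejected before it gets there.
is_ipv4() {
    addr=$1
    case "$addr" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# update_chain ADDR: flush the chain and re-add the single ACCEPT rule.
update_chain() {
    "$IPTABLES" -F "$CHAIN" &&
    "$IPTABLES" -A "$CHAIN" -s "$1" -j ACCEPT
}

# sync_dyn_ssh: the cron job body.  Prints "updated ADDR" when the chain was
# rewritten, "unchanged ADDR" when the state file already holds the address.
# Returns 1 and leaves the existing rule in place when the name does not
# resolve to a valid address, so a resolver outage or a bad answer never
# wipes the rule that is currently letting the admin in.
sync_dyn_ssh() {
    new_ip=$(resolve_host "$DYNHOST")
    if ! is_ipv4 "$new_ip"; then
        echo "no usable A record for $DYNHOST; leaving $CHAIN untouched" >&2
        return 1
    fi
    old_ip=""
    [ -r "$STATEFILE" ] && old_ip=$(cat "$STATEFILE")
    if [ "$new_ip" = "$old_ip" ]; then
        echo "unchanged $new_ip"
        return 0
    fi
    update_chain "$new_ip" || return 1
    printf '%s\n' "$new_ip" > "$STATEFILE"
    echo "updated $new_ip"
}

# Only act when invoked as `dynssh.sh run`; otherwise just define the functions.
if [ "${1:-}" = run ]; then
    sync_dyn_ssh
fi
```

The state file and the flush-then-add sequence mean the chain holds at most one ACCEPT rule at any time, so a stale address is dropped the moment the name moves.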
* Re: Dynamic DNS
From: Steven M Campbell @ 2005-03-09 20:41 UTC
To: netfilter
Sebastian Docktor wrote:
>Hi,
>
>I want to allow a Dynamic DNS client to access the SSH server
>on my firewall, but I don't want to open SSH for all IPs.
>Is it possible that iptables always looks up the IP address from the
>hostname, so that only the IP which is registered under
>the DynDNS name has access?
>
>
>
IMO, it's a very bad idea to lower the security of an iptables firewall by
making it dependent on DNS for any portion of authorization
certification. DNS isn't exactly known for its stellar security :)
Allow me to suggest an alternate path. Use RSA key files and disallow
ssh password authentication; this way you can leave the port open but
users without public keys installed on the server cannot gain access.
Generally speaking DNS should have nothing to do with anyone's firewall
because DNS would then become the weak link in the security chain and
SSH has methods that are better applied to these needs.
* Re: Dynamic DNS
From: Steven M Campbell @ 2005-03-09 20:58 UTC
To: netfilter
Steven M Campbell wrote:
> Sebastian Docktor wrote:
>
>> Hi,
>>
>> I want to allow a Dynamic DNS client to access the SSH server on my
>> firewall, but I don't want to open SSH for all IPs.
>> Is it possible that iptables always looks up the IP address from the
>> hostname, so that only the IP which is registered under
>> the DynDNS name has access?
>>
>>
>>
>
> IMO, it's a very bad idea to lower the security of an iptables firewall
> by making it dependent on DNS for any portion of authorization
> certification. DNS isn't exactly known for its stellar security :)
> Allow me to suggest an alternate path. Use RSA key files and disallow
> ssh password authentication; this way you can leave the port open but
> users without public keys installed on the server cannot gain access.
> Generally speaking DNS should have nothing to do with anyone's
> firewall because DNS would then become the weak link in the security
> chain and SSH has methods that are better applied to these needs.
>
>
A quick look at the sshd_config man page reveals:
AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces. If specified, login is allowed only for user names that match
one of the patterns. ‘*’ and ‘?’ can be used as wildcards in the
patterns. Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users. If the pattern takes the form
USER@HOST then USER and HOST are separately checked, restricting
logins to particular users from particular hosts.
Sorry for straying off the topic folks, I think you might care to take
this route.
* Re: Dynamic DNS
From: R. DuFresne @ 2005-03-09 22:51 UTC
To: Steven M Campbell; +Cc: netfilter
On Wed, 9 Mar 2005, Steven M Campbell wrote:
> Sebastian Docktor wrote:
>
>> Hi,
>>
>> I want to allow a Dynamic DNS client to access the SSH server on my
>> firewall, but I don't want to open SSH for all IPs.
>> Is it possible that iptables always looks up the IP address from the
>> hostname, so that only the IP which is registered under
>> the DynDNS name has access?
>>
>>
>
> IMO, it's a very bad idea to lower the security of an iptables firewall by
> making it dependent on DNS for any portion of authorization certification.
> DNS isn't exactly known for its stellar security :) Allow me to suggest an
> alternate path. Use RSA key files and disallow ssh password authentication;
> this way you can leave the port open but users without public keys installed
> on the server cannot gain access. Generally speaking DNS should have nothing
> to do with anyone's firewall because DNS would then become the weak link in
> the security chain and SSH has methods that are better applied to these
> needs.
>
Ahh, but this closes one sec loophole and opens another, sshd, which has
gotten hit with quite a few sec issues. Keeping the sshd port closed to
the outside except for a few 'special' systems makes the likelihood of a
system compromise due to sshd extremely unlikely.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>
* RE: Dynamic DNS
From: Sietse van Zanen @ 2005-03-09 8:53 UTC
To: netfilter
Hi,
You are indeed right. Though I have definitely enabled FXP in my ftp
server, I see iptables dropping the active connections the server makes
to the remote server.
The FXP client displays:
PORT command ok
Time-out opening connection.
When I do some tcpdumping, I can see the PORT command being sent. The
ftp server tries to open a connection, but packets get dropped because
they're UNRELATED to the ftp connection (probably due to the PORT command
containing a different IP than the client).
Now I have only a couple of people on the ftp server in my DMZ. So I
could very easily configure the server to use a range of say 100 ports
for active ftp connections and open them up to the outside world. It
would however be much neater to have iptables connection tracking allow
the fxp connections.
That's why I just need a yes / no answer on the question. Any
developers here that can tell, or should I rather contact RedHat to
ask how they compiled iptables?
Thanks for the answer so far.
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Kenneth
Kalmer
Sent: Wednesday, March 09, 2005 9:04 AM
To: Brent Clark
Cc: netfilter@lists.netfilter.org
Subject: Re: Dynamic DNS
On Wed, 09 Mar 2005 08:29:23 +0200, Brent Clark
<bclark@eccotours.dyndns.org> wrote:
> Sebastian Docktor wrote:
> > Hi,
> >
> > I want to allow a Dynamic DNS client to access the SSH server
> > on my firewall, but I don't want to open SSH for all IPs.
> > Is it possible that iptables always looks up the IP address from the
> > hostname, so that only the IP which is registered under
> > the DynDNS name has access?
> >
> >
>
> Hi
>
> This may be a ridiculous suggestion.
>
> How about basing it on MAC address?
>
> Stupid, I know.
>
> But it's all I could think of.
>
> Brent Clark
>
>
I'm not too sure either, but I do know that iptables resolves the names
the moment the rule is added, not again, unless you run the rule every
minute to make sure it's updated constantly.
Can't you set up SSHD to only allow connections from certain hosts?
Then again sshd might use the reverse lookup of the ip, which isn't
always the dyndns name...
Will you let us know how you achieve this?
--
Kenneth Kalmer
kenneth.kalmer@gmail.com
http://opensourcery.blogspot.com