Re: [suse-security] Re: [suse-security-announce] SuSE Security Announcement: OpenSSH (SuSE-SA:2002:023)
On Tue, 2002-06-25 at 22:54, Michael Weinert wrote:
Solution: Get yourself a static name for your dynamic IP.
Is that available from all providers? Martin
Sven 'Darkman' Michels wrote:
Martin Wilck wrote:
Solution: Get yourself a static name for your dynamic IP.
Is that available from all providers? Martin
www.dyndns.org
If I restrict access with iptables, does the kernel check for every incoming request whether it comes from the IP? I thought that if you enter iptables rules with hostnames, the resolution from hostname to IP is only done once?!? Torsten
* Torsten Mueller wrote on Wed, Jun 26, 2002 at 01:28 +0200:
Martin Wilck wrote:
Solution: Get yourself a static name for your dynamic IP.
This is not a solution.
Is that available from all providers? Martin
www.dyndns.org
This is about forward lookups only (Name --> IP), not reverse lookups.
If I restrict access with iptables, does the kernel check for every incoming request whether it comes from the IP?
Yes, from the *IP*. If you use names in config, they are resolved when setting up the rules (by ipchains or such).
I thought that if you enter iptables rules with hostnames, the resolution from hostname to IP is only done once?!?
Yes. You could try tcp wrappers; this should work, but not with dns2go & friends, since if you see an incoming IP, you must resolve this to a name, and this is not provided by dns2go & friends. oki, Steffen -- This message was generated by machine; it therefore bears neither signature nor seal.
On Wednesday, 26 June 2002 09:43, Steffen Dettmer wrote:
> > Solution: Get yourself a static name for your dynamic IP.
> This is not a solution.
It works for me.
> > Is that available from all providers? Martin
> > www.dyndns.org
> This is about forward lookups only (Name --> IP), not reverse lookups.
This is right.
Ok, I will explain how this works here: I have written an iptables script. The first rule of my EXT_CHAIN is a dummy entry to disallow ssh traffic:
iptables -A EXT_CHAIN -i eth0 -p tcp -s 0.0.0.0/0 --dport 22 -j REJECT
I also wrote a program which looks up my 5 DNS names (www.dyndsl.com ...). It resolves those 5 names to IPs and checks whether at least 3 match. It then deletes the first rule of EXT_CHAIN:
iptables -D EXT_CHAIN 1
After this it inserts, as the first rule, my IP open for ssh:
iptables -I EXT_CHAIN 1 -i eth0 -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 --dport 22 -j ACCEPT
If it can't find my IP it REJECTs all traffic on port 22. I run this program every 30 minutes, so this only works acceptably if you have a flat rate, which I have. If you don't have a flat rate, you have to run the script more often. Still, you have to wait a couple of minutes to get onto the server. I hope everybody understood my explanation. With this one doesn't have to worry too much about those OpenSSH exploits. There really are quite a lot of them lately.
With nice regards, Michael.
-- Key fingerprint = 3D66 5A8F 53C0 3AD3 3470 74A6 64AC 55D1 8AFB B436 SysQuadrat Michael Weinert Stuttgart Filderstadt-Plattenhardt Tel.: 0711-9970288 Fax: 5360559 Mobil: 0170-4141273 http://www.linux-firewall.de weinert@sys2.de
* Michael Weinert wrote on Wed, Jun 26, 2002 at 10:03 +0200:
> > > Solution: Get yourself a static name for your dynamic IP.
> > This is not a solution.
> It works for me. [...] Ok, I will explain how this works here: I have written an iptables script. [...] I also wrote a program [...]
Well, but it seems that you use non-standard software that is not available to the public... oki, Steffen -- This message was generated by machine; it therefore bears neither signature nor seal.
On Wednesday, 26 June 2002 10:28, Steffen Dettmer wrote:
> > > > Solution: Get yourself a static name for your dynamic IP.
> > > This is not a solution.
> > It works for me.
> > I also wrote a program
> Well, but it seems that you use non-standard software that is not available to the public...
It is not yet available to the public. I will release it as soon as I can. At the moment the static names are hardcoded. I don't want to show everybody those names ;-) Besides, I'm old-fashioned and wrote this in Pascal. It shouldn't be too hard to write this as a bash script. If anyone is interested, he can write me an email, so I know whether it's worth releasing.
With nice regards, Michael.
-- Key fingerprint = 3D66 5A8F 53C0 3AD3 3470 74A6 64AC 55D1 8AFB B436 SysQuadrat Michael Weinert Stuttgart Filderstadt-Plattenhardt Tel.: 0711-9970288 Fax: 5360559 Mobil: 0170-4141273 http://www.linux-firewall.de weinert@sys2.de
participants (5)
-
Martin Wilck
-
Michael Weinert
-
Steffen Dettmer
-
Sven 'Darkman' Michels
-
Torsten Mueller