# iptables allow ssh only from trusted dynamic ip

## poncio

Hi, 

I'm trying to allow ssh through my gentoo firewall but only from a trusted, dynamic IP address. (Got tired of endless logs of ssh failed login attempts. What kind of moron would test passwords for user "test" for three hours?  :Mad: ). I am using ddclient so one of my rules looks something like this:

```
$IPTABLES -A allow-ssh-traffic-in -s ! trusted.dyndns.org -p tcp --dport ssh -j DROP
```

ddclient is updating the ip address fine but ssh stops working when the ip changes.

The reason is that the saved iptables rules do not save "trusted.dyndns.org" but my isp dns assignment, i.e.:

```
iptables -L
.
.
DROP       tcp  -- !abc123.us.client.myisp.com  anywhere            tcp dpt:ssh
```

Of course, when my ip changes so does the dns assignment (now abc456.us.client.myisp.com) and there goes my ssh access.

Any ideas (other than a cron script to update the rule every now and then)?

Thanks
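An added example, not a script from poncio or anyone else in the thread, of the refresh approach the question mentions, written to fail closed: it resolves the trusted name, validates the result, and only when the address has changed inserts the rule for the new address before deleting the one for the old, so the chain never has a moment without a DROP. The chain name, the state file path and the `apply` argument are assumptions; `! -s` is the current iptables spelling of the thread's `-s !`.

```shell
# Added example, not a script from the thread: refresh the source-restricted SSH
# rule when the trusted DynDNS name resolves to a new address. Chain name, state
# file and the "apply" argument are assumptions; "! -s" is modern "-s !" syntax.
TRUSTED_HOST=${TRUSTED_HOST:-trusted.dyndns.org}
CHAIN=${CHAIN:-allow-ssh-traffic-in}
STATE_FILE=${STATE_FILE:-/var/run/trusted-ssh-ip}

# Resolve a name to its first IPv4 address through the libc resolver (getent).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Accept only a dotted quad with four octets in 0-255, so a resolver failure
# (empty output, an error string) is never spliced into an iptables command.
valid_ipv4() {
    case $1 in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print the iptables commands that move the rule from old address $1 (empty on
# the first run) to new address $2; printed, not executed, so the plan can be
# inspected and tested. iptables stores the resolved IP, never the name, so the
# rule for the new address goes in before the old one is deleted: the chain is
# never left without a DROP, i.e. a change fails closed rather than open.
rule_update_commands() {
    [ "$1" = "$2" ] && return 0
    echo "iptables -I $CHAIN 1 ! -s $2 -p tcp --dport ssh -j DROP"
    [ -n "$1" ] && echo "iptables -D $CHAIN ! -s $1 -p tcp --dport ssh -j DROP"
    return 0
}

# Resolve, validate, apply, then remember which address is now in the rule.
# A failed lookup leaves the existing rule untouched (still closed to others).
main() {
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    new=$(resolve_ipv4 "$TRUSTED_HOST")
    if ! valid_ipv4 "$new"; then
        echo "cannot resolve $TRUSTED_HOST; keeping rule for ${old:-nothing}" >&2
        return 1
    fi
    rule_update_commands "$old" "$new" | sh -e && printf '%s\n' "$new" > "$STATE_FILE"
}
# Run as "sh trusted-ssh.sh apply" from cron or a ddclient post-update hook.
if [ "${1:-}" = apply ]; then main; fi
```

Because the rule is keyed on the address iptables actually stored, the script remembers that address in the state file instead of trying to match the name.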

----------

## Casper Gasper

As an alternative...

I keep posting this suggestion, but try running ssh on a different port.  Put it on port 50,000 or something and you'll see the number of invalid login attempts drop to zero.

----------

## pharaoh

A sloppy but quick way would be to setup one of those free dynamic IP DNS services (I use no-ip.com for this) and then only allow access to that using /etc/hosts.allow:

```
sshd: yourname.no-ip.info
```

Your /etc/hosts.deny should then be

```
sshd:ALL
```

I apologize if you already knew how to setup those files, thought I'd include them anyway just in case.  But that no-ip.com DNS pointer is free, and I do believe there's many other free ones (although this one is in portage).

----------

## res0nat0r

i have a similar but off topic problem with my dyndns update program.

i am using dhclient to update my ip address automatically upon bootup.

this worked fine until i put my box behind a firewall, now dhclient just updates my dyndns.org hostname to 192.168.1.100 since that is the current ip of my natted box. is there any way to get my modem's ip address and pass that back to the updater script? how do i get the ip of my modem without going to whatismyipaddress.com or some cheezy manual solution like that? is there any software/command line way to do this automatically?

thanks.

----------

## poncio

Thanks for the help.

- Regarding changing ssh to a "non standard" port, I will give it a try if I cannot find a solution to the problem.

- Regarding using hosts.allow/deny, these are part of tcp wrappers / xinetd which I'd rather not use, but I appreciate the pointer anyway.

res0nat0r:

I am not really sure if I understand your post completely, so I apologize beforehand for my assumptions. I think you might be confusing dhclient with ddclient. Setting up ddclient is really easy and there are some posts in these forums regarding this subject.

----------

## pharaoh

Ah sorry, my newbness strikes again!!  Maybe just use the dynamic IP service and add that domain name into iptables?

----------

## res0nat0r

this might clear it up:

previous working configuration:

```
home_pc ---->internet

home_pc ip: 1.2.3.4
```

upon bootup i would run a script in portage to go tell the dyndns servers to update my account with my new ip address. this worked fine. it would grab my ip address of eth0 which is directly connected to my modem and tell myhostname.dyndns.org to be associated with 1.2.3.4

my new configuration looks like:

```
home_pc---->router----internet

home_pc ip:192.168.1.100
```

so now when the script runs on bootup and grabs my eth0 address, it spits out my 192 address, instead of my external facing address. now i cannot ssh to myhostname.dyndns.org from work because myhostname.dyndns.org is pointing to: 192.168.1.100 which is a private address.

does anyone know a way to grab your modem's external facing ip address from the command line? or do you have to go to a website like whatismyipaddress.com or ssh to another location and see where you are connecting from. this seems very cheezy and there has to be an automated way to see what your wan connection ip address is w/o having to rely on a web interface to do it.

thanks!

----------

## poncio

Thanks for clarifying. (Although I still do not understand "run the script in portage")

I agree that there must be a more elegant way to update your IP address but I do not know it.  :Sad:  (ddclient and anything I can suggest works in what you might consider cheesy).

If I find a way, I will post back.

----------

## Casper Gasper

If you don't want to shift the service to a non-privileged port, why not use port knocking?  http://www.portknocking.org/

----------

