How probably not to secure SSH

A past me apparently thought this was a good idea.
I think it was a minor modification on an inherited shitshow.
This is only here for reference. Probably don’t try it at home.

It assumes you already have some kind of dynamic IP/DDNS thing set up.

Git history puts this around 8 years ago.


You should probably read this page instead.


Dynamic host SSH access

If your remote IP address changes between connections, the first attempt at reconnecting will fail and then spawn the script below to update the allowed addresses. Any subsequent connection should succeed, provided that the DNS entries have been updated and old records are not cached by the system you’re trying to access.

The script

I have this script saved as /root/util/update_ssh_hosts_list.sh. Ensure it is executable.

#!/bin/bash
HOSTS_LIST_FILE='/etc/hosts.allow.sshd'

# Truncate the current list of allowed IPs
> "$HOSTS_LIST_FILE"

# Resolve each hostname passed as an argument and append its address(es)
for i in "$@"; do
  dig +short "$i" >> "$HOSTS_LIST_FILE"
done

Add this to /etc/hosts.allow:

sshd: /etc/hosts.allow.sshd

And finally, to /etc/hosts.deny:

sshd: ALL : spawn (/root/util/update_ssh_hosts_list.sh hostname.example.com host2.example.org)

(Ensure that it is above any ALL: ALL or ALL: PARANOID lines, since tcp_wrappers acts on the first matching rule.)
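A safer rewrite of the refresh script, added here as an example and not part of the original post: it resolves the same fixed hostnames but keeps only address literals and replaces the allow file atomically instead of truncating it first. The resolve, filter_addresses and update_allow_list function names are my own; the destination path and hostnames are the ones used above.

```shell
#!/bin/bash
# Added example: a safer variant of update_ssh_hosts_list.sh. Same idea as the
# original (resolve a fixed set of names, write /etc/hosts.allow.sshd), but the
# list is validated and replaced atomically instead of truncated and appended.
set -u

# Resolve one name to its A and AAAA records. Kept as a separate function so
# the rest can be exercised without network access.
resolve() {
    dig +short "$1" A
    dig +short "$1" AAAA
}

# Keep only IPv4/IPv6 literals. `dig +short` on a CNAME prints the canonical
# name before the address, and tcp_wrappers would happily treat that name as a
# pattern; only address literals belong in the allow file.
filter_addresses() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){2,7}$'
}

# Build the new list in a temp file and rename it into place. libwrap reads the
# allow file on every connection, so the original's truncate-then-append leaves
# a window where the file is empty and every client is denied, including the
# one whose failed attempt triggered the refresh.
# $1 = destination file, remaining args = hostnames. Returns 2 (and leaves the
# old list untouched) if nothing resolved, rather than locking everyone out.
update_allow_list() {
    local dest=$1; shift
    local tmp h
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    for h in "$@"; do
        resolve "$h" 2>/dev/null
    done | filter_addresses | sort -u > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi
    chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
}

# The hosts.deny spawn line calls this with the hostnames as arguments, e.g.
#   update_ssh_hosts_list.sh hostname.example.com host2.example.org
if [ "$#" -gt 0 ]; then
    update_allow_list /etc/hosts.allow.sshd "$@"
fi
```

Upstream OpenSSH dropped tcp_wrappers (libwrap) support in 6.7, so check that your sshd is actually linked against libwrap before relying on hosts.allow at all.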


Ok, so


Tags: #linux
Categories: Tech
