How probably not to secure SSH
A past me apparently thought this was a good idea.
I think it was a minor modification of an inherited shitshow.
This is only here for reference. Probably don’t try it at home.
It assumes you already have some kind of dynamic IP/DDNS thing set up.
Git history puts this around 8 years ago.
You should probably read this page instead.
Dynamic host SSH access
If your remote IP address changes between connections, the first attempt at reconnecting will be refused; that refusal triggers the spawn rule in /etc/hosts.deny, which runs the script below to update the allowed addresses. Any subsequent connection should succeed, provided that the DNS entries have been updated and the old records are not cached by the system you’re trying to access.
I have this script saved as /root/util/update_ssh_hosts_list.sh. Ensure it is executable.
#!/bin/bash
HOSTS_LIST_FILE='/etc/hosts.allow.sshd'

# Truncate the current list of allowed IPs
> "$HOSTS_LIST_FILE"

# Resolve every hostname passed as an argument and append its addresses
for i in "$@"; do
    dig +short "$i" >> "$HOSTS_LIST_FILE"
done
Add this to /etc/hosts.allow
And finally, to /etc/hosts.deny
sshd: ALL : spawn (/root/util/update_ssh_hosts_list.sh hostname.example.com host2.example.org)
(Ensure that it is above any ALL: ALL or ALL: PARANOID lines.)
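The same idea with the two holes a practitioner would want closed, as an added example that is not the page’s script: dig +short can return a CNAME target (or nothing at all) rather than an address, and a file that is truncated before it is refilled is briefly empty while sshd may be consulting it. The list path and the example hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not the page's script: a stricter update_ssh_hosts_list.sh.
# Only dotted-quad IPv4 lines from the resolver are written (a CNAME target
# or an empty answer from `dig +short` never reaches the allow list), and the
# list is replaced atomically with mv(1) instead of being truncated first.
# HOSTS_LIST_FILE and the example hostnames are assumptions.
HOSTS_LIST_FILE="${HOSTS_LIST_FILE:-/etc/hosts.allow.sshd}"

# Resolver wrapper; IPv4 only, like the original. Override it in tests to
# avoid network access.
resolve() { dig +short "$1"; }

# Keep lines shaped like a.b.c.d with every octet in 0-255; drop the rest.
filter_ipv4() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    awk -F. '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256'
}

# Resolve every hostname given and print the de-duplicated address list.
resolve_all() {
  for h in "$@"; do resolve "$h"; done | filter_ipv4 | sort -u
}

# Write the address list for the given hostnames to a temp file beside the
# target and rename it into place, so sshd never sees a half-written list.
# An empty result still replaces the list (fail closed, as the original does).
write_allow_list() {
  target="$1"; shift
  tmp="$(mktemp "${target}.XXXXXX")" || return 1
  if resolve_all "$@" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$target"; then
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# Entry point mirroring the original: hostnames arrive as arguments from the
# spawn line in /etc/hosts.deny.
if [ "$#" -gt 0 ]; then
  write_allow_list "$HOSTS_LIST_FILE" "$@"
fi
```

A hostname whose lookup fails simply contributes no addresses, so a DNS outage locks you out rather than letting anything extra in.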
- This is basically a hack
- This doesn’t implement any mechanism to remove any stale lookups
- Could result in a fartload of DNS traffic if you have bots trying to h4cxx your ssh server (you probably do)
- There’s likely fifty’leven better ways to do this