
Re: /etc/hosts.allow ssh : all



> From: Jerry Winegarden <jbw duke edu>
> To: <redhat-list redhat com>
> Subject: Re: /etc/hosts.allow  ssh : all
> Reply-To: redhat-list redhat com
> 
> There is one possibility these days:  use a dynamic DNS registration
> service (e.g. dyndns.org) to register your own machine's DNS name
> (e.g. myownmachine.dyndns.org) with your new IP number each time you
> get a new one by redialing and connecting to the Internet.  Then, you
> could add  myownmachine.dns.org to hosts.allow.  To use such a service,
> you have to re-register your new IP with your dynamic DNS service
> provider.  This can be automated by using a client program available from
> the dynamic DNS service provider.  There are several out there.
> I personally have tried dyndns.org  (http://www.dyndns.org).
> 

Have you actually TRIED putting those dynamic DNS names in hosts.allow
and had it work?  It certainly did NOT work when I last tried it --
probably a couple years ago.  It appears that tcp-wrappers does a
reverse lookup on the IP address, finds your canonical address
qrzf23856392368XXZZQQ.yourconnectivityprovider.com, can't match that
against anything in hosts.allow and denies access.  It appears that it
DOES NOT do a forward lookup of everything mentioned in hosts.allow
and try to match against the connecting IP.

I get around this by having a web-accessible tool that requests a
name/password and temporarily adds the IP from which I'm connecting
to hosts.allow.  A cleanup routine expires these entries so they
don't accumulate.   By default, I don't allow anything but SMTP
and web access from other than trusted static IPs/domains.

      pete peterson
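
The expiring-entry workaround described above, sketched as an added example; it is not part of the original message and not the poster's own tool. The comment marker, the `sshd` daemon name, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Hypothetical comment marker written above each temporary rule; it is a
# convention of this example, not a tcp-wrappers keyword.
MARK = "# temp-allow expires="

# Constructed sample hosts.allow content (static rules only).
SAMPLE = "sendmail : ALL\nsshd : .example.edu\n"


def _drop_pairs(text, should_drop):
    """Rebuild text, skipping marker/rule pairs for which should_drop is true."""
    out, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        if (lines[i].startswith(MARK) and i + 1 < len(lines)
                and should_drop(lines[i][len(MARK):].strip(), lines[i + 1])):
            i += 2  # skip the marker and the rule line it labels
            continue
        out.append(lines[i])
        i += 1
    return "".join(line + "\n" for line in out)


def add_temp_entry(text, client_ip, now, ttl=3600, daemon="sshd"):
    """Return hosts.allow text with a temporary rule for client_ip appended."""
    # The address arrives from a web request: accept only a plain IPv4
    # literal so wildcards, newlines or extra fields never reach the file.
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError otherwise
    rule = f"{daemon} : {ip}"
    # Re-authenticating refreshes the expiry instead of stacking duplicates.
    text = _drop_pairs(text, lambda _exp, existing: existing == rule)
    return text + f"{MARK}{int(now) + ttl}\n{rule}\n"


def prune_expired(text, now):
    """Cleanup pass: remove temporary pairs whose expiry time has passed."""
    return _drop_pairs(
        text, lambda exp, _rule: exp.isdigit() and int(exp) <= now)


if __name__ == "__main__":
    updated = add_temp_entry(SAMPLE, "203.0.113.7", now=1000, ttl=600)
    print(updated)
    print(prune_expired(updated, now=1600))
```

Both functions work on the file's text only; a real deployment would write the result back atomically (temporary file plus rename) under a lock, and run the prune step from cron.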




