Provide SSH to someone w/ dynamic IP address {Scanned}
Mike Burger
mburger at bubbanfriends.org
Sat Sep 4 11:45:35 UTC 2004
On Sat, 4 Sep 2004, SW wrote:
> Hi Mike,
>
> > Comcast does, indeed, have a rather wide IP addresses, true, but your
> > friend is only going to get an address in a small subnet
>
> I wish that was the case...I've been manually updating my firewall whenever
> his ip address changes and they are not even close let alone in the same ip
> subnet:
>
> 64.12.116.x
> 68.49.152.x
> 68.49.155.x
> 68.49.156.x
> 68.49.157.x
> 152.163.252.x
>
> I'm willing to open up my box to a subnet xxx.xxx.xxx.0 but so far the range
> of ip addresses he is getting is so large, it will defeat the purpose of
> blocking ssh because I would have to open up to so many ranges. Is there any
> solution?

Well, for now, you might be able to get away with a /24 (255.255.255.0)
for the 64.12 IP and the 152.163 IP.

For the other range, you could specify:

68.49.152.0/21 (or 68.49.152.0/255.255.248.0, if your router can't handle
CIDR notations).

As to other options, I saw someone mention opening up an alternate port,
and having them SSH to that.

Another possibility is to restrict the authentication methods...preferably
to key based authentication. That way, you turn off keymode/password
authentication, the only way to authenticate is to have a valid key. The
key isn't based on IP address, and anyone without a valid user account and
key won't get in.

--
Mike Burger
http://www.bubbanfriends.org
Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org
To be notified of updates to the web site, visit
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a
message to:
site-update-request at bubbanfriends.org
with a message of:
subscribe
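
Added example, not part of the original post: a Python sketch that derives the allow rules suggested in the reply from the /24 ranges quoted in the thread, and reports how many addresses each rule admits. The function names and the `widest_prefix` cut-off are assumptions made for this illustration.

```python
import ipaddress

# Constructed input: the /24s quoted in the thread (the last octet was given as "x").
OBSERVED = [
    "64.12.116.0/24", "68.49.152.0/24", "68.49.155.0/24",
    "68.49.156.0/24", "68.49.157.0/24", "152.163.252.0/24",
]

def covering_block(nets):
    """Return the smallest single CIDR block that contains every network in nets."""
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    block = ipaddress.ip_network(f"{first}/32")
    while last not in block:
        block = block.supernet()  # widen by one bit until the whole span fits
    return block

def allow_rules(observed, widest_prefix=20):
    """Merge neighbouring ranges, but never into a block wider than /widest_prefix.

    widest_prefix is an assumed policy limit: it stops unrelated ranges
    (64.12.x.x and 68.49.x.x, say) from collapsing into one huge rule.
    """
    groups = []
    for net in sorted(ipaddress.ip_network(n) for n in observed):
        if groups:
            merged = covering_block(groups[-1] + [net])
            if merged.prefixlen >= widest_prefix:
                groups[-1].append(net)
                continue
        groups.append([net])
    return [covering_block(g) for g in groups]

def report(observed):
    """(CIDR, dotted netmask, address count) for each firewall allow rule."""
    return [(str(b), str(b.netmask), b.num_addresses) for b in allow_rules(observed)]

if __name__ == "__main__":
    for cidr, mask, size in report(OBSERVED):
        print(f"{cidr:<18} mask {mask:<15} admits {size} addresses")
```

The /21 rule also admits 68.49.153.x, 154.x, 158.x and 159.x, which never appeared in the observed list, so the three rules together expose port 22 to 2560 source addresses.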