Provide SSH to someone w/ dynamic IP address {Scanned}

Mike Burger mburger at bubbanfriends.org
Sat Sep 4 11:45:35 UTC 2004


On Sat, 4 Sep 2004, SW wrote:

> Hi Mike,
> 
> > Comcast does, indeed, have a rather wide IP addresses, true, but your
> > friend is only going to get an address in a small subnet
> 
> I wish that was the case...I've been manually updating my firewall whenever
> his ip address changes and they are not even close let alone in the same ip
> subnet:
> 
> 64.12.116.x
> 68.49.152.x
> 68.49.155.x
> 68.49.156.x
> 68.49.157.x
> 152.163.252.x
> 
> I'm willing to open up my box to a subnet xxx.xxx.xxx.0 but so far the range
> of ip addresses he is getting is so large, it will defeat the purpose of
> blocking ssh because I would have to open up to so many ranges. Is there any
> solution?

Well, for now, you might be able to get away with a /24 (255.255.255.0) 
for the 64.12 IP and the 152.163 IP.

For the other range, you could specify:

68.49.152.0/21 (or 68.49.152.0/255.255.248.0, if your router can't handle 
CIDR notations).

As to other options, I saw someone mention opening up an alternate port, 
and having them SSH to that.

Another possibility is to restrict the authentication methods...preferably 
to key based authentication.  That way, you turn off keymode/password 
authentication, and the only way to authenticate is to have a valid key.  The 
key isn't based on IP address, and anyone without a valid user account and 
key won't get in.

-- 
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit 
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a 
message to:

site-update-request at bubbanfriends.org

with a message of: 

subscribe
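
The subnet arithmetic in the reply above can be checked mechanically. This is an added example, not part of the original post: it collapses the /24s listed in the thread into the fewest covering blocks and reports how many addresses each allowlist entry exposes to SSH. The function names and the `widest_prefix` limit are assumptions made for the illustration, and the observed networks are constructed from the prefixes in the thread with the last octet zeroed.

```python
import ipaddress

# Constructed from the prefixes quoted in the thread (last octet zeroed).
OBSERVED = ["64.12.116.0/24", "68.49.152.0/24", "68.49.155.0/24",
            "68.49.156.0/24", "68.49.157.0/24", "152.163.252.0/24"]

def covering_supernet(nets):
    """Return the smallest single CIDR block containing every network."""
    nets = sorted(nets)
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()          # widen by one bit and retry
    return block

def build_allowlist(observed, widest_prefix=20):
    """Merge neighbouring networks, but never into a block wider
    than /widest_prefix (hypothetical limit on acceptable exposure)."""
    groups = []
    for net in sorted(ipaddress.ip_network(o) for o in observed):
        if groups:
            merged = covering_supernet(groups[-1] + [net])
            if merged.prefixlen >= widest_prefix:
                groups[-1].append(net)
                continue
        groups.append([net])              # too far away: start a new entry
    return [covering_supernet(g) for g in groups]

def describe(block):
    """CIDR form, dotted-netmask form for older routers, and exposure."""
    return (f"{block.with_prefixlen} = {block.with_netmask} "
            f"({block.num_addresses} addresses)")

if __name__ == "__main__":
    for entry in build_allowlist(OBSERVED):
        print(describe(entry))
```

The 68.49.x entries merge into one /21, which admits 2048 source addresses rather than the four /24s actually seen, so the address filter narrows who can reach the port but does not replace key-only authentication.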





More information about the redhat-list mailing list