From: "Gene Heskett" <gene.heskett@xxxxxxxxxxx>
On Saturday 25 November 2006 02:38, Claude Jones wrote:
My scenario:
I'm on Verizon DSL using a Westell DSL modem which is configured in
'bridge' mode
Behind that is a Linksys WRT54G which is getting a dynamically assigned
IP address from Verizon
Behind the Linksys is my home LAN
I want to have ssh access to my Linux box from the outside
I went to dyndns and set up an account, and that seems to be working
If I ping the address I gave myself, it resolves to the correct IP
address which is the dynamic IP assigned to my Linksys router. I
discovered the ddns feature in the Linksys configuration and set that
up - it successfully contacted dyndns and dynamically updated my
correct IP address.
Now, I'm stuck. How to get that last hop from my Linksys to my machine
inside?
Presumably, there's some setting in the Linksys to allow SSH, and then,
I have to somehow route requests for SSH to my local machine. Can
someone help me on this? I noticed when setting up my host in dyndns
that there was a wildcard setting, so I could set up a host, say
'claudejones.dyndns.org' and then, if wildcards were allowed, then
'computer1.claudejones.dns.org' could be resolved. Is this part of the
puzzle? Do I use my computer name in front of the host name I set up,
and allow wildcards in the dyndns configuration? Or is this all wrong?
See your linksys menu for port forwarding Claude, it s/b self explanatory
from there. I'd also see how long it takes john the ripper to find your
passwords. Make them difficult just for peace of mind. However I have
no experience with dyndns so I won't advise on that.
Several thousand millennia good enough for you?
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
Adapt it to your own firewall script for the machine receiving the
port 22 attacks. They get ONE chance every three minutes. A simple
eight character password is at least 64^8th possible passwords, if
you use eight characters. Figure it's a bit weak and only lower case
alphanumerics. That's still more than 10^12th possible passwords.
Suppose they get it in the first tenth of all tries. That's still
3 times 10^11th seconds, or over 9.5 millennia of guessing. They can
cut it down a little by using a large number of sites to attack
simultaneously. But that still leaves it at over a century to find
your password. Use that trick, relax, then go find your next
security hole.
{^_^}
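For anyone who wants to see what those three rules actually do before pasting them into a firewall script, here is a small Python model I put together of the recent match's behaviour. It is an added example, not the poster's code and not anything from netfilter itself; it assumes the recent module keeps a per-source list of packet timestamps capped at the default ip_pkt_list_tot of 20 (an assumption about module defaults), and it walks a constructed sequence of SYNs through --set, then --rcheck --seconds 180 --hitcount 2, in the same order as the rules above. The keyspace helper at the bottom just lets you plug in your own alphabet size, password length and attempt interval.

```python
"""Model of the 'recent'-based SSH rate limit from the thread (added example,
not the poster's code; approximates xt_recent semantics, see assumptions)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 180   # --seconds 180
HITCOUNT = 2           # --hitcount 2
PKT_LIST_TOT = 20      # assumption: xt_recent default ip_pkt_list_tot (timestamps kept per source)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


class RecentTable:
    """Per-source list of packet timestamps, like the 'sshattack' table."""

    def __init__(self, pkt_list_tot=PKT_LIST_TOT):
        self.pkt_list_tot = pkt_list_tot
        self.entries = defaultdict(deque)

    def set(self, src, now):
        """--set: record this packet's timestamp for src, keeping the newest N."""
        q = self.entries[src]
        q.append(now)
        while len(q) > self.pkt_list_tot:
            q.popleft()

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: true if src has at least N
        recorded packets in the last S seconds; the entry is not modified."""
        q = self.entries.get(src)
        if not q:
            return False
        hits = sum(1 for t in q if now - t <= seconds)
        return hits >= hitcount


def filter_syns(events, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Run (time, src) SYN events through the three rules in order.
    Returns one verdict per event: 'pass' (falls through to the rest of the
    INPUT chain) or 'reject' (rule 2 would LOG, rule 3 would REJECT)."""
    table = RecentTable()
    verdicts = []
    for now, src in events:
        table.set(src, now)                              # rule 1: --set
        if table.rcheck(src, now, window, hitcount):      # rules 2 and 3: --rcheck
            verdicts.append("reject")
        else:
            verdicts.append("pass")
    return verdicts


def keyspace(alphabet_size, length):
    """Number of possible passwords, e.g. keyspace(36, 8) for lower-case alphanumerics."""
    return alphabet_size ** length


def guess_seconds(tries, seconds_per_try):
    """Wall-clock seconds to make `tries` attempts at one attempt per `seconds_per_try`."""
    return tries * seconds_per_try


def to_years(seconds):
    return seconds / SECONDS_PER_YEAR


# Constructed sample: host A hammers port 22, host B connects once.
SAMPLE_EVENTS = [(0, "A"), (0, "B"), (10, "A"), (100, "A"), (200, "A"), (400, "A")]

if __name__ == "__main__":
    for (t, src), v in zip(SAMPLE_EVENTS, filter_syns(SAMPLE_EVENTS)):
        print(f"t={t:4d} src={src} -> {v}")
    # The thread's weak case: lower-case alphanumerics, 8 chars, one try per 180 s,
    # password found after the first tenth of the space.
    space = keyspace(36, 8)
    print(f"{space} candidates; first tenth at one try per 180 s = "
          f"{to_years(guess_seconds(space // 10, 180)):.0f} years")
```

Two things the run makes obvious: every rejected SYN still hits --set, so a source that keeps hammering stays rejected until it goes quiet for a full window (host A at t=200 is still rejected because of the t=100 hit, and only gets through again at t=400), and a second, unrelated source is not affected by the first one's count. The same "one slot per window" also applies to your own legitimate retries, so a typo'd password followed by a fast reconnect will get you reset once; that is the price of the rule as written.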