Michael Klinosky wrote:
I use ssh (on my own machines, personal use). My primary box (for ssh,
it's my daemon) is on dsl. The only machine that I log in from
(client?) is on the same ISP, and is on a dial-up line.
I'd like to allow only those IPs that I might dynamically get. How would
this be accomplished? I checked my secure log file (on the daemon
box), and have examples of IPs that I was assigned. Nota bene: It
seems like only the first and second parts are consistent. So, how can
I specify a range thus: 200.100.x.x ? Would I use a zero, or 'x', or ...?
I know this isn't the most efficient method (using non-standard port
numbers and public/private key authentication can do more), but it is an
interesting exercise in networking:
If you would be able to tell us which ISP you have, you may be able to
narrow down the address range even more. ISPs are given blocks of IP
addresses to give out, and depending on your ISP, we may be able to
calculate a subnet mask which will give you a smaller range of addresses
to allow than the current 200.100.0.0/16 (which allows 65536 possible
addresses). For example, I can narrow down my ISP's address block to a
19 bit mask (255.255.224.0 in network mask notation). That leaves only
8192 possible addresses (an 87.5% reduction), and that's using only the
information available from arin.net. If you could figure out the range
of their dynamic IPs, you could reduce the possible range even more
(because there's going to be a block reserved for static IP clients).
You can then restrict the incoming ssh attempts using a simple line in
iptables. It may look something like this (assuming you drop packets
which haven't been specifically allowed):
iptables -A INPUT -p tcp --dport 22 -s 200.100.64.0/19 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Justin W
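The narrowing-down step Justin describes (take the addresses you were actually assigned, find the smallest CIDR block that covers all of them, and turn that into the iptables source filter) can be done mechanically. The following is an added example written for this thread, not code from either poster; the observed addresses are constructed sample values of the kind you would copy out of the secure log, and the result just happens to land on the same 200.100.64.0/19 block Justin uses. It also computes the reduction against the original /16 and checks whether a given address would be accepted by the resulting rule.

```python
import ipaddress
from typing import Iterable

# Constructed sample: source addresses of the kind one would copy out of the
# sshd secure log ("Accepted ... from 200.100.x.x"). Not taken from the thread.
OBSERVED = ["200.100.70.12", "200.100.66.201", "200.100.91.3", "200.100.73.150"]


def smallest_covering_network(addrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the smallest CIDR block containing every observed address.

    Start at the most specific prefix (/32) around the first address and widen
    it one bit at a time until the block also contains all the other addresses.
    """
    ips = [ipaddress.IPv4Address(a) for a in addrs]
    if not ips:
        raise ValueError("need at least one observed address")
    first = ips[0]
    for prefix in range(32, -1, -1):
        net = ipaddress.IPv4Network((str(first), prefix), strict=False)
        if all(ip in net for ip in ips):
            return net
    raise AssertionError("unreachable: /0 contains every address")


def reduction_vs(net: ipaddress.IPv4Network, wider: str) -> float:
    """Fraction of the wider block (e.g. the ISP's /16) that the narrowed block excludes."""
    wider_net = ipaddress.IPv4Network(wider)
    if not wider_net.supernet_of(net):
        raise ValueError(f"{net} is not inside {wider}")
    return 1 - net.num_addresses / wider_net.num_addresses


def is_allowed(src: str, net: ipaddress.IPv4Network) -> bool:
    """Would a connection from src match the -s filter of the iptables rule?"""
    return ipaddress.IPv4Address(src) in net


def iptables_rule(net: ipaddress.IPv4Network, port: int = 22) -> str:
    """Render the ACCEPT rule from the thread for the narrowed source block.

    The --state list must contain no spaces; a space would split it into two
    arguments and iptables would reject the command.
    """
    return (f"iptables -A INPUT -p tcp --dport {port} -s {net.with_prefixlen} "
            "-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT")


if __name__ == "__main__":
    net = smallest_covering_network(OBSERVED)
    print(f"covering block: {net}  (netmask {net.netmask}, {net.num_addresses} addresses)")
    print(f"reduction vs 200.100.0.0/16: {reduction_vs(net, '200.100.0.0/16'):.1%}")
    print(iptables_rule(net))
```

The covering-block search is deliberately the simple one (widen until everything fits), which is enough for a handful of log entries; the point to keep in mind is that a block computed from your own observed addresses can only be as tight as your sample, so new dial-up addresses outside it will be dropped until you widen the rule again.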