dyndns and the last hop - trying to set up ssh access to amachine on my LAN

jdow jdow at earthlink.net
Sat Nov 25 12:50:03 UTC 2006


From: "Gene Heskett" <gene.heskett at verizon.net>

> On Saturday 25 November 2006 02:38, Claude Jones wrote:
>>My scenario:
>>I'm on Verizon DSL using a Westell DSL modem which is configured in
>> 'bridge' mode
>>Behind that is a Linksys WRT54G which is getting a dynamically assigned
>> IP address from Verizon
>>Behind the Linksys is my home LAN
>>
>>I want to have ssh access to my Linux box from the outside
>>
>>I went to dyndns and set up an account, and that seems to be working
>>If I ping the address I gave myself, it resolves to the correct IP
>> address which is the dynamic IP assigned to my Linksys router. I
>> discovered the ddns feature in the Linksys configuration and set that
>> up - it successfully contacted dyndns and dynamically updated my
>> correct IP address.
>>
>>Now, I'm stuck. How to get that last hop from my Linksys to my machine
>> inside?
>>
>>Presumably, there's some setting in the Linksys to allow SSH, and then,
>> I have to somehow route requests for SSH to my local machine. Can
>> someone help me on this? I noticed when setting up my host in dyndns
>> that there was a wildcard setting, so I could set up a host, say
>> 'claudejones.dyndns.org' and then, if wildcards were allowed, then
>> 'computer1.claudejones.dns.org' could be resolved. Is this part of the
>> puzzle? Do I use my computer name in front of the host name I set up,
>> and allow wildcards in the dyndns configuration? Or is this all wrong?
> 
> See your linksys menu for port forwarding Claude, it s/b self explanatory 
> from there.  I'd also see how long it takes john the ripper to find your 
> passwords.  Make them difficult just for peace of mind.  However I have 
> no experience with dyndns so I won't advise on that.

Several thousand millennia good enough for you?

# $IPTABLES holds the path to the iptables binary, e.g. IPTABLES=/sbin/iptables
# Record a timestamp for every new SSH connection attempt (SYN), per source address
$IPTABLES -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# A second SYN from the same source within 180 seconds: log it ...
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: '
# ... and then reject it with a TCP reset
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset

Adapt it to your own firewall script for the machine receiving the
port 22 attacks. They get ONE chance every three minutes. A simple
eight character password is at least 64^8th possible passwords, if
you use eight characters. Figure it's a bit weak and only lower case
alphanumerics. That's still more than 10^12th possible passwords.
Suppose they get it in the first tenth of all tries. That's still
3 times 10^11th seconds, or over 9.5 millennia of guessing. They can
cut it down a little by using a large number of sites to attack
simultaneously. But that still leaves it at over a century to find
your password. Use that trick, relax, then go find your next
security hole.

{^_^}
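Added example, not part of jdow's post: a small Python simulation of what the three rules above do with the iptables 'recent' module (--set records every SYN, --rcheck with --seconds 180 --hitcount 2 matches the second one in the window), run over a constructed set of connection attempts. The source addresses and timings are made up; the per-address list size follows the module's default of 20 entries.

```python
"""Simulate the 'recent' module logic of the three SSH rules.

Rule 1 (--set): every inbound SYN to port 22 records a timestamp for its source.
Rules 2+3 (--rcheck --seconds 180 --hitcount 2): if the source has at least two
recorded SYNs in the last 180 s, the packet is logged and rejected.
"""
from collections import defaultdict

WINDOW_SECONDS = 180
HITCOUNT = 2
LIST_MAX = 20  # default ip_pkt_list_tot: timestamps kept per address

# Constructed sample: one source hammering port 22, one legitimate user.
SAMPLE_SYNS = [
    (0, "203.0.113.7"), (5, "203.0.113.7"), (10, "203.0.113.7"),
    (15, "203.0.113.7"), (200, "203.0.113.7"),
    (30, "198.51.100.4"), (400, "198.51.100.4"),
]


def filter_syns(syns, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """syns: iterable of (time_in_seconds, source_ip). Returns [(t, ip, verdict)]."""
    history = defaultdict(list)  # per-source timestamps, oldest first
    verdicts = []
    for t, src in sorted(syns):
        stamps = history[src]
        stamps.append(t)            # rule 1 fires first, so this packet counts too
        del stamps[:-LIST_MAX]      # the kernel keeps only the newest entries
        # the module counts entries no older than the window (now - stamp <= seconds)
        recent = sum(1 for s in stamps if t - s <= window)
        verdict = "REJECT" if recent >= hitcount else "PASS"
        verdicts.append((t, src, verdict))
    return verdicts


def max_guesses_per_day(window=WINDOW_SECONDS):
    """Upper bound on password guesses one source can make per day: one per window."""
    return 86400 // window


if __name__ == "__main__":
    for t, src, verdict in filter_syns(SAMPLE_SYNS):
        print(f"t={t:4d}s {src:15s} {verdict}")
    print("max guesses per source per day:", max_guesses_per_day())
```

Note that rejected SYNs are recorded as well, so a source that keeps retrying stays locked out until it is quiet for 180 s; this also applies to a legitimate user who mistypes a password and immediately reconnects.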
