Nov 06, '03 10:37:00AM • Contributed by: tinker
"Your only option will be to allow access from all IP addresses, and use username/password authentication to allow access to the system. You will be unable to do what you are trying to do without a real static IP address from your ISP."

I couldn't imagine that this was really my only option, so I did a bit of fiddling around, and I came up with a solution that seems to work.
First, create a file called /etc/hostupdate that contains the following code:
#!/bin/sh
# Resolve the two dynamic-DNS names and rebuild /etc/hosts.allow from the answers.
HOSTNAMEA="yourfirsthost"
HOSTNAMEB="yoursecondhost"
DOMAIN="noip.net"
# nslookup prints "Name: host" followed by "Address: a.b.c.d"; grep -A 1 keeps that
# pair (and skips the earlier "Address:" line that describes the DNS server itself).
NSIPA=`nslookup $HOSTNAMEA.$DOMAIN | grep -A 1 $HOSTNAMEA.$DOMAIN | awk '/Address:/ { print $2 }'`
NSIPB=`nslookup $HOSTNAMEB.$DOMAIN | grep -A 1 $HOSTNAMEB.$DOMAIN | awk '/Address:/ { print $2 }'`
# Rewrite hosts.allow: a dated comment, localhost, then the two resolved addresses.
echo -n "# hosts.allow file, updated " > /etc/hosts.allow
date >> /etc/hosts.allow
echo "ALL: 127.0.0.1" >> /etc/hosts.allow
echo "ALL: localhost" >> /etc/hosts.allow
echo "ALL: "$NSIPA >> /etc/hosts.allow
echo "ALL: "$NSIPB >> /etc/hosts.allow
Replace yourfirsthost, yoursecondhost, and noip.net with whatever's appropriate for your setup, and add any other hosts that you keep in hosts.allow, using the same syntax as the last four lines. Note that this will NOT retain hosts added by other programs. Once you've saved the file, source it to create your hosts.allow file. Then just create a hosts.deny file that looks like this:
ALL:ALL: spawn (/bin/sh < /etc/hostupdate) &
You can jazz this up with other commands as well; for example, if you've set up njnystrom's Perl script that lets you use Mail.app as if it were mail, you could do:
ALL:ALL: spawn (echo Attempt from %h %a to %d at `date`|tee -a /var/log/tcp.deny.log|/bin/mail -F root@yourhost.noip.net -s "Security Alert!" you@your.email.com; /bin/sh < /etc/hostupdate) &
Note that this must all be on one line, and there must be a carriage return at the end.
Once this is set up, you can access your machine quite easily. Try ssh'ing (or ftp'ing or whatever) to the machine. If your IP hasn't changed, you're in. If your IP has changed, though, your first attempt will trigger the hostupdate script, which will put your new IP into hosts.allow -- so you can access it on the second try.
This being a good idea, of course, depends on nslookup being impossible to fool. If someone knows your noip domain and knows that you're using this setup and knows some way to trick nslookup into returning his IP rather than yours, this would let him put himself into hosts.allow. That said, if such a person exists and knows all of these things and has it in for you, I suspect you've got bigger problems!
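The script above writes whatever the lookup returned straight into hosts.allow, so a failed lookup leaves a bare "ALL: " line, and because the spawn runs in the background, a connection arriving mid-rewrite can see a half-written file. The following is an added example (not the hint's own script, and not from noip.net or tcp_wrappers) of a hardened hostupdate: it checks that each answer is a well-formed IPv4 address, skips names that did not resolve, refuses to touch the file if nothing resolved, and replaces the file atomically via a temporary file and rename. The names HOSTUPDATE_NAMES, HOSTUPDATE_ALLOW and the function names are my own placeholders, and the nslookup output layout it parses ("Name:" then "Address:") is an assumption about that tool.

```shell
#!/bin/sh
# Added example, not the hint's own script: a hardened variant of /etc/hostupdate.
# Resolve dynamic-DNS names, keep only answers that look like IPv4 addresses, and
# replace hosts.allow atomically. HOSTUPDATE_NAMES / HOSTUPDATE_ALLOW are placeholders.
HOSTUPDATE_NAMES="${HOSTUPDATE_NAMES:-yourfirsthost.noip.net yoursecondhost.noip.net}"
HOSTUPDATE_ALLOW="${HOSTUPDATE_ALLOW:-/etc/hosts.allow}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are each 0-255.
# The empty string is rejected, so a failed lookup can never yield a bare "ALL: " line.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# resolve_a NAME: print the first address nslookup reports for NAME, or nothing.
# Waits for the "Name:" line so the "Address:" line describing the DNS server
# itself is skipped (assumption about nslookup's output format).
resolve_a() {
    nslookup "$1" 2>/dev/null |
        awk '/^Name:/ { seen = 1; next }
             seen && /^Address/ { sub(/#.*/, "", $2); print $2; exit }'
}

# render_hosts_allow IP...: print the hosts.allow content for the given addresses.
render_hosts_allow() {
    printf '# hosts.allow file, updated %s\n' "$(date)"
    printf 'ALL: 127.0.0.1\n'
    printf 'ALL: localhost\n'
    for ip in "$@"; do
        printf 'ALL: %s\n' "$ip"
    done
}

# write_hosts_allow FILE IP...: render into a temp file beside FILE, then rename it
# into place, so a connection checked during the update never sees a partial file.
write_hosts_allow() {
    target=$1; shift
    tmp=$(mktemp "$target.XXXXXX") || return 1
    render_hosts_allow "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv -f "$tmp" "$target"
}

# update_hosts_allow NAME...: resolve each name, keep the valid answers, and rewrite
# the file only if at least one address was obtained; otherwise leave the old file
# alone rather than locking every remote host out.
update_hosts_allow() {
    good=""
    for name in "$@"; do
        ip=$(resolve_a "$name")
        if is_ipv4 "$ip"; then
            good="$good $ip"
        else
            echo "hostupdate: no usable address for $name (got '$ip')" >&2
        fi
    done
    if [ -z "$good" ]; then
        echo "hostupdate: nothing resolved, leaving $HOSTUPDATE_ALLOW untouched" >&2
        return 1
    fi
    write_hosts_allow "$HOSTUPDATE_ALLOW" $good
}

# Only act when invoked with "run", so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    update_hosts_allow $HOSTUPDATE_NAMES
fi
```

With this variant the hosts.deny line becomes `ALL:ALL: spawn (/bin/sh /etc/hostupdate run) &`. The format check only guards against garbage from a failed or oddly formatted lookup; it does nothing about the spoofing caveat above, since a well-formed but wrong address still passes. Keep in mind as well that every refused connection now costs you a DNS query, so a busy or noisy network interface will make the script run often.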
