
Enable remote access with TCP wrappers from dynamic IPs UNIX
I have three computers with dynamic IP addresses, and I use no-ip.com (highly recommended!) to give them pseudo-static addresses. The problem is, TCP wrappers won't recognize no-ip addresses, so I can't just stick myhost.noip.net into hosts.allow to give myself remote access to my other machines. No-ip's tech support confirmed that this can't be done:
Your only option will be to allow access from all IP addresses, and use username/password authentication to allow access to the system. You will be unable to do what you are trying to do without a real static IP address from your ISP.
I couldn't imagine that this was really my only option, so I did a bit of fiddling around, and I came up with a solution that seems to work.

First, create a file called /etc/hostupdate that contains the following code:

# /etc/hostupdate: resolve the dynamic-DNS names and rewrite hosts.allow from scratch
HOSTNAMEA="yourfirsthost"
HOSTNAMEB="yoursecondhost"
DOMAIN="noip.net"
# Pull the resolved address out of the answer section of nslookup's output
NSIPA=`nslookup $HOSTNAMEA.$DOMAIN | grep -A 1 $HOSTNAMEA.$DOMAIN | awk '/Address:/ { print $2 }'`
NSIPB=`nslookup $HOSTNAMEB.$DOMAIN | grep -A 1 $HOSTNAMEB.$DOMAIN | awk '/Address:/ { print $2 }'`
# Header with a timestamp, then localhost, then one ALL: line per resolved address
echo -n "# hosts.allow file, updated " > /etc/hosts.allow
date >> /etc/hosts.allow
echo "ALL: 127.0.0.1" >> /etc/hosts.allow
echo "ALL: localhost" >> /etc/hosts.allow
echo "ALL: "$NSIPA >> /etc/hosts.allow
echo "ALL: "$NSIPB >> /etc/hosts.allow
Replace yourfirsthost, yoursecondhost, and noip.net with whatever's appropriate for your setup, and add any other hosts that you keep in hosts.allow, using the same syntax as the last four lines. Note that this will NOT retain hosts added by other programs. Once you've saved the file, source it to create your hosts.allow file. Then just create a hosts.deny file that looks like this:

ALL:ALL: spawn (/bin/sh < /etc/hostupdate) &
You can jazz this up with other commands as well; for example, if you've set up njnystrom's Perl script that lets you use Mail.app as if it were mail, you could do:

ALL:ALL: spawn (echo Attempt from %h %a to %d at `date`|tee -a /var/log/tcp.deny.log|/bin/mail -F root@yourhost.noip.net -s "Security Alert!" you@your.email.com; /bin/sh < /etc/hostupdate) &
Note that this must all be on one line, and there must be a carriage return at the end.

Once this is set up, you can access your machine quite easily. Try ssh'ing (or ftp'ing or whatever) to the machine. If your IP hasn't changed, you're in. If your IP has changed, though, your first attempt will trigger the hostupdate script, which will put your new IP into hosts.allow -- so you can access it on the second try.

This being a good idea, of course, depends on nslookup being impossible to fool. If someone knows your noip domain and knows that you're using this setup and knows some way to trick nslookup into returning his IP rather than yours, this would let him put himself into hosts.allow. That said, if such a person exists and knows all of these things and has it in for you, I suspect you've got bigger problems!
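The following is an added example, not part of tinker's hint, showing a hardened version of the /etc/hostupdate script. It keeps the same idea (resolve the no-ip names, rewrite hosts.allow) but only accepts the address from nslookup's answer section, refuses anything that is not a dotted-quad IPv4 address (so an error message or an empty lookup can never become a token in hosts.allow, and an unresolved name is skipped instead of being written as an empty "ALL: " rule), and replaces the file with a rename so tcpd never reads a half-written hosts.allow while a connection is being checked. The hostnames are placeholders, the nslookup output format assumed is the usual "Name:" line followed by an "Address:" line, and the HOSTS_ALLOW override plus the HOSTUPDATE_RUN guard are additions of this example so it can be exercised against a scratch file. It does not change the caveat above: whatever the resolver answers with is still trusted, only the shape of the answer is checked.

```shell
#!/bin/sh
# Added example, not part of the original hint: a hardened /etc/hostupdate.
# Placeholders/assumptions: the names in HOSTS; nslookup printing a "Name:" line
# followed by an "Address:" line; HOSTS_ALLOW overridable for testing.

HOSTS="yourfirsthost.noip.net yoursecondhost.noip.net"   # placeholder names
HOSTS_ALLOW="${HOSTS_ALLOW:-/etc/hosts.allow}"

# parse_answer NAME: read nslookup output on stdin and print the address from
# the answer section only, i.e. the "Address:" line directly after "Name: NAME".
# The resolver's own "Address:" line near the top of the output is ignored.
parse_answer() {
    awk -v n="$1" '
        $1 == "Name:" && $2 == n { want = 1; next }
        want && $1 == "Address:"  { print $2; exit }
        { want = 0 }
    '
}

# is_ipv4 STRING: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }
    '
}

# build_hosts_allow IP...: print complete hosts.allow content for the given
# addresses, in the same layout as the hint (header, localhost, one line each).
build_hosts_allow() {
    echo "# hosts.allow file, updated $(date)"
    echo "ALL: 127.0.0.1"
    echo "ALL: localhost"
    for ip in "$@"; do
        echo "ALL: $ip"
    done
}

# update_hosts_allow: resolve every name in HOSTS, keep only clean IPv4
# answers, and replace HOSTS_ALLOW atomically. A name that does not resolve
# is skipped (and logged if logger exists) rather than written as "ALL: ".
update_hosts_allow() {
    ips=""
    for h in $HOSTS; do
        ip=$(nslookup "$h" 2>/dev/null | parse_answer "$h")
        if is_ipv4 "$ip"; then
            ips="$ips $ip"
        else
            logger -t hostupdate "skipping $h: no usable IPv4 answer" 2>/dev/null || true
        fi
    done
    # Write a sibling temp file and rename it into place (word splitting of
    # $ips is intended: one argument per address).
    tmp="$HOSTS_ALLOW.tmp.$$"
    build_hosts_allow $ips > "$tmp" && mv "$tmp" "$HOSTS_ALLOW"
}

# Only rewrite the file when explicitly asked, e.g. from hosts.deny:
#   ALL:ALL: spawn (HOSTUPDATE_RUN=1 /bin/sh /etc/hostupdate) &
if [ "${HOSTUPDATE_RUN:-0}" = "1" ]; then
    update_hosts_allow
fi
```

Because the original script is sourced and this one is a file with its own shebang, the hosts.deny spawn line changes from `/bin/sh < /etc/hostupdate` to the form in the last comment; everything else in the hint stays the same.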

Aack!! -- Enable remote access with TCP wrappers from dynamic IPs
Authored by: tinker on Nov 06, '03 05:11:03PM

How did those <br>s get in there? They didn't show up in the preview.... Anyway, if copying and pasting, please remove <br>s... sorry about that....



Enable remote access with TCP wrappers from dynamic IPs
Authored by: uochris on Nov 07, '03 11:57:07PM

Could you use xinetd to allow/deny based on domain names instead of using this code? Would doing this with xinetd be easier?



Enable remote access with TCP wrappers from dynamic IPs
Authored by: tinker on Nov 09, '03 02:52:54AM

I wondered that too. I suspect the issue would be similar, though, because hosts.allow and hosts.deny are accessed by inetd, and inetd does three things: it gets the IP of the incoming host (say, 123.456.78.90), resolves it (say, 78-90.yourISP.com), and then checks to see whether either 123.456.78.90 or 78-90.yourISP.com is in hosts.allow. If you use no-IP, you're given a "fake" domain (say, foo.noip.net) which always resolves to your current IP, which is great, but when inetd checks hosts.allow, it doesn't translate foo.noip.net into 123.456.78.90 before comparing it to the incoming host. So, it compares the first two addresses to the third, finds no match, and rejects. That's why putting foo.noip.net into hosts.allow won't work but looking it up with nslookup and *then* putting it in hosts.allow will.

All of which is a long-winded way of saying, if xinetd always resolves the domains in its no_access rules before comparing to incoming IPs, it would work -- but I don't know whether it does.


