
I wish to BLOCK all sshd connections BUT one dynamic IP assigned to <subdomain>.ddns.net, so I've put this in /etc/hosts.deny:

sshd: ALL EXCEPT <subdomain>.ddns.net

This does not allow me to connect to SSH.
Instead, if I put the IP that the hostname resolves to (a dig <subdomain>.ddns.net confirms it), it works:

sshd: ALL EXCEPT <ipv4.resolved.by.hostname>

I've also tried with UseDNS yes or no in sshd_config, but it changes nothing.

The firewall (UFW) is opened by the rule ufw limit ssh.

My current /etc/ssh/sshd_config is below:

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
PermitRootLogin no
AllowUsers remotessh
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
PrintMotd no
PubkeyAuthentication yes
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
UseDNS no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server
CrazyRabbit

3 Answers


The problem is most likely due to the fact that the IP address that you are connecting from reverses to xxx.yourisp.com, not subdomain.ddns.net.

When you attempt to connect to sshd from your (dynamic) IP address, tcpwrappers does a reverse DNS lookup on your IP address. If this resolves to xxx.yourisp.com, then it won't find the match in hosts.allow (or hosts.deny, as the case may be), and therefore it won't allow the connection to sshd from your IP.

As a workaround, you might want to consider adding subdomain.ddns.net to your /etc/hosts file, and creating a cron job that runs every few minutes and updates this entry with your dynamic IP address whenever it changes. It's not a very elegant solution, but it's the best I could come up with when I recently faced this problem myself. If anyone knows of a cleaner solution, please comment.

mti2935

You'll use both /etc/hosts.allow and /etc/hosts.deny to accomplish that. At /etc/hosts.allow, put the following:

sshd: blablabla.ddns.net

At /etc/hosts.deny, insert the following content:

sshd: ALL

It will work because /etc/hosts.allow overlaps /etc/hosts.deny. But there's a catch: if your server is behind a hairpin NAT (some also call it a NAT reflection), some connections will appear with your gateway's internal IP address to your server, so it might be hard to block.

Another option is to use iptables, like that:

# accept SSH from the DDNS hostname (resolved once, when the rule is added), then drop the rest
iptables -t filter -A INPUT -s blablabla.ddns.net -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

Just be aware that iptables takes into account the order of its rules.

Good luck.

Stefano Martins
  • As far as I can understand, there is no difference between your method (using both hosts.allow and hosts.deny) and mine (using only hosts.deny with ALL EXCEPT). I've tried it and I got the same behavior I've described (IP is OK, HOSTNAME is not), so this is not working either. – CrazyRabbit Jan 31 '20 at 17:41

I am using a script that turns a domain list into an IP list and includes it in hosts.allow.

The description is here:

https://serverfault.com/a/1105670/974219
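One way to automate the workaround that the first answer (cron job refreshing the address) and this answer (IP list included from hosts.allow) describe, as an added example that is not code from either answer: a cron job resolves the DDNS hostname and writes the address into a file that hosts.allow includes, so tcp_wrappers matches the client IP directly and never depends on the reverse lookup. It assumes /etc/hosts.allow contains `sshd: /etc/hosts.allow.ddns` and /etc/hosts.deny contains `sshd: ALL`; the include path, the script name and the dig-based resolver are placeholders you can change.

```shell
#!/bin/sh
# Added example: refresh an include file with the current address of a DDNS
# hostname. tcp_wrappers matches a client's IP directly, so listing the IP
# works where the hostname (only seen through a reverse lookup) does not.
#
# Assumed setup (placeholders, adapt to your host):
#   /etc/hosts.allow : sshd: /etc/hosts.allow.ddns
#   /etc/hosts.deny  : sshd: ALL
#   crontab          : */5 * * * * /usr/local/sbin/ddns-allow.sh <subdomain>.ddns.net /etc/hosts.allow.ddns

# resolve_ipv4 HOST: print HOST's first A record, or nothing if the lookup fails.
# RESOLVER defaults to "dig +short" (as used in the question); override it for
# offline testing.
resolve_ipv4() {
    ${RESOLVER:-dig +short -t A} "$1" 2>/dev/null \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -n 1
}

# current_allowed FILE: print the address the include file permits right now.
current_allowed() {
    [ -f "$1" ] && cat "$1"
}

# write_allow_file IP FILE: atomically replace FILE with a single address line.
# Returns 0 if FILE changed, 1 if it already held IP, 2 if IP is empty: a
# failed lookup must never wipe the last known-good address (self lock-out).
write_allow_file() {
    ip=$1; file=$2
    [ -n "$ip" ] || return 2
    [ "$(current_allowed "$file")" = "$ip" ] && return 1
    tmp=$(mktemp "$file.XXXXXX") || return 3
    printf '%s\n' "$ip" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$file"
}

log_msg() { logger -t ddns-allow "$*" 2>/dev/null || :; }

# sync_ddns_allow HOST FILE: cron entry point; always returns 0 so cron stays quiet.
sync_ddns_allow() {
    ip=$(resolve_ipv4 "$1")
    rc=0; write_allow_file "$ip" "$2" || rc=$?
    case $rc in
        0) log_msg "sshd now allowed from $ip ($1)" ;;
        2) log_msg "lookup of $1 failed, keeping $(current_allowed "$2")" ;;
    esac
    return 0
}

if [ "$#" -eq 2 ]; then
    sync_ddns_allow "$1" "$2"
fi
```

Changes and failed lookups are reported through logger, so a grep for ddns-allow in syslog shows when the allowed address moved and when the last known address was kept.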