Linux Hosts.allow only allow ADSL dynamic IP login

"Scene" Companies using ADSL dial-up internet access, that is, the Internet access is dynamic IP.

Server security Policy upgrade, only allow access to servers within the company.

Implementation process:

The server specifies a fixed IP can access the server, in fact, it is easy, generally the following three methods:

Method One: Add the IP or network segment that allows SSH login in/etc/hosts.allow sshd:192.168.1.2:allow or Sshd:192.168.1.0/24:allow in/etc/   Hosts.deny add not allow SSH login Ipsshd:all #ALL表示除了上面允许的, the other IP are denied login ssh method two: Use Iptables. Iptables-a input-p tcp-s 192.168.1.2--destination-port 22-j ACCEPT iptables-a input-p TCP--destination-port 22-j DROP Method Three: Modify the SSH configuration file vi/etc/ssh/sshd_config add one line: allowusers [email protected] Note: XXX is the username you use to log in to the server.

I realized by method one, restrict ADSL dynamic IP to log in,

The method is simple: through the peanut shell or to the Kmdns register account, this will get a domain name, we login this account in the company intranet,

It is possible to resolve the IP on the server.

I use the Tplink router itself to support dynamic Domain name account login, OK, take it directly.

The server is implemented with scripting

Configure the Hosts.allow file first, as configured in the following format

Sshd:13.18.4.36:allow

[Email protected]:/var/scripts# vi /etc/hosts.allow # /etc/hosts.allow: list  of hosts that are allowed to access the system.#                    see  the manual pages hosts_access (5)  and hosts_options (5) .## Example:     ALL: LOCAL  @some_netgroup #              all: .foobar.edu except terminalserver.foobar.edu## if you ' re  going to protect the portmapper use the name  "Portmap"  for  the# daemon name. Remember that you can only use the  keyword  "All"  and IP# addresses  (not host or domain names)   For the portmapper, as well as for# rpc.mountd  (The nfs mount daemon) . See  Portmap (8)  and rpc.mountd (8) # for further information. #sshd: 13.18.4.36:allow

Write to get the dynamic domain name IP and replace the content script in the Allow file,

Dig +short Direct resolution domain name Get IP is very simple

[Email protected]:/var/scripts# VI getip.sh #!/bin/bash# resolution get myku.kmdns.net Dynamic Domain name ipgetip= ' dig +short myku.kmdns.net ' # Get the original allow file in the ipoldip= ' Cat/etc/hosts.allow|grep sshd |awk-f ': ' {print $} ' |head-n1 ' if [$getip! = $oldip] Then s Ed-i "s/$oldip/$getip/g"/etc/hosts.allow else exitfi[email protected]:/var/scripts# chmod 777getip.sh

Then add it to the automated task and detect it every minute.

#allow myku IP to login SERVER*/1 * * * */var/scripts/getip.sh >/dev/null 2>&1

In this way, the Hosts.allow only allows ADSL dynamic IP login function.

Similarly, we can also use another two methods, here is not much to say.

This article is from the "xiangcun168" blog, make sure to keep this source http://xiangcun168.blog.51cto.com/4788340/1699269

Linux Hosts.allow only allow ADSL dynamic IP login