Score:0

ConfigServer firewall enable SSH for dynamic dns

ca flag

I am running ConfigServer Firewall on my server. Currently I have a few dynamic dns entries added to the LFD Dynamic DNS section. Those dyn dns hosts though cannot SSH to the server - I can only get those hosts SSH access if I added their (ever changing) IPs to the Firewall Allow IPs section. But that pretty much defeats the purpose of dyn dns if I am having to constantly add their changing IPs to a permit list.

The permitted dynIP hosts though can access the server WHM/cPanel via web gui; they just can't SSH.

To get around this, in the Firewall Allow IPs section I am forced to add the entire /24 their new IPs are coming from because I have found that if the user renews their IP they are typically coming from the same IP segment, which helps reduce the amount of dynIP entries I have to add to the permit list - but I am seeing it changing to all new subnets more often these days.

tcp|in|d=522|s=192.200.103.0/24 # SSH port for John Smith's dynIP (01/01/23)

What and where do I need to add their dyn dns entries so they can also SSH? Is this even possible?

Score:1
br flag

You can create a custom allow rule for SSH traffic that uses the dynamic DNS hostnames instead of IP addresses. You can add this rule to the "csf.allow" file on your server.

tcp|in|d=22|s=/path/to/dynamic-dns-hostnames.txt

Inside the "dynamic-dns-hostnames.txt" file, you can add one hostname per line, like this:

hostname1.example.com
hostname2.example.com

Make sure to use the actual hostnames that you're using for dynamic DNS. You can add or remove hostnames from this file as needed, and you won't need to update the firewall rule itself.

rolinger avatar
ca flag
Wow...thanks Salim! I had no idea the `s=` could be a path to a file. Could the `dynamic-dns-hostnames.txt` file simply point to CSF's own `csf.dyndns` file....or does it need to be its own unique file?
br flag
In your case, it is possible to use the csf.dyndns file directly in your custom rule by using the file: prefix, e.g.: tcp|in|d=22|s=file:/etc/csf/csf.dyndns
rolinger avatar
ca flag
Great to know. I decided to use a custom file though - because then that gives me the ability to have two different types of user access: WHM/GUI access and separately SSH access. 99% of the time they would be the same, but I can see future scenarios where I might need to permit one versus the other. Thanks again.
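An added example, not code from the thread or from CSF itself: where a file path in `s=` is not available, the same one-hostname-per-line file can be turned into explicit csf.allow entries by a periodic job that resolves each host, so only the resolved IPs (not a whole /24) are permitted on the SSH port. The resolver is a swappable function so the logic can be checked without DNS; the comment format mimics the asker's own `# SSH port for ... (date)` entries, and hosts that fail to resolve are reported instead of silently dropped.

```python
import socket
import sys
from datetime import date
from ipaddress import ip_address


def resolve_host(hostname):
    """Return the set of IPs a hostname currently resolves to (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def read_hostnames(text):
    """Parse a one-hostname-per-line file, ignoring blank lines and '#' comments."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def render_csf_allow(hostnames, port=22, resolve=resolve_host, today=None):
    """Build csf.allow lines of the form tcp|in|d=PORT|s=IP # SSH for host (date).

    Returns (lines, failed): `failed` lists hosts that did not resolve, so a DNS
    outage is visible to the operator rather than quietly removing their access.
    """
    today = today or date.today().isoformat()
    lines, failed = [], []
    for host in hostnames:
        ips = resolve(host)
        if not ips:
            failed.append(host)
            continue
        # Sort v4 before v6, then numerically, so the generated block is stable.
        for ip in sorted(ips, key=lambda a: (ip_address(a).version, ip_address(a))):
            lines.append(f"tcp|in|d={port}|s={ip} # SSH for {host} ({today})")
    return lines, failed


# Constructed sample input with the same shape as the file in the answer above.
SAMPLE_FILE = """# SSH users on dynamic DNS
hostname1.example.com
hostname2.example.com
"""

if __name__ == "__main__":
    allow_lines, unresolved = render_csf_allow(read_hostnames(SAMPLE_FILE))
    print("\n".join(allow_lines))
    for host in unresolved:
        print(f"# WARNING: {host} did not resolve; keep its previous entry", file=sys.stderr)
```

The generated lines would replace the managed block in /etc/csf/csf.allow from cron, followed by `csf -r` to reload the rules.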