Krischu

Reputation: 1125

ping my host, get ICMP address and open hosts.allow in a script

The following situation: I'm running a server on the internet. Port 22 on the server is closed to everyone, except for an exception rule in hosts.allow.

When I'm at home and connected through my provider, I always have a different IP address. What I do then is log into my server through the browser console, run tcpdump ip proto ICMP, take the hostname out of the tcpdump output, edit /etc/hosts.allow, run service ssh restart, and after that I'm able to log into my server via ssh (PuTTY).

This works as long as my provider doesn't change my IP (which most of the time happens overnight).

Now, what I'm looking for is to automate this process. The problem is, I have to tell my server that it's me who is pinging. So I either ping in a secret pattern or authenticate myself by some other means. I also thought about clicking an (SSL-secured) link on my website and letting some web service do the required steps to open the server for the client I'm sitting at.

Upvotes: 0

Views: 324

Answers (1)

damienfrancois

Reputation: 59110

You might be happy using Single Packet Authentication. It is an evolution of the port knocking method, and the basic idea is the same as you describe: you send a single packet with an encrypted payload to a specific port of your firewalled machine, and the packet gets dropped by the firewall. But, behind the scenes, if the challenge in the payload succeeds, a rule is added to iptables to open port 22 to the sender of the payload. Then you can ssh to the server.

For convenience, you can redefine an ssh Bash function that first uses Fwknop to open the door in the firewall and then runs ssh, passing the arguments. It works pretty well.

Fwknop also has an Android app that allows you to send the encrypted payload from your phone and open the firewall for a specific IP address. You can use this when you are connecting from a different machine than usual.

Upvotes: 1
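The wrapper the answer describes, as an added example (not the answerer's code and not part of the fwknop project): it sends the SPA packet with the fwknop client, waits until tcp/22 actually answers, and only then runs ssh. It assumes fwknopd on the server is configured to open tcp/22 for the SPA sender, that the client keys live in the default stanza of ~/.fwknoprc, and that a netcat (nc) is available for the port probe; FWKNOP_BIN and SSH_BIN are hypothetical override variables added for testing.

```shell
#!/bin/sh
# Added example: fwknop SPA knock followed by ssh. Not from the original answer.
FWKNOP_BIN="${FWKNOP_BIN:-fwknop}"   # hypothetical override, useful for testing
SSH_BIN="${SSH_BIN:-ssh}"            # hypothetical override, useful for testing
SPA_PORT="${SPA_PORT:-22}"
SPA_TRIES="${SPA_TRIES:-5}"          # how often to probe the port after the knock

# Strip an optional user@ prefix: spa_host user@example.org -> example.org
spa_host() {
  printf '%s\n' "${1##*@}"
}

# Send the SPA packet. -A: access requested (tcp/22); -R: let the client resolve
# its public address over HTTP (home connection behind NAT); -D: the SPA server.
# The firewall drops the packet; fwknopd sees it and inserts the allow rule.
spa_knock() {
  "$FWKNOP_BIN" -A "tcp/$SPA_PORT" -R -D "$1"
}

# Probe host:port once. Without nc, give fwknopd a second and assume the rule is in.
spa_probe() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 1 "$1" "$2" 2>/dev/null
  else
    sleep 1
  fi
}

# Retry the probe so ssh is not started before the iptables rule exists.
spa_wait() {
  n=0
  while [ "$n" -lt "$SPA_TRIES" ]; do
    spa_probe "$1" "$SPA_PORT" && return 0
    n=$((n + 1)); sleep 1
  done
  return 1
}

# spa_ssh [user@]host [ssh options...]  -- knock, wait, then connect.
spa_ssh() {
  target=${1:?usage: spa_ssh [user@]host [ssh options]}
  shift
  host=$(spa_host "$target")
  spa_knock "$host" || { echo "SPA packet not sent to $host" >&2; return 1; }
  spa_wait "$host" || { echo "tcp/$SPA_PORT still closed on $host" >&2; return 1; }
  "$SSH_BIN" "$@" "$target"
}
```

Name the function ssh instead of spa_ssh if you want the transparent wrapper the answer mentions; ssh options go after the host because the wrapper places them before the destination when it calls ssh.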
