[TAG] Need some help to check a script for unexpected security issues
Suramya Tomar
security at suramya.com
Fri Jun 16 02:35:10 MSD 2006
Hi Everyone,
Couldn't think of a better title than that, so if it didn't make sense
I blame the lack of caffeine.
This is a script that I wrote so I can give ssh access to my server to a
friend's computer whose IP address keeps changing every day without any
manual intervention on my side. I have been thinking about this for a
while and this seemed like the easiest solution with the least work on
my side. Plus it was an interesting challenge for me to get this to work :)
[Some of you might remember that I had asked a question about this topic
a while back. I switched ISP's so my IP address doesn't change that
often anymore but my friend is stuck with my old ISP and wanted to get
access to my system. The result is this script.]
Now it's working, but since I would have to run this as root for it to
work I wanted to share it with you so that if it has some security
implications I haven't thought of then I can fix it before I start using
it...
I had my friend create a DynDns account and had him configure his system
to keep the IP address updated using one of their update clients.
On the server side I use the host command to get the latest IP address
for his hostname and then give that IP address access to my system.
Below is the script I made; if you see something wrong/unsafe let me
know and I will try to fix it:
------------- Start get_ip.sh ---------------
#!/bin/bash
# Resolve the friend's current address via his DynDNS hostname and keep
# the command's output; abort if the lookup itself fails.
IP=$(host blah.dyndns.com) || exit 1
# This reads in the OLD IP address he had (empty on the very first run)
read OLD < OLD_IP.dat 2>/dev/null
# Get the current IP address. The pattern lives in a variable and is used
# unquoted: from bash 3.2 on a quoted right-hand side of =~ is matched as
# a literal string, not as a regex. Only a dotted quad is captured, so
# nothing but an address can end up inside the iptables command line.
RE='has address ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)'
if [[ $IP =~ $RE ]]
then
    NEW=${BASH_REMATCH[1]}
    if [ "$OLD" != "$NEW" ]   # Didn't match, so the IP changed
    then
        # So we log the current date/time and the new IP to a file
        echo "$(date): Removing access for $OLD and giving access to $NEW" >> access_log.log
        # Set the static firewall rules
        /home/suramya/bin/S41firewall
        # Create a new rule to allow the current IP address access
        iptables -A INPUT -s "$NEW" -p tcp -m tcp --dport 22 -j ACCEPT
        # Drop all other connections to port 22
        iptables -A INPUT -p tcp --dport 22 -j DROP
        # Replace the old IP address with the new one
        echo "$NEW" > OLD_IP.dat
    fi
fi
---------------- End get_ip.sh --------------
Any comments/feedback on this would be appreciated.
Thanks,
Suramya
PS: If this looks ok and doesn't cause a major security hole I will
release this under the GPL, and if you feel it's worth it/fits then you
can include it in LG.
--
-------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------
************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************
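As an added example for the problem raised in this post (not Suramya's script and not code from Linux Gazette): a POSIX sh version that checks the value taken from `host` is really a dotted-quad address before it is placed in an iptables rule, and deletes the previous ACCEPT rule instead of appending another one on every change. The chain name DYN_SSH, the RESOLVER and IPTABLES variables (defaulting to `host` and to `echo` for a dry run) and the sample addresses are assumptions, not from the post.

```shell
#!/bin/sh
# Added example, not the original poster's script: validate the address
# parsed from `host` output before it reaches iptables, and replace the
# old ACCEPT rule rather than leaving it behind.
# Assumptions (placeholders): a chain DYN_SSH exists and INPUT jumps to
# it; RESOLVER defaults to `host`, IPTABLES to `echo` so the functions
# can be exercised as a dry run without root.
RESOLVER="${RESOLVER:-host}"
IPTABLES="${IPTABLES:-echo}"

# Read `host` output on stdin; print the first "has address" value if it
# is a well-formed IPv4 address (four numeric octets, each 0-255), else
# print nothing and return 1.
extract_ip() {
    ip=""
    while IFS= read -r line; do
        case "$line" in
            *" has address "*) ip="${line##* has address }"; break ;;
        esac
    done
    # Reject empty, trailing-dot, or anything beyond digits and dots
    case "$ip" in ""|*.|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in "") return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Replace the ACCEPT rule for $1 (empty on the first run) with one for $2.
update_rule() {
    if [ -n "$1" ]; then
        $IPTABLES -D DYN_SSH -s "$1" -p tcp --dport 22 -j ACCEPT
    fi
    $IPTABLES -I DYN_SSH 1 -s "$2" -p tcp --dport 22 -j ACCEPT
}

# Resolve hostname $1, compare with the address stored in file $2, and
# update the rules only when the address is valid and has changed.
refresh_ssh_access() {
    new=$($RESOLVER "$1" | extract_ip) || return 1   # bad lookup: do nothing
    old=$(cat "$2" 2>/dev/null || true)
    [ "$old" = "$new" ] && return 0                  # unchanged
    update_rule "$old" "$new" && printf '%s\n' "$new" > "$2"
}
```

Run as `IPTABLES=/sbin/iptables sh script.sh` from cron with `refresh_ssh_access blah.dyndns.com /var/lib/ssh-access/old_ip` appended to the file; leaving IPTABLES unset only prints the rules that would be applied.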