
ddclient: getting access to home servers despite having a dynamic IP

September 28th, 2008 edited by Tincho

Article submitted by Toni Zimmer.

There will be a day when you need access to your Debian box from somewhere other than home, for example to get files from your home server with scp, or if you’re running a web server, an IRC proxy, an FTP server, a mail server…

Most likely your ISP gives you a dynamic IP address. This problem can be solved by getting a static DNS name, so you can connect to your home even if your IP keeps changing. First of all you have to create an account with your favourite dyndns provider. I use dyndns.org but there are others, such as easydns.com, dslreports.com or zoneedit.com. You can use others if you know ddclient supports their protocol.

There you can specify the hostname (combined with a domain name) for your computer. You can enable mail routing if you want to set up a home mail server.

When you install ddclient you will be asked for the dyndns service provider where you created your account. After that you must enter the complete (or fully qualified) domain name of your computer (something like dpotd.gotdns.org) and your account name (including the password, which will be stored in plaintext in /etc/ddclient.conf!). Now you have to choose the interface that connects you to the internet. ddclient will read your IP address from that interface, so you shouldn’t be behind a NAT (the interface would carry a private address, not your public one). Afterwards you will be asked if you want to start ddclient when connecting with PPP and if you want ddclient to run on system startup or not (probably you will use the first or the second choice). If you choose to run ddclient on startup, you can enter a delay between address checks (the default is five minutes, so every five minutes your system will tell your current IP address to your dyndns service provider).

Your settings are stored in /etc/ddclient.conf and look like this:

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

pid=/var/run/ddclient.pid
protocol=dyndns2
use=if, if=eth0
server=members.dyndns.org
login=dyndnsloginname
password='dyndnsloginpassword'
dpotd.gotdns.org

If everything is okay, wait a couple of minutes for the DNS information to propagate and then you will be able to do something like ssh dpotd.gotdns.org or w3m dpotd.gotdns.org
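Since the file above carries the dyndns password in plaintext, two things are worth checking on any box that runs ddclient: that nobody but the file's owner can read /etc/ddclient.conf, and that updates go to the provider over SSL (ddclient supports ssl=yes from version 3.7.0). The script below is an added example, not code from the original article or from the ddclient project; it audits a ddclient.conf for both points and runs itself against a constructed sample file with made-up credentials.

```sh
#!/bin/sh
# Added example; not code from the original article or from the ddclient project.
# Audits a ddclient.conf for the two points raised in the article and its
# comments: the dyndns password sits in the file in plaintext, so nobody but
# the owner may read it, and (ddclient >= 3.7.0) ssl=yes keeps the login and
# password off the wire in the clear.
# Prints one finding per line on stdout and returns the number of findings.

ddclient_conf_audit() {
    conf=$1
    findings=0

    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf does not exist"
        return 1
    fi

    # ls -ld prints e.g. "-rw-r--r--"; characters 5-10 are the group/other bits.
    perms=$(ls -ld "$conf" | cut -c1-10)
    if [ "$(printf '%s' "$perms" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $conf is $perms; group/other can read the plaintext password (chmod 600)"
        findings=$((findings + 1))
    fi

    # ssl=yes must be an uncommented setting; a commented-out line does not count.
    if ! grep -Eq '^[[:space:]]*ssl[[:space:]]*=[[:space:]]*yes' "$conf"; then
        echo "SSL: ssl=yes not set; login and password are sent unencrypted"
        findings=$((findings + 1))
    fi

    # Informational only: use=if publishes the interface address, which is a
    # private one behind NAT (the article's caveat). Not counted as a finding.
    if grep -Eq '^[[:space:]]*use[[:space:]]*=[[:space:]]*if' "$conf"; then
        echo "NOTE: use=if publishes the interface address; wrong behind NAT"
    fi

    return "$findings"
}

# Demo on a constructed config (the values below are made up, not real credentials).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/ddclient.conf"
cat > "$demo_conf" <<'EOF'
pid=/var/run/ddclient.pid
protocol=dyndns2
use=if, if=eth0
server=members.dyndns.org
login=exampleuser
password='examplepassword'
example.gotdns.org
EOF
chmod 644 "$demo_conf"

echo "--- before hardening ---"
ddclient_conf_audit "$demo_conf" || echo "$? finding(s)"

chmod 600 "$demo_conf"
echo "ssl=yes" >> "$demo_conf"
echo "--- after hardening ---"
ddclient_conf_audit "$demo_conf" && echo "clean"
rm -rf "$demo_dir"
```

Run it as root against the real file with ddclient_conf_audit /etc/ddclient.conf; the exit status doubles as a finding count, so it drops straight into a cron job or a configuration check. The permission test deliberately looks only at the group/other bits, because the debconf-generated file is meant to be root-owned and root-readable and that is exactly the state the comments below argue is acceptable.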

ddclient is available in Debian since Sarge and in Ubuntu (universe) since Dapper.


9 Responses

  1. Ingo Wagener Says:

    ddclient might not be a bad idea, but you did well in pointing out that the password is stored in a plain text file! This is not only inherently insecure, but completely crazy!

    It might be an idea to write to the developer and at least suggest encryption.

    Anyway, thanks for bringing ddclient to our attention :)

  2. Vicho Says:

    Ingo Wagener said:
    > but you did well in pointing out that the password is stored in a plain text file! This is not only inherently insecure, but completely crazy!
    > It might be an idea to write to the developer and at least suggest encryption.

    The script must contact the dyndns service each time your IP changes and it must send your username and password to authenticate itself. If the password were stored encrypted, the script would have to have a method to decrypt it, and you could just use the same algorithm as the script to get the password.

    /etc/ddclient.conf is readable only by root and, while it’s not perfect, I don’t think it’s crazy. If some bad guy has already got root access to your home server there are a lot of things to worry about more important than “they pwn my dyndns account”.

  3. Paul Kishimoto Says:

    For people with several machines in their home network, there are several ways to do this. I have a Linksys router running DD-WRT, which actually includes ddclient. Then, I forward different ports to different machines; 10022 is SSH to my desktop; 11022 is SSH to my fileserver, etc.

    You could also forward all this traffic to one machine and then bounce through it to the others.

    Vicho, that’s what public key encryption is for. For example, when you set up an SSH key for use on another computer, you’re configuring automated login. DynDNS et al. could use SSH keys, and then you wouldn’t have to store a plaintext password. But that’s probably a lot of work for them, and in the end if you don’t have good physical/other security on your home system, it’s all for naught.

  4. it's me Says:

    So you suggest storing some key file instead of a plain text password? And why is this more secure? Either the key file is encrypted - not possible for automatic updates - or it is not, but then an attacker can just copy the key file instead of the password. And as Vicho said, if someone can gain unauthorized access to your password in the ddclient.conf file, you have a much bigger problem already. Btw, it is worth mentioning that ddclient supports SSL since 3.7.0 by setting ssl=yes in the config.

  5. Joeb454 Says:

    I think if your router supports it, it’s probably better to use that (it makes it easier anyway).

    My router for example - supports dynamic dns, and dyndns is among those listed on the router interface. So I simply use that, which works very well for me. I just port forward the necessary ports (http and ssh on a different port) and all works well :)

  6. Doug Peterson Says:

    ddclient comes in handy when a server is configured for virtual hosting, meaning multiple domains. Routers typically only handle a single domain.

    dyndns.com offers a configuration file generator for your registered domains. This can be found at: http://www.dyndns.com/support/tools/clientconfig.html

    Some other options I explicitly set are:

    syslog=yes # log update msgs to syslog
    mail=root # mail all msgs to root
    wildcard=YES # add wildcard CNAME?

    When I was having a cable internet access problem, ddclient became sort of a rudimentary downtime tracker. I had not intended that and there are other ways to do it. It did give me data to schedule service and get a refund from my cable company on downtime.

  7. Mark Says:

    >Either the key file is encrypted - not possible for automatic updates - or it is not, but then an attacker can just copy the key file

    Someone hasn’t heard about ssh-agent. Granted, it would still be conceivably possible to get at the key, but it would be very difficult. Much more secure than you suggest.

  8. eof Says:

    I just registered with dyndns as a paying customer and their security practice really sucks. What they should provide is to be able to define a username and password for each host you register. That way a compromised host doesn’t necessarily mean that someone could hijack your whole domain.

    I really hope people would write and complain about this as otherwise they probably won’t change anything.

  9. Jackson Says:

    >Mark wrote:
    >>it’s me wrote:
    >>Either the key file is encrypted - not possible for automatic updates - or it is not, but then an attacker can just copy the key file

    >Someone hasn’t heard about ssh-agent. Granted, it would still be conceivably possible to get at the key, but it would be very difficult. Much more secure than you suggest.

    Doesn’t this mean that you have to be logged into that machine to get this to work? And if so, that will not work very well at servers.