
Configuring a cronjob...

Fed up with the 'upgrade to a paid version' and 'confirm that you are still using this hostname' nagging of the free DynDNS providers, I have put together a simple 'roll your own' dynamic DNS system, based on an NSD Docker container and a trivial script which writes a zone file updated by SSH logins*.

I therefore want to be able to regularly ssh to the name server from my UTM - after faffing with /etc/crontab.dyndns and getting nowhere I realised that loginuser wasn't in the cron.deny file, it just wasn't allowed to run crontab -e.

I therefore ran crontab -u loginuser -e as root, and that allowed me to configure the crontab, which sprang into life - brilliant.

Two questions occur at this point...

 - Is there something obvious I should/could have done as root to load /etc/crontab.dyndns into the active crontab?

 - Is there a way to trigger the same ssh login in the event that I get an IP update (in which case I could reduce the crontab frequency)?

* The server limits logins to SSH keys, and the key in use for this task is limited to running a single script.

The script takes the IP from the SSH connection, and uses the SSH_ORIGINAL_COMMAND (sanitised) as the hostname into a single subdomain of mine.

So I just call:

ssh user@server -i dynamicDNSkey host

and the server recognises the key, sanitises 'host' and uses that as an entry in the domain zone file pointing to wherever the connection was made from.  It also increments the zone serial.

There is a second script that watches the config directory and prompts NSD to reload when a change is made.

 

Important lines from the script (bash):

DYNHOST=${SSH_ORIGINAL_COMMAND//[^a-zA-Z]/}

DYNIP=`echo $SSH_CONNECTION | awk '{print $1}'`

 

Yes I do know that the DYNHOST definition here limits valid hostnames well beyond the official DNS limitations (and that it doesn't check for things like 'not starting with a digit') but it is, I believe, a reasonably safe way of completely sanitising the input and avoiding injections.  Of course to get to the script you are logged on, or have managed to obtain my SSH key - if you think it is still vulnerable to injection then do shout...
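An added example, not part of the original post and not the poster's script: a forced-command handler sketch that applies the same letters-only allow-list to SSH_ORIGINAL_COMMAND and also refuses an empty result, an over-long label, or a client address that is not IPv4. The function names, the script path, the 300-second TTL and the IPv4-only restriction are assumptions; writing the record into the zone and bumping the serial are left to the real script.

```shell
#!/bin/sh
# Added example (not the poster's script). Intended as the forced command for
# the update key, e.g. in authorized_keys (path and key are placeholders):
#   command="/usr/local/bin/dyndns-update",restrict ssh-ed25519 <public-key>

# Allow-list ASCII letters only, as the post's DYNHOST line does, then
# lower-case. LC_ALL=C pins a-z/A-Z to ASCII regardless of server locale.
sanitise_host() {
    h=$(printf '%s' "$1" | LC_ALL=C tr -cd 'a-zA-Z' | LC_ALL=C tr 'A-Z' 'a-z')
    # Nothing left (e.g. digits only) or longer than a DNS label: refuse.
    [ -n "$h" ] && [ "${#h}" -le 63 ] || return 1
    printf '%s\n' "$h"
}

# First field of SSH_CONNECTION is the client address. Assumption: only
# IPv4 A records are written, so anything but a dotted quad is refused.
client_ipv4() {
    ip=${1%% *}
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# One zone-file line; the 300 s TTL is an assumed value.
zone_record() {
    host=$(sanitise_host "$1") || return 1
    addr=$(client_ipv4 "$2") || return 1
    printf '%s\t%s\tIN\tA\t%s\n' "$host" 300 "$addr"
}

# Run only when sshd has set both variables for this login.
if [ -n "${SSH_CONNECTION:-}" ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    zone_record "$SSH_ORIGINAL_COMMAND" "$SSH_CONNECTION" || {
        echo "rejected update request" >&2
        exit 1
    }
fi
```

Because every value is passed quoted to printf and never evaluated, shell metacharacters in the requested name are simply dropped by the allow-list rather than interpreted.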



This thread was automatically locked due to age.
  • John, I trust that this is a home-use situation...

    Yes, you do need to be root to edit files in /etc.  The only crontab file in /etc that is not overwritten by WebAdmin is /etc/crontab-static, and that's where I put anything I want to keep.  In your case, I would put my code there, but creating crontab-dyndns should work.

    Once you have your code loaded, you can cause crontab to be reconstituted in WebAdmin.  For example, change the 'Firmware Download Interval' to "Manual," [Apply], change it back and [Apply].  In order to do this as root at the command line, first note the current setting with cc get up2date system_download_interval then change it with cc set up2date system_download_interval 10.

    In any case, FreeDNS is still free, so that could save you some effort.

    Cheers - Bob

  • Yes, home use, from a couple of different homes - Having DNS updated means that they can put up an IPSec connection easily.

    Although the DYN DNS does seem to work quite happily it will still take up to an hour to recover in the event of an IP change.

    I might try getting crontab to be rebuilt when I look again (whenever that is).

    Any obvious hooks to run to be triggered when the IP changes, or do I run a script which can call the SSH if the IP has changed or 24 hours have passed...

    What does the built-in ddns do?

  • I think it triggers a change in one of the dynDNS services as soon as it sees a change in the IP assigned to it.  I doubt that you can make something that changes it faster in one of the services supported by the UTM.

    Cheers - Bob
