Enabling SSH for a dynamic IP address

Kevin Danneels
Hi Guys,

My first post on Experts Exchange! I have a little question, and it's gonna be silly.

A customer of ours wants to have SSH access to a Linux server of our shared customer. I've already set up the IP object in our Draytek router.
This is the public IP address they gave me when I asked them about it. Address type is single. The next thing I did was go to the filter setup in the firewall. I've added the source IP object into the passed group. My problem now is, they don't have a fixed IP address. So I guess I have to set it to dynamic. I know this isn't good because of the attacks we could get, but they gave me permission.

What is the best method to do this?

Thanks in advance

Kind regards,

Kevin
Soulja, Sr.Net.Eng
Top Expert 2011

Commented:
Have you considered using a dynamic DNS service, like No-IP or DynDNS?

Author

Commented:
No, I didn't. Doing some research about it now.
Distinguished Expert 2018

Commented:
Soulja's suggestion is going to be the only way that makes sense given the current setup. Otherwise, that company would need to get static IPs (more a question of whether it makes sense to get a static IP solely for that SSH access).

As long as your IP (with the server behind) has a fixed IP, it's OK.
The client (who wants to access SSH to your server) does not need a fixed IP.
But I see your problem: you want to filter it, so only SSH from that particular IP can access your server.

As long as the ssh server has good passwords set, I don't see any problem/security issue.

There would be a few things to make it more secure, like client certificates and using a different port on the firewall and rerouting (NAT) it internally to 22 again.

regards
Thomas
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Tip: You can simply ignore the entire consideration of ssh attacks these days.

Many Distros already install Fail2Ban, which blocks brute force ssh attacks.

If missing, install Fail2Ban, which will by default enable ssh attack blocking.

Tip: I normally change the default rule to block for 24 hours after 3x failed attempts within 1 hour.

If you use Fail2Ban, just provide the person wishing to login with the current IP. So long as the IP can be reached, they can login.
You can still use fail2ban, but it's still a good idea to change the external port for ssh if it's not a public ssh server.  That will reduce the script kiddie attacks and keep your logs small.  This way only dedicated attackers will show up in your logs and make it easier to identify and you will have less noise in the logs and less traffic to worry about.

If you don't expect connections from certain countries, you should also just firewall off the IP and only allow connections from certain expected IP ranges, once you figure those out.
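
Added example, not part of the original thread: one way to combine the dynamic DNS suggestion with a source-IP allow rule, here enforced with iptables on the Linux server itself rather than on the Draytek. The host name `client.example.net`, the chain name `SSH_DDNS` and the state-file path are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example: keep an SSH allow rule in step with a dynamic DNS name.
# Assumed names (not from the thread): DDNS_HOST, CHAIN, STATE.
# One-time setup, run as root before scheduling this script:
#   iptables -N SSH_DDNS
#   iptables -A INPUT -p tcp --dport 22 -j SSH_DDNS
#   iptables -A INPUT -p tcp --dport 22 -j DROP
set -u

DDNS_HOST="${DDNS_HOST:-client.example.net}"  # placeholder DDNS name
CHAIN="${CHAIN:-SSH_DDNS}"                    # dedicated chain for this client
STATE="${STATE:-/var/run/ssh_ddns.ip}"        # last address that was applied
IPT="${IPT:-iptables}"                        # override for a dry run

# Succeeds only for a well-formed dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local old_ifs="$IFS" o
    IFS=.
    set -- $1
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# First IPv4 address the resolver returns for a name; empty on failure.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Replaces the rule in $CHAIN when the address has changed.
# Returns 2 and leaves the existing rule alone if NEW is not a valid address,
# so a failed lookup never opens or closes anything.
update_allowlist() {
    local new="$1" old=""
    is_ipv4 "$new" || { echo "not applying '$new'" >&2; return 2; }
    [ -r "$STATE" ] && old="$(cat "$STATE")"
    [ "$old" = "$new" ] && return 0
    "$IPT" -F "$CHAIN" &&
        "$IPT" -A "$CHAIN" -s "$new/32" -p tcp --dport 22 -j ACCEPT &&
        printf '%s\n' "$new" > "$STATE"
}

# Run from cron or a systemd timer as: ssh_ddns.sh --apply
if [ "${1:-}" = "--apply" ]; then
    update_allowlist "$(resolve_ipv4 "$DDNS_HOST")"
fi
```

Between the client's address changing and the next scheduled run, the client is locked out rather than the port being opened wider, so the run interval sets the worst-case wait.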
