Full Version: Admin with dynamic IP?
The Planet Forums > System Administration > Other
ohvhost
I currently have a static IP that makes it easy to admin my server, as I can add it to my firewall allow list so I don't accidentally lock myself out. It also makes certain other admin work easier, as I can script things to send to my home IP address.

I am now thinking of dropping Comcast as it's getting super slow and moving to the 6Mbps DSL that is now available here (the switch is close and they just laid new wire/fiber), and it's $15/mo cheaper, but with a dynamic IP.

What should I consider when dealing with a dynamic IP?

Thanks
James Jhurani
QUOTE (ohvhost @ Jun 10 2007, 11:37 AM) *
I currently have a static IP that makes it easy to admin my server, as I can add it to my firewall allow list so I don't accidentally lock myself out. It also makes certain other admin work easier, as I can script things to send to my home IP address.

I am now thinking of dropping Comcast as it's getting super slow and moving to the 6Mbps DSL that is now available here (the switch is close and they just laid new wire/fiber), and it's $15/mo cheaper, but with a dynamic IP.

What should I consider when dealing with a dynamic IP?

Thanks



I use DynDNS for this. The reason is that you run a program called ddclient, which updates your IP address with DynDNS every few minutes. Once it changes, the DynDNS host will change your IP in their DNS. So the host is for the most part always pointing to the correct IP (with a window of about 3 minutes when your IP changes).
ohvhost
QUOTE (jjhurani @ Jun 10 2007, 05:18 PM) *
I use DynDNS for this. The reason is that you run a program called ddclient, which updates your IP address with DynDNS every few minutes. Once it changes, the DynDNS host will change your IP in their DNS. So the host is for the most part always pointing to the correct IP (with a window of about 3 minutes when your IP changes).


But isn't the IP that my server would see me logging in from still my dynamic IP? I'd rather not use a proxy to do admin work; who knows what they are capturing/storing. It's great for sending stuff home, but not for me connecting to my box.
James Jhurani
QUOTE (ohvhost @ Jun 10 2007, 05:34 PM) *
But isn't the IP that my server would see me logging in from still my dynamic IP? I'd rather not use a proxy to do admin work; who knows what they are capturing/storing. It's great for sending stuff home, but not for me connecting to my box.


Yes, the IP is still changing, but you could easily crontab something to get the IP of the hostname and allow it through the firewall every X minutes. You might also be able to pay a little extra for a static IP, depending on your ISP.
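An added example, not from the thread, of the crontab approach jjhurani describes: a POSIX shell script that resolves a dynamic-DNS hostname and, only when the address has changed, swaps the iptables allow rule for the SSH port. The hostname, port, state file path and the `getent ahostsv4` lookup are assumptions for illustration; the dry-run `IPTABLES` variable lets you see the rules before applying them.

```shell
#!/bin/sh
# Added example (not from the thread): keep an iptables allow rule in sync
# with a dynamic-DNS hostname. Run from cron, e.g. every 5 minutes:
#   */5 * * * * /usr/local/sbin/admin-allow.sh run
# Hostname, port, state file and the getent lookup are assumptions.
ADMIN_HOST="${ADMIN_HOST:-home.example.dyndns.org}"   # hypothetical DynDNS name
SSH_PORT="${SSH_PORT:-22}"
STATE_FILE="${STATE_FILE:-/var/run/admin-allow.ip}"
IPTABLES="${IPTABLES:-iptables}"   # set to "echo iptables" for a dry run

# Return 0 if $1 is a dotted-quad IPv4 address with every octet 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }
    '
}

# Resolve the hostname to its first IPv4 address (empty string on failure).
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Replace the allow rule: delete the rule for the old address (if known),
# then insert one for the new address at the top of INPUT so it is matched
# before any rate-limit or DROP rules further down the chain.
update_allow_rule() {
    old=$1; new=$2
    if [ -n "$old" ]; then
        $IPTABLES -D INPUT -p tcp -s "$old" --dport "$SSH_PORT" -j ACCEPT 2>/dev/null || true
    fi
    $IPTABLES -I INPUT -p tcp -s "$new" --dport "$SSH_PORT" -j ACCEPT
}

# Resolve, compare with the last known address, and update only on change.
# Leaves the old rule in place if resolution fails, so a DNS hiccup cannot
# lock the admin out.
sync_allow_rule() {
    new=$(resolve_host "$ADMIN_HOST")
    if ! is_ipv4 "$new"; then
        echo "could not resolve $ADMIN_HOST; keeping existing rule" >&2
        return 1
    fi
    old=$(cat "$STATE_FILE" 2>/dev/null)
    [ "$old" = "$new" ] && return 0
    update_allow_rule "$old" "$new" && printf '%s\n' "$new" > "$STATE_FILE"
}

if [ "${1:-}" = "run" ]; then
    sync_allow_rule
fi
```

The script records the last applied address in a state file so that it can delete exactly the rule it added earlier; it never touches the chain when the lookup fails, which is the failure mode that would otherwise lock you out. Note that between an address change and the next cron run (plus the DynDNS propagation window) the new address is not yet allowed, so keep a second way in, such as the provider's console or support, as ohvhost mentions.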
BlueFusion
I don't know if you have Linux or Windows servers, but if it is the former, you can allow all hosts to SSH, but disable password authentication and only use RSA key authentication. I use it for passwordless authentication on several servers, making life a little easier, although it can still be used with a password. Here's a howto for that: http://sial.org/howto/openssh/publickey-auth/

For other services like MySQL, you are kind of stuck on that one. And for Windows administration, I have no idea, so Godspeed.
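An added example, not BlueFusion's or the linked howto's, of checking that an sshd_config actually enforces what the post describes (key-only logins) before you rely on it. It assumes OpenSSH's directive names and its first-occurrence-wins semantics; the default path is the usual location, and the sample config files exercised in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the linked howto): audit an
# sshd_config for key-only logins before trusting it. Assumes OpenSSH
# directive names; the path default is the usual location.

# Print the effective value of a directive. sshd uses the FIRST
# uncommented occurrence, and anything after a "Match" block is
# conditional, so scanning stops there.
effective_value() {   # $1 = config file, $2 = directive name
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 if the file enforces public-key-only authentication, 1 otherwise,
# printing one line per finding. Missing directives fall back to the sshd
# defaults (password and challenge-response are on unless disabled).
check_key_only() {
    cfg=${1:-/etc/ssh/sshd_config}
    rc=0
    pw=$(effective_value "$cfg" PasswordAuthentication)
    cr=$(effective_value "$cfg" ChallengeResponseAuthentication)
    pk=$(effective_value "$cfg" PubkeyAuthentication)
    [ "${pw:-yes}" = "no" ] || { echo "PasswordAuthentication is '${pw:-yes}', want no"; rc=1; }
    [ "${cr:-yes}" = "no" ] || { echo "ChallengeResponseAuthentication is '${cr:-yes}', want no"; rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "PubkeyAuthentication is '$pk', want yes"; rc=1; }
    return $rc
}

if [ "${1:-}" = "check" ]; then
    check_key_only "${2:-}" && echo "ok: key-only authentication enforced"
fi
```

The order of operations matters when you switch a remote box over: generate the key pair on the workstation (`ssh-keygen -t rsa`), install the public key (`ssh-copy-id`), confirm that a second session logs in with the key, then set `PasswordAuthentication no` and `ChallengeResponseAuthentication no`, validate with `sshd -t`, reload sshd, and only then close the original session. Two caveats the checker reflects: a directive that is only commented out leaves the default (password logins on) in force, and a setting placed after a `Match` block applies only to the matched users or hosts. On OpenSSH 8.7 and later the second directive is named `KbdInteractiveAuthentication`; the old name is still accepted as an alias.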
ohvhost
QUOTE (jjhurani @ Jun 11 2007, 11:11 PM) *
Yes, the IP is still changing, but you could easily crontab something to get the IP of the hostname and allow it through the firewall every X minutes. You might also be able to pay a little extra for a static IP, depending on your ISP.


Unfortunately a static IP plan with the available DSL here is $30 more than what I pay for cable right now. Dynamic IP DSL is $34/mo, static IP cable is $48 and static IP DSL is $79. These are all for the 6Mbps plans (which I need for my real job).

I'll look into DynDNS and options for grabbing my current IP.
James Jhurani
If you're just trying to avoid those annoying sshd crackers, you could just move sshd to a non-standard port. Then you don't have to worry about firewalling everyone out. Those who should have access will know the correct port.
BlueFusion
That will stop script kiddies, but someone with a mind bent on destruction and just a little knowledge of hacking can still figure out the SSH port with nmap or other tools. The RSA key method allows only known computers to authenticate, even if it is on a standard port, so there's practically no chance of brute-force attacks since password authentication is disabled.
James Jhurani
To "hack" the sshd, you would need to actually cause a buffer overflow, then brute force the address and offset (not very likely).


I doubt anyone who is aiming at one particular target would ever try to crack passwords. Password cracking is done based on numbers: out of every 200 servers, at least one admin chose a horrible password. Why spend a month trying to crack a password of "$#@!%mabus1223" when you can spend 5 minutes and find one that used the word "camaro"?

If they really wanted in, the best way to do it is to exploit one of your customers' scripts, then locally exploit the server and gain root.

I personally leave my sshd port open on a non-standard port. But I also check my logs fairly often.

With the RSA method, if they gain root on the server with the RSA keys, they now have access to everything. Believe me, this has happened in the past: all ten of his servers ended up being compromised because of one server that had the RSA keys to all of the others.
BlueFusion
Passless RSA can be problematic if the client host gets rooted. But if you have RSA keys with a password set, they're still not getting in. And if it's a script kiddie, the non-standard port will throw them off. It's just the dedicated "I hate you and your site" hackers that any extra level of protection will slow down or stop. BFD also helps in an effort to stop brute force, but I found it buggy lately. Personally, I set up an iptables table which counts connections from a host to SSH in the last 5 minutes. If they're attempting to connect a 3rd time, packets get dropped until the 5 minutes are up. This prevents brute-force attempts, too. And although strong passwords are the best way to keep things secure, consider it saving bandwidth by not returning those few packets back :-)
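An added example (not BlueFusion's own rules) of the connection-counting iptables setup the post describes, written with the `recent` match: the third new SSH connection from one source within 5 minutes is dropped, and because the DROP rule only reads the list, dropped attempts do not refresh the timer, so the source is unblocked once the earlier entries age out. The port, window length and the dry-run `IPTABLES` variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): throttle new SSH connections per
# source address with the iptables "recent" match. Assumes iptables with
# the recent and state modules; SSH_PORT, WINDOW and IPTABLES are knobs
# for illustration.
SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-300}"            # seconds; 5 minutes as in the post
IPTABLES="${IPTABLES:-iptables}"   # set to "echo iptables" for a dry run

ssh_throttle_rules() {
    # 1. If this source already has 2 recorded new connections within the
    #    window, this is the 3rd attempt: drop it. --rcheck only reads the
    #    list, so the dropped packet does not refresh the timestamps and
    #    the source stays blocked until the earlier hits age out.
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --rcheck --seconds "$WINDOW" --hitcount 2 --name SSH -j DROP
    # 2. Otherwise record this new connection for the source and let the
    #    rest of the chain decide whether to accept it.
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m recent --set --name SSH
}

if [ "${1:-}" = "apply" ]; then
    ssh_throttle_rules
fi
```

Two practical notes. The rules count TCP connections, not password guesses, so a client that tries many passwords inside one session is not slowed by this; pair it with a low `MaxAuthTries` in sshd_config. And an ACCEPT rule for a trusted address inserted earlier in the INPUT chain is matched before these rules, so your own host is never throttled. You can inspect the tracked sources in `/proc/net/xt_recent/SSH` on current kernels.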
James Jhurani
QUOTE (BlueFusion @ Jun 12 2007, 01:14 PM) *
Passless RSA can be problematic if the client host gets rooted. But if you have RSA keys with a password set, they're still not getting in. And if it's a script kiddie, the non-standard port will throw them off. It's just the dedicated "I hate you and your site" hackers that any extra level of protection will slow down or stop. BFD also helps in an effort to stop brute force, but I found it buggy lately. Personally, I set up an iptables table which counts connections from a host to SSH in the last 5 minutes. If they're attempting to connect a 3rd time, packets get dropped until the 5 minutes are up. This prevents brute-force attempts, too. And although strong passwords are the best way to keep things secure, consider it saving bandwidth by not returning those few packets back :-)



lol "I hate you and your site".

Rather than going on with this forever, the moral of the story is that there are several ways to secure your system. But short of unplugging the server and throwing it in a volcano, if someone is dedicated enough they will get in. As admins, all we can do is make it as hard as possible.
ohvhost
QUOTE (jjhurani @ Jun 12 2007, 06:24 PM) *
lol "I hate you and your site".

Rather than going on with this forever, the moral of the story is that there are several ways to secure your system. But short of unplugging the server and throwing it in a volcano, if someone is dedicated enough they will get in. As admins, all we can do is make it as hard as possible.



Well, the argument will never be resolved, as we all have different ideas/solutions.

As for the dynamic IP issue, I suppose I can figure something out or have tech support drop my IP from the firewall if I end up locked out.
James Jhurani
QUOTE (ohvhost @ Jun 12 2007, 01:39 PM) *
Well, the argument will never be resolved, as we all have different ideas/solutions.

As for the dynamic IP issue, I suppose I can figure something out or have tech support drop my IP from the firewall if I end up locked out.


You could also just keep an eye on your IP address and watch how it changes, e.g. are you always in the same B block, and such. At the very worst, you could add the entire 67.* A class to your iptables accept list.