  1. #1

    Static IP for home for more secure server/site admin access who does it?

    I am thinking of going to the next level of security for my VPS and only allow DC and my home IP access via root. Who here has a static IP from home and uses it for more secure server access, website admin access etc? Shaw will give me one for $30/month more than I pay now ($20 if I go for a slower connection which is 5/512 vs 10/1).

  2. #2
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    Quote Originally Posted by Mac Write
    I am thinking of going to the next level of security for my VPS and only allow DC and my home IP access via root. Who here has a static IP from home and uses it for more secure server access, website admin access etc? Shaw will give me one for $30/month more than I pay now ($20 if I go for a slower connection which is 5/512 vs 10/1).
    Pick up a $10 VPS and use it as an SSH gateway

    much cheaper
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  3. #3
    Quote Originally Posted by layer0
    Pick up a $10 VPS and use it as an SSH gateway

    much cheaper
    Then it would be insecure and also low quality for that price. Also wouldn't be managed so I would have to manage it + my managed VPS.

  4. #4
    Join Date
    Apr 2004
    Location
    Australia
    Posts
    419
    Using a VPS as a proxy / gateway is a reasonably good idea, didn't come to me straight away haha, would be easy to secure this box to the needs of being a gateway and would require little maintenance.

    Failing this, use a dynamic DNS service, one that updates a domain name to your dynamic IP. suggested to google 'dyndns'.

    Possible security flaws: The only security of this method is a username and password and then anyone could use your domain name to get to the shell login.

  5. #5
    Already have a home network domain but it can't do reverse DNS so it's useless (which is what's needed for secure access).

  6. #6
    Join Date
    Apr 2004
    Location
    San Jose
    Posts
    902
    I have a static IP at home, and have locked my server down to only accept SSH connections from it and one other server I have access to.
    Specializing in MySQL and website tuning for high traffic sites. cmwsci.com/

  7. #7
    Join Date
    Apr 2005
    Location
    Oz
    Posts
    3,498
    I just change the SSH port or make the SSH login list very restrictive, as well as run a brute force blocker. Limiting SSH access to one IP means you can only troubleshoot from that IP. What if you're away, or what if there's a problem with your home connection and you need to access your servers?


    Alex

  8. #8
    Quote Originally Posted by sailorFred
    I have a static IP at home, and have locked my server down to only accept SSH connections from it and one other server I have access to.
    My dynamic IP doesn't change often, but the problem is that when it does change (months/year??) I have to go in and edit countless .htaccess files to change my IP. Unless you've got any tricks for a one click BBEdit setup. How have you locked down your server? Can you lock down SSH based on IP connecting to? Like IP XXX.XX.XX.5 can only be used for root login while IP XXX.XX.XX.6 can be used for normal account login but not root login (also thinking about SSH keys on top of this).

    So how do you have your security setup? I think being paranoid is very good and I have LiquidWeb Datacenter doing all the management and security monitoring.

    If I let Jailed SSH access (needed so I can kill FTP and require SFTP only) can I lock it down so they have to connect to XX IP and that IP doesn't allow root access etc?

  9. #9
    Join Date
    Nov 2005
    Location
    Minneapolis, MN
    Posts
    1,648
    Just use SSH keys instead of passwords for access. If a hacker can guess the private key for a 1536bit RSA cryptographic hash, then you've got bigger things to worry about.
    Eric Spaeth
    Enterprise Network Engineer :: Hosting Hobbyist :: Master of Procrastination
    "The really cool thing about facts is they remain true regardless of who states them."

  10. #10
    Do I have to generate SSH keys per account on the server? Also SSH Keys don't work for .htaccess so I would still need to enter an IP in the .htaccess file (which would be ok to change, but when you have 10-30 files…well then……)

  11. #11
    Join Date
    Nov 2003
    Location
    Auckland, New Zealand
    Posts
    584
    You can pick up very cheap $5 - 10 shell accounts. They give you an IP address and you're off. Most of them have an ssh client installed so it won't be a problem. HOWEVER, quite a few of the providers put a clause in their contracts that you are not allowed to make SSH connections to other servers using their system as an intermediary.
    BLUETRIDENT.NET - Reliable Shared, Reseller and Dedicated Hosting Solutions Provider
    Managed Hosting with Personal Service
    Highspeed Content Servers, Lighttpd, Ruby on Rails, Cluster Servers & Rich Web Application Hosting

  12. #12
    Quote Originally Posted by ImZan
    You can pick up very cheap $5 - 10 shell accounts. They give you an IP address and you're off. Most of them have an ssh client installed so it won't be a problem. HOWEVER, quite a few of the providers put a clause in their contracts that you are not allowed to make SSH connections to other servers using their system as an intermediary.
    Which means I am back to square one. Who here uses a static IP as part of their security setup to their VPS/Dedicated/etc?

    Anyone have a script that can do a search/replace server side (or for BBEdit) so that I can stick with a Dynamic IP and when it changes run the script to change the IP in all the htaccess files?
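
Added example, not part of the original thread: one way to do the server-side search/replace asked for above, swapping the old allow-listed IPv4 address for the new one in every `.htaccess` file under a directory. The function names, the `.bak` backup naming and the sample addresses in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): replace one allow-listed IPv4
# address with another in every .htaccess file under a directory tree.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# update_htaccess_ip ROOT OLD NEW: prints how many files were rewritten.
update_htaccess_ip() {
    root=$1; old=$2; new=$3
    if ! is_ipv4 "$old" || ! is_ipv4 "$new"; then
        echo "both addresses must be valid IPv4" >&2
        return 2
    fi
    # Escape the dots, and require a non-address character on both sides,
    # so 203.0.113.7 never matches inside 203.0.113.70 or 1203.0.113.7.
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    pat="(^|[^0-9.])$old_re([^0-9.]|\$)"
    changed=0
    # -type f ignores symlinks, so a planted link cannot redirect the edit.
    list=$(find "$root" -type f -name .htaccess)
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        grep -Eq "$pat" "$f" || continue
        cp -p "$f" "$f.bak" || return 1   # keep the old rules for rollback
        # Two passes: adjacent matches share a separator the first pass consumes.
        sed -E -e "s/$pat/\1$new\2/g" -e "s/$pat/\1$new\2/g" "$f.bak" > "$f" || return 1
        changed=$((changed + 1))
    done <<EOF
$list
EOF
    echo "$changed"
}

# Run as: script ROOT OLD_IP NEW_IP
if [ "$#" -eq 3 ]; then update_htaccess_ip "$@"; fi
```

Files that do not contain the old address are left untouched and get no backup, so the printed count shows how many access rules actually depended on the old IP.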

  13. #13
    Join Date
    Dec 2003
    Location
    ON, Canada
    Posts
    62
    Quote Originally Posted by Mac Write
    I am thinking of going to the next level of security for my VPS and only allow DC and my home IP access via root.
    Shouldn't the first level of security be disabling direct root access? It's the first thing I do when setting up a new server with sshd.

  14. #14
    Quote Originally Posted by STH-Peter
    Shouldn't the first level of security be disabling direct root access? It's the first thing I do when setting up a new server with sshd.
    I need direct root access for easy file access for /etc/ via SFTP using Transmit/BBEdit. I already run SSH on an alternative port which hasn't been guessed yet and is high up there.
