I'm currently working for a startup company who maintains a server on AWS. Currently, our server is set up so that in order to access it via SSH, you need to be on a white listed IP (set up in AWS) and have a valid RSA key to connect.

However, the current developer we are working with has a dynamic IP that changes from day to day, which makes maintaining the white list a time-consuming endeavor (different time zones, communication, etc.).

How much of a security risk is it in the short term to drop the white list while we work with this developer?

Note: The server currently doesn't contain any truly sensitive data (just some proprietary code), however in the near future it will.

Scott F
  • 51
  • 2

2 Answers2


How much of a security risk is it in the short term to drop the white list while we work with this developer?

Quite much none, if you and the other developers protect their keys (store encrypted files, have encrypted hard drives) and password authentication is disabled in the SSH server.

If you disable password authentication, the targeted attack using guessing public key (and private key) does not make sense, unless somebody leaks the private key (somebody computer is infected by some virus/malware or stolen with unencrypted key/hard drive).

Note, that you can set at least others developers keys to be accessible only from specific IP, by prepending from="pattern-list" in front of the public key in authorized_keys file. Since it can contain also patters, you can create a mask for your "dynamic" developer too.

  • 5,229
  • 16
  • 31
  • Thanks for you insight! I'll look into prepending from="pattern-list" to some of the other developer's keys, as I personally can't verify their security practices for keys. I'm assuming, to make a key only usable from a specific IP address, I simply replace "pattern-list" with "ip-address"? – Scott F Aug 04 '17 at 19:17

As long as it is set up properly and uses strong keys, the risk is extremely low.

SSH key authentication is sufficient for protecting an SSH server that is exposed to the internet.

I also suggest using fail2ban, as well as configuring your firewall to limit SSH connections.

ufw limit 22 if you're using UFW and port 22.

IP whitelisting is extra hardening. Perhaps you could find the range of IPs that the developer's ISP allocates from and whitelist the whole range?

  • 425
  • 1
  • 3
  • 10
  • Thanks for your insight! I had considered whitelisting a range of IP's, but based on his comments it appeared that this method was unfeasible. The server currently is set up with an open http port as well as the aforementioned SSH port. Will fail2ban just affect the SSH port, or might it have an adverse affect on the open http port as well? – Scott F Aug 04 '17 at 18:45
  • 1
    Fail2ban reads from auth.log and temporarily blocks IP addresses that have multiple failed authentication attempts. Your web server should be fine. If for some reason your web server is authenticating users against the Linux users or groups, you may have issues, but this is an unlikely setup. – jamieweb Aug 04 '17 at 18:54