
This is probably a dumb question as I am a developer rather than a sysadmin, but here is my situation:

I have a client for whom I created a site hosted on a server in the cloud. I configured hosts.deny to deny all and hosts.allow to accept only connections from my home and a server at work.

My fear is that I could someday become locked out of this server as my home IP changes occasionally.

Is there any (super cheap) kind of service that would allow me to ssh into the server from a known IP in the case that I became locked out of the server?

I've considered a micro-instance at ec2, but the cost over time is not trivial. Any other clever suggestions are welcome.

Thanks!

nedblorf

  • dyn-dns and similar could give you what you need, but configuring public-key access only + fail2ban should be good enough – dawud May 14 '13 at 11:12
  • Another solution is to have a CGI script on a web page that is password protected, and which when you connect and authenticate to it will store your IP address in a file. Then have another script that will look in that file and add the address in it to hosts.allow. Do a web search for "ssh web knocking" for implementations. – Jenny D May 14 '13 at 12:10
  • When you get locked out, fire up an EC2 micro instance (which'll have a fresh IP) and use that to log in and unblock your personal IP. Easy and it'll cost you $0.02 if you can do it in less than an hour. :-) – ceejayoz May 14 '13 at 14:22

3 Answers

I have a client for whom I created a site hosted on a server in the cloud. I configured hosts.deny to deny all and hosts.allow to accept only connections from my home and a server at work. My fear is that I could someday become locked out of this server as my home IP changes occasionally.

That you're assuming the solution to this problem is that you need a second server with a static IP to begin with really seems strange. For example, my home server is set up like this:

  • denyhosts makes sure malicious SSH logins are blocked -- the whole Internet is welcome to try but if you fail five times, you are banned forever (or until manually reset)

  • non-standard SSH port to avoid the majority of bruteforce bots out there

  • user "root" is disabled

For an enterprise solution, I would add the following:

  • Set up passwordless key-based authentication (don't lose the key)

  • Whitelist the IP-ranges for the ISP or country of you and the server at work, making dynamic IP a non-issue but still keeping anyone else out.

Even if you think this solution is way off, I would suggest you re-think the sanity of getting an entirely separate server just to bypass a badly configured blacklist.

pzkpfw

Maybe you could speak with your ISP about getting a static IP; some of them do offer services like that.

Alternatively, I think an EC2 Elastic IP might be useful: http://aws.amazon.com/articles/1346

Keep the IP address in EC2 and create a micro instance in case you lose access from home. You will only need to pay for the time the micro instance is up.

EDIT: Note that the IP address, while not in use, will cost 0.005 dollars per hour. This is not much, however.

Also, this could be used as a complement to the 5-tries-then-block setup that bigbadonk420 mentioned (in case you are clumsy).

nenne

You can use hostnames / domains in your hosts.allow. So using a dyndns provider like dawud mentioned is a good approach.

Pascal Schmiel