
I have many servers on different providers. On each server I have permitted ssh access to port 22 only to a whitelist of IPs.

If I need to change/add an IP address I must change the configuration on each server... are there any solutions for a centralized IP whitelist? Maybe based on a DNS TXT record, that way I just need to change that DNS record to update all whitelists on every server.

Thanks!

nulll
IP-whitelisting is usually done at the IP level, thus you need firewall rules. DNS should not have anything to do with that, it's a much bigger point of attack this way (if clients read the list, they can attempt IP-spoofing). You could add a cron-controlled script on the servers that regularly checks for and, if existent, downloads a script with iptables commands from a secure, centralized location, then executes it and then reports back to the central server that it has updated the firewall (with timestamp and hostname, for example, so you can keep track of updates). – Broco Mar 15 '18 at 11:50

1 Answer


Centralized Management

The first thing that comes to mind is Ansible. It can learn information about your hosts and help you keep track of them and what is running on them. That might be a good place to manage sshd and firewall configuration for your hosts.

Another, simpler method could be to have an HTTPS URL that requires some method of authentication and serves a simple text file of IPs and CIDR blocks to which you want to permit access. Your hosts could simply fetch that read-only file and apply it using whatever scripting or tools you have on each host.

Aaron
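The answer's second suggestion (each host fetches an authenticated, read-only text file of IPs and CIDR blocks) and Broco's comment (a cron-run script that applies the downloaded list to the host firewall) describe the same pipeline from two ends. The script below is an added example, not code from the question, the answer or any project mentioned here. It assumes a hypothetical HTTPS endpoint and bearer token for `fetch_allowlist()`, uses a constructed in-memory sample list so it runs offline, and renders an nftables ruleset (for `nft -f`) rather than the iptables commands the comment mentions; nothing is executed against a real firewall. The point it adds is the fail-closed validation a practitioner wants on every host: a malformed line, a host-bits typo, an over-broad prefix such as `0.0.0.0/0`, or an empty (truncated) download rejects the whole update, so the host keeps its current rules instead of applying a partial or accidentally open list.

```python
"""Apply a centrally managed SSH allowlist to a host firewall (added example).

Assumed model: a small text file of IPs/CIDR blocks is fetched from a central
HTTPS endpoint (hypothetical URL and token) and validated before any rule is
generated. The constructed SAMPLE_ALLOWLIST stands in for that download so
the script runs offline. Output is nftables ruleset text; it is not applied.
"""
import ipaddress
import urllib.request

# Constructed sample of what the central allowlist file might contain.
SAMPLE_ALLOWLIST = """\
# SSH admin sources, managed centrally
203.0.113.10
198.51.100.0/24
2001:db8:ab::/48   # office IPv6
"""

# Policy: refuse prefixes wider than these so that a typo such as 0.0.0.0/0
# or 10.0.0.0/1 cannot silently open port 22 to the world.
MIN_PREFIX_V4 = 8
MIN_PREFIX_V6 = 32


class AllowlistError(ValueError):
    """Raised when the fetched list must not be applied."""


def fetch_allowlist(url, token):
    """Download the list over HTTPS with a bearer token (hypothetical endpoint; not used offline)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_allowlist(text):
    """Validate every line and return ip_network objects, or raise AllowlistError.

    One bad line rejects the whole update: the host keeps its current rules
    rather than applying a partial or accidentally open list.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        try:
            # strict=True refuses a CIDR with host bits set (likely a typo).
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            raise AllowlistError(f"line {lineno}: {line!r}: {exc}") from exc
        limit = MIN_PREFIX_V4 if net.version == 4 else MIN_PREFIX_V6
        if net.prefixlen < limit:
            raise AllowlistError(f"line {lineno}: {net} is wider than /{limit}")
        networks.append(net)
    if not networks:
        # An empty list (e.g. a truncated download) would lock everyone out.
        raise AllowlistError("allowlist is empty; refusing to apply")
    return networks


def render_nft_ruleset(networks):
    """Render an nftables ruleset (text for `nft -f`) allowing SSH only from the list."""
    v4 = [str(n) for n in networks if n.version == 4]
    v6 = [str(n) for n in networks if n.version == 6]
    lines = ["table inet ssh_allow {"]
    for name, typ, elems in (("admins_v4", "ipv4_addr", v4), ("admins_v6", "ipv6_addr", v6)):
        # nft rejects an empty `elements = { }`, so omit the clause for an empty set.
        body = f"flags interval; elements = {{ {', '.join(elems)} }}" if elems else "flags interval;"
        lines.append(f"    set {name} {{ type {typ}; {body} }}")
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        "        tcp dport 22 ip saddr @admins_v4 accept",
        "        tcp dport 22 ip6 saddr @admins_v6 accept",
        "        tcp dport 22 drop",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def build_ruleset(text):
    """Parse and render in one step; returns ruleset text or raises AllowlistError."""
    return render_nft_ruleset(parse_allowlist(text))


if __name__ == "__main__":
    # Offline run over the constructed sample. A cron job on each host would
    # call fetch_allowlist() instead and pipe the result to `nft -f -`.
    print(build_ruleset(SAMPLE_ALLOWLIST))
```

On a real host the cron job would wrap this so that `AllowlistError` logs and exits non-zero without touching the firewall, and the reporting step from the comment (hostname plus timestamp sent back to the central server) would run only after `nft -f` succeeds; that way the central server's "last updated" record tells you which hosts are still on an old list.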