
I often discover that my IP address (Google "what is my IP") has changed, so SSH into my EC2 fails, since it accepts SSH only from my IP address.

What are my options?

1) Ask my ISP for a static IP address?
2) Open EC2 to accept SSH from 0.0.0.0/0 and rely on the private key .pem file only?
3) Keep changing my IP address in the AWS security group, as well as at the other hosting company for my MongoDB.

Any other suggestions?

Citizen
Fred J.
    Personally, I don't see the problem with having SSH open to the world, perhaps on a different port to avoid your SSH connection being DOSed by all those brute force login attempts. – Halfgaar Oct 30 '16 at 19:20
    Before I got a static IP for my home machine, I found that my dynamic IP always stayed within the same class C block, so I just opened access to that block (i.e. 10.100.20.0/24). Even if you had to use a /16 or even a /8 you'd still be blocking access from most of the internet. – Johnny Oct 31 '16 at 05:55

4 Answers


Go with #3. It's trivial to write a small script you can run that will:

  1. Fetch your current public IP
  2. Use that IP and awscli to update your security group

Stick this script on your desktop and you're two clicks away from updating your SG. Or even better, run it via cron on the hour.

EEAA

While the other two answers provide a more secure solution, I would recommend option 2, provided you do not allow password authentication in SSH, only public key. You also need to make sure that all users whose public key is loaded know how to secure it and how to detect whether they have inadvertently disclosed their private key.

The reason for option 2 is:

If this server does anything halfway productive, then the reduced response time from being able to access it from anywhere with your laptop, or even your phone, to diagnose or fix something is worth the slight reduction in security layers. Having to drive or even fly home in an emergency can be a deal breaker. Of course, mileage will vary with team size, but your question sounds like you are the only one accessing it.

jdog

I have a better solution for you; let's call it number 4:

  1. Run an OpenVPN server on your EC2 instance
  2. Configure your security group to allow OpenVPN connections from the whole internet
  3. Access your SSH only via OpenVPN.

You can use SSH from anywhere and it will be hidden from all the bad bots. Of course, you have to authenticate yourself to the VPN with certificates you generate for yourself, and you have to keep your private keys really private.

Jai Chauhan
Ondra Sniper Flidr
    Or just use public key auth with SSH. It's just as secure as OpenVPN. – Navin Oct 30 '16 at 23:06
    @Navin The point is that putting ssh behind VPN adds another layer of security that must be breached before possible compromise. – EEAA Oct 30 '16 at 23:33
    If he runs the OpenVPN server on the same EC2 machine as his ssh server, then he's not adding an additional layer of security, he's adding a different layer of security -- if someone breaches OpenVPN, that may be as bad as breaching ssh. To make it an additional layer of security, host the OpenVPN server on a different machine – Johnny Oct 31 '16 at 05:49

Another option may be to add a new user with a random name to sudoers, say "myn1cknamez". Then in the OpenSSH server you disable password login and disable root access. Then at the end of /etc/ssh/sshd_config you add:

    Match User myn1cknamez
        PasswordAuthentication yes

if you want to input your password.

Or you can even use Match User to enable passwordless login once you have exchanged your key with this user on your VM.

x86fantini
    Why do you people downvote my answer? If anything is wrong, just say it... how am I supposed to learn if no one tells me anything? – x86fantini Oct 31 '16 at 05:43
    This doesn't solve his problem - he has a valid SSH key that will let him log in to the machine, there is no reason to use a password. What he needs is to find a safe way to allow him to access the machine when his ISP assigns a new IP address to his SSH client machine - he doesn't want to open up the machine to allow anyone in the world to connect via SSH. – Johnny Oct 31 '16 at 05:52
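Added example, not code from jdog's or x86fantini's answers: a small audit script for the precondition jdog's answer relies on, "no passwords in SSH, only public key". It parses sshd_config the way sshd applies it, with the directives before the first Match line as global settings and each Match block overriding them for the sessions it matches, so the `Match User myn1cknamez` / `PasswordAuthentication yes` block from the last answer shows up as a finding instead of being masked by a global `PasswordAuthentication no`. Assumptions: the sample config is constructed, only the User criterion of Match is evaluated (blocks with other criteria are not resolved), and the sshd defaults used (PasswordAuthentication yes, PermitRootLogin prohibit-password) are those of current OpenSSH.

```python
"""Audit an sshd_config for password login paths, honouring Match blocks.

Added example, not code from any answer on this page.  sshd applies the
directives before the first Match line globally; each Match block overrides
them for the sessions it matches.  A "Match User ... / PasswordAuthentication
yes" block therefore re-opens password login for that user even when the
global setting is "no".  Only the User criterion is evaluated here (an
assumption for the example); blocks with other criteria are not resolved.
"""
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

Block = Tuple[str, Dict[str, str]]   # (Match criteria, "" for global section; directives)

# Constructed sample: hardened global section plus the Match block from the
# last answer above.  Not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no     # global: keys only
PubkeyAuthentication yes

Match User myn1cknamez
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> List[Block]:
    """Split an sshd_config into its global section and Match blocks.

    Keywords are case-insensitive and may be written "Key value" or
    "Key=value".  Within a section the first value for a keyword wins, as in
    sshd itself.
    """
    blocks: List[Block] = [("", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def _user_matches(criteria: str, user: Optional[str]) -> bool:
    """True if a Match block's criteria name this user (User criterion only)."""
    tokens = criteria.split()
    pairs = dict(zip(tokens[::2], tokens[1::2]))
    if user is None or {k.lower() for k in pairs} != {"user"}:
        return False        # Address, Group, ... are not evaluated in this example
    patterns = next(v for k, v in pairs.items() if k.lower() == "user").split(",")
    return any(fnmatch.fnmatchcase(user, p) for p in patterns)   # sshd-style wildcards


def effective_value(blocks: List[Block], key: str, user: Optional[str] = None,
                    default: Optional[str] = None) -> Optional[str]:
    """Value sshd would use for `key` in a session of `user`."""
    key = key.lower()
    for criteria, directives in blocks[1:]:
        if key in directives and _user_matches(criteria, user):
            return directives[key]      # first matching Match block wins
    return blocks[0][1].get(key, default)


def password_login_findings(text: str) -> List[str]:
    """Human-readable list of ways a password login could still succeed."""
    blocks = parse_sshd_config(text)
    glob = blocks[0][1]
    findings = []
    if glob.get("passwordauthentication", "yes").lower() != "no":   # sshd default: yes
        findings.append("global: PasswordAuthentication is not 'no'")
    if glob.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("global: PermitRootLogin yes")
    for criteria, directives in blocks[1:]:
        if directives.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {criteria}: PasswordAuthentication re-enabled")
    return findings


if __name__ == "__main__":
    for line in password_login_findings(SAMPLE_SSHD_CONFIG) or ["no password login paths found"]:
        print(line)
```

Point it at the real file with `password_login_findings(open("/etc/ssh/sshd_config").read())`; an empty list means every session, global or matched by user, is key-only.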