Accessing IP restricted server from dynamic IP

Solution 1:

The below script would ping your dynamic address and grab the IP only, and then compare it against the IP stored in last_ip.txt. If they are different, the IP in hosts.allow will be removed and replaced with the new IP, as well as the IP in last_ip.txt.

You can then set this code in your crontab to run every 5 or 10 minutes, or whatever you see fit.

It is not as complex and might solve your problem...

#!/bin/bash

# Placeholder hostname: replace with your own dynamic DNS name.
DYN_IP="www.google.com.br"
FILE="./last_ip.txt"   # relative to the directory cron runs from (normally $HOME)

# ping's first output line looks like "PING host (203.0.113.5) 56(84) bytes of data.";
# the third field is the address in parentheses, so strip the parentheses.
NEW_IP=$(ping -c1 "$DYN_IP" | head -1 | awk '{ print $3 }' | sed 's/[()]//g')

# If resolution failed, NEW_IP is empty or junk; do not touch hosts.allow in that case,
# otherwise the old entry would be deleted and replaced with an empty one.
if ! [[ "$NEW_IP" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
        echo "Could not resolve $DYN_IP, leaving hosts.allow unchanged" >&2
        exit 1
fi

if [ -e "$FILE" ]; then
        OLD_IP=$(cat "$FILE")
else
        OLD_IP="0"
fi

if [ "$OLD_IP" != "$NEW_IP" ]; then
        echo "$NEW_IP" > "$FILE"
        # Anchor the pattern at both ends so "sshd: 1.2.3.4" does not also delete "sshd: 1.2.3.45".
        sed -i "/^sshd: ${OLD_IP}\$/d" /etc/hosts.allow
        echo "sshd: $NEW_IP" >> /etc/hosts.allow
        echo "Allow ip changed to $NEW_IP"
fi

Solution 2:

My current solution for this is webknocking, where I first make a request to a special web page (optionally with my user/pass) that opens up the SSH gates for the IP that I request from. This is how I ssh into some of my servers from my phone. This keeps the extra software involved to a minimum, so I could sit down at some cafe computer and authorize it for standard ssh access in a few seconds, but it keeps the intruders from even being able to play with my ssh port. A drawback of any knocking solution is the extra point of failure. My safety net is a few hard-coded IPs that are allowed access, and if something goes wrong with the knocking scripts or the web server that handles them, I just have to use one of the other machines that has permanent access to get in and fix the broken box.

Alternatively, some dynamic IP systems have "hooks" or "callbacks" that can be used to get an automated notification of IP address changes. This could be via email or an HTTP request that could be used as a "knock". Alternatively, you could script this on the local end so that whenever your network scripts run or your local IP changes, you automatically fire off some kind of knock or trigger that forces an update of the dynamic IP access list.
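The server side of the web knock described above, as an added example that is not part of the original answer: a small CGI script that takes the client address from the standard CGI variable REMOTE_ADDR, checks a shared secret passed as a query parameter, and appends the address to the sshd allow list. The file path ALLOW_FILE, the environment variable KNOCK_SECRET and the parameter name "secret" are assumptions made for this example. The address is validated before it is written anywhere, and a knock with no secret configured is refused rather than silently allowed.

```shell
#!/bin/sh
# Added example (not from the original answer): CGI handler for a "web knock".
# The web server supplies REMOTE_ADDR and QUERY_STRING (standard CGI variables).
# ALLOW_FILE, KNOCK_SECRET and the "secret" parameter name are this example's assumptions.

ALLOW_FILE="${ALLOW_FILE:-/etc/hosts.allow}"
KNOCK_SECRET="${KNOCK_SECRET:-}"   # set in the environment; empty means knocking is disabled

# is_ipv4 <string>: succeed only for a plain dotted-quad address, so that nothing else
# taken from the request can ever reach the allow file.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# knock_allow <client-ip> <presented-secret>: record the address for sshd when the
# secret matches. Exit status 2 = malformed address, 3 = wrong or unconfigured secret.
knock_allow() {
    is_ipv4 "$1" || return 2
    [ -n "$KNOCK_SECRET" ] && [ "$2" = "$KNOCK_SECRET" ] || return 3
    # Idempotent: a second knock from the same address adds nothing.
    if grep -qxF "sshd: $1" "$ALLOW_FILE" 2>/dev/null; then
        return 0
    fi
    echo "sshd: $1" >> "$ALLOW_FILE"
}

# CGI entry point: pull secret=... out of the query string and reply in plain text.
cgi_main() {
    secret=${QUERY_STRING#*secret=}
    secret=${secret%%&*}
    printf 'Content-Type: text/plain\r\n\r\n'
    if knock_allow "${REMOTE_ADDR:-}" "$secret"; then
        echo "ssh opened for $REMOTE_ADDR"
    else
        echo "denied"
    fi
}

# Act as a CGI only when a web server invoked us (it sets GATEWAY_INTERFACE);
# otherwise the functions above are just defined for reuse.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    cgi_main
fi
```

Run it as a CGI with KNOCK_SECRET exported to the web server's environment. The script deliberately never expires entries; the hard-coded fallback addresses the answer mentions belong in the same file as static lines, and a cron job can prune knocked entries after a day if that is wanted.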

Solution 3:

I can understand your concern about 3rd parties playing with an open SSH port. I have solved this in a different manner. On my private server, the SSH port is open to everybody, but it is monitored by fail2ban, a smart little package available for Debian (and probably most other distros, too). As soon as somebody fails to log in after 3 attempts from the same IP address, that address gets blocked in the firewall for several days.

Ever since I installed this, I have had peace and quiet on my server. And I can still log in (using my key from a USB stick) from anywhere in the world.

If you are the only one logging in to that server, you could also do a simple port forward in the firewall or run sshd on a different port.
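As an added example that is neither part of the original answer nor fail2ban's own code, here is the core of what fail2ban's sshd jail does, written as a POSIX shell/awk filter: it reads auth log lines, counts "Failed password" events per source address and prints every address that reached the threshold (3, as in the answer). The log lines are constructed samples in documentation address ranges; the function name ban_candidates is this example's own.

```shell
#!/bin/sh
# Added example (not from the original answer, not fail2ban code): count failed sshd
# logins per source address and report those at or above a threshold.

# Constructed sample auth log lines (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar  1 10:00:03 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50123 ssh2
Mar  1 10:00:05 host sshd[1203]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar  1 10:00:09 host sshd[1210]: Accepted publickey for alice from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:12 host sshd[1215]: Failed password for bob from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:20 host sshd[1220]: Invalid user test from 192.0.2.77 port 33001
Mar  1 10:00:21 host sshd[1220]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
Mar  1 10:00:25 host sshd[1220]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
EOF
)

# ban_candidates <threshold>: reads log lines on stdin and prints "ip count" for every
# address with at least <threshold> failed password attempts, sorted by address.
# Only "Failed password" lines count, so the successful publickey login is ignored
# and "Invalid user" lines are not double-counted against the matching failure.
ban_candidates() {
    threshold=${1:-3}
    awk -v max="$threshold" '
        /Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { fails[$(i + 1)]++; break }
            }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# Stand-alone run over the sample log with the answer's threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3
```

On the sample input only 198.51.100.23 reaches three failures; 192.0.2.77 stops at two and would be caught by a lower threshold, while 203.0.113.5 has one failure next to a successful key login and is left alone. fail2ban adds the time window (findtime) and the expiry of the ban (bantime) on top of this counting; with a script like this in cron you would pass the output to your firewall yourself.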

Solution 4:

I'd suggest port knocking as an alternative; alternatively, rent an SSH account on a 3rd-party server and SSH from there.

Solution 5:

I would approach this in a different way. Rather than having each of your servers maintain a list of whitelisted IPs, I would configure them all to only allow ssh from "internal" IPs. Then set up a separate gateway/landing-pad host that you can VPN into. Now you can bounce through that box to reach the rest of the servers securely.

This limits your attack surface to a single box, instead of all of your boxes. Additionally, many/most VPN solutions allow you to enhance the security requirements for a connection, using certificates, two factor authentication, and other things along with (or instead of) simple passwords. All in all, this will give you greater security, greater flexibility, and much better maintainability.

There are a number of VPN options available (I'm a big fan of OpenVPN, myself) that you can use to properly set up a secure access point for your devices. Many of them are relatively easy to set up, and for a small setup like this, they require minimal resources.