How can I restrict SSH access when the source IP is dynamic

Solution 1:

I would recommend losing the IP restriction and require both key based and password based authentication to login. I think this would get you better security in the end and then you won't have to worry about dynamic IPs.

Solution 2:

You might want to consider port knocking http://en.wikipedia.org/wiki/Port_knocking and http://www.zeroflux.org/projects/knock to allow the opening of specific dynamic IPs for a limited time and revoking them later.

I haven't used this method personally, but there are some good looking examples on the site.

Solution 3:

How many staff with dynamic IPs? If a small number, you could just pay for them to have static IPs and you keep your security policy intact and config simple. I'm sure you already considered that.

If you are willing to loosen some policies, you could in theory find out your staff ISP subnets and limit access to those, which may reduce exposure significantly, although I think this would be an unusual approach.

If you are serious about securing SSH you should be looking at key logins only, with some requirements that the keys are password protected, and possibly even expiring them on a scheduled basis.

Don't give your SSH users root access. Use sudo to give access to root type commands. Use logwatch or similar to keep an eye on what is going on.

Also, this is a web server - your default config of SSH is probably far more secure than other aspects of the system you are deliberately exposing to the internet, even if a compromise would be more serious. Don't forget about securing the rest of the server and the code you run on it.

An excellent guide to securing a Linux server can be found here. Specifics are CentOS/RedHat, but it goes over a lot of options common to all distros.
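As an added example (not part of any answer above), a small POSIX shell audit that checks an sshd_config for the settings Solution 3 argues for: key-only logins, no root login, and an explicit user/group allow-list instead of a source-IP restriction. File paths and the sample configs are constructed for the example; the defaults assumed for absent directives follow current OpenSSH documentation.

```shell
#!/bin/sh
# Added example, not from the original answers: audit an sshd_config file
# for key-only login, no root login and an explicit allow-list. Only
# top-level directives are inspected; Match blocks are skipped.

# Print the effective value of a top-level directive. sshd uses the FIRST
# occurrence of a keyword, so later duplicates are ignored; $3 is the value
# assumed when the directive is absent. Only "Key value" syntax is parsed.
sshd_directive() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
    /^[[:space:]]*#/ { next }                 # comment line
    tolower($1) == "match" { in_match = 1 }   # everything after Match is conditional
    in_match { next }
    tolower($1) == key && !found { val = $2; found = 1 }
    END { print (found ? val : dflt) }
  ' "$1"
}

# Compare a directive (falling back to its default) with the expected value.
# Prints a finding and returns 1 on mismatch, 0 when compliant.
check_directive() {
  file=$1; name=$2; expected=$3; dflt=$4
  actual=$(sshd_directive "$file" "$name" "$dflt" | tr 'A-Z' 'a-z')
  [ "$actual" = "$expected" ] && return 0
  printf 'FINDING: %s is "%s", expected "%s"\n' "$name" "$actual" "$expected"
  return 1
}

# Run every check; the return value is the number of findings (0 = clean).
audit_sshd_config() {
  f=$1; n=0
  check_directive "$f" PermitRootLogin no prohibit-password || n=$((n + 1))
  check_directive "$f" PasswordAuthentication no yes       || n=$((n + 1))
  check_directive "$f" PubkeyAuthentication yes yes        || n=$((n + 1))
  check_directive "$f" ChallengeResponseAuthentication no yes || n=$((n + 1))
  # Key-only auth still admits any account that has an authorized_keys file;
  # require an explicit AllowUsers or AllowGroups allow-list as well.
  if [ -z "$(sshd_directive "$f" AllowUsers "")$(sshd_directive "$f" AllowGroups "")" ]; then
    echo "FINDING: no AllowUsers/AllowGroups allow-list"; n=$((n + 1))
  fi
  return "$n"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config (no argument: only define the functions)
if [ -n "${1:-}" ]; then audit_sshd_config "$1"; fi
```

On a live host, `sshd -T` prints the fully resolved configuration and is the more reliable input when Include or Match directives are in play.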