
Sajan Parikh

join:2011-03-05
Walcott, IA
reply to Sajan Parikh

Re: [IA] Dedicated IP from Mediacom?

Keep in mind, I'm not looking for an A record to stay updated with my current IP.

I'm looking for my outbound connections to be from the same IP.

These are two different things. So services like DynDNS and DNSExit are not applicable.

The cron jpatton is talking about may work, but the amount of servers and iptables rules that are on each...makes me wary of doing it that way.
--------------------------------------

I've had the same dynamic IP for a while as well. However that's certainly not something I can rely on.


OldCableGuy

@communications.net
Security as you've described is extremely insecure. Source IP can be spoofed extremely easily and then all your iptables rules are completely null and void. Why not just set up SSH keys like everyone else since the end of the 20th century and be done with it? There is no way to break a 2048 bit SSH key and you can configure SSH to only allow your key to connect.

Sajan Parikh

join:2011-03-05
Walcott, IA
It's not an either/or proposition. We of course use SSH keys, but again that is for the authentication. I was looking for a way to drop the packet completely if it was from an unknown source...before SSH keys would even come into play.

Also, access to this server isn't simply by SSH. So the other software that we're connecting to on the server doesn't use SSH authentication, which is why this is being done on the firewall.

However, I think I'm going to just keep doing it the way I have been. Rather than getting a static IP from Mediacom, I'll just set up other VPNs in other geographic locations. That should give me the same redundancy.

Plus other people that work for me around the world all have static IPs that are whitelisted...so I shouldn't ever get into a situation where I'm completely locked out of my system.

If I do...I guess I'd just need to drive out to each datacenter or call their remote hands.
----------------------------------------

I should be fine, would still have preferred a static IP from mediacom for $6-8/mo though.
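
The layer described in the post above (drop traffic from unknown sources at the firewall, before any service's own authentication runs) can be sketched as follows. This is an added example, not code from the thread; the ports and addresses are constructed samples, and it assumes IPv4 sources and TCP services only.

```shell
#!/bin/sh
# Added example. Addresses are documentation ranges used as constructed samples.

# Return 0 if $1 is a strict dotted-quad IPv4 address with optional /prefix.
valid_ipv4_cidr() {
  case $1 in
    */*) addr=${1%/*}; prefix=${1##*/} ;;
    *)   addr=$1; prefix=32 ;;
  esac
  case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    # Reject leading zeros (some parsers read them as octal) and values > 255.
    case $octet in 0?*|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Print an iptables-restore ruleset: default-drop INPUT, accept only the
# listed sources on the listed TCP ports. $1 = comma-separated ports, rest =
# sources. Every input is validated before anything is printed, so a typo
# cannot yield a partial ruleset.
gen_allowlist_rules() {
  ports=${1-}; [ $# -eq 0 ] || shift
  case $ports in
    ''|*[!0-9,]*|,*|*,|*,,*) echo "bad port list: $ports" >&2; return 1 ;;
  esac
  [ $# -gt 0 ] || { echo "refusing to build an empty allowlist" >&2; return 1; }
  for src in "$@"; do
    valid_ipv4_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
  done
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for src in "$@"; do
    printf '%s\n' "-A INPUT -s $src -p tcp -m multiport --dports $ports -j ACCEPT"
  done
  printf 'COMMIT\n'
}

# Sample run; pipe into `iptables-restore --test` to have the ruleset
# parsed without loading it.
gen_allowlist_rules 22,8443 203.0.113.10 198.51.100.0/28
```

Because INPUT defaults to DROP, keep at least one allowlisted source that does not depend on a dynamic address, which is the lockout concern raised in the post.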


OldCableGuy

@communications.net
Obviously you don't know this, but you can tunnel anything through SSH, so you put one SSH server in the DMZ, connect to that, and then tunnel to everything you want to administer. No static IP addresses required, secure enough for PCI and SOX audits. Problem solved, nuff said.

Sajan Parikh

join:2011-03-05
Walcott, IA
lol, that's how I have it set up now. The point of this thread is for what happens if that SSH server goes down.


OldCableGuy

@communications.net
Round Robin DNS to a pool of SSH servers? Load balancing frontend? Just spitballing ideas of how to do this correctly instead of some static IP kludge.

Sajan Parikh

join:2011-03-05
Walcott, IA

1 edit
reply to OldCableGuy

Re: [IA] Dedicated IP from Mediacom?

To be honest, the other solutions you're spitballing are more kludge than static IP.

If I had a business account with Mediacom, I'd use a static IP. That's how I have it with other providers, and that's how businesses with Mediacom do it.

Asking for a static IP is not a workaround, that is THE solution. Just the status of my account prohibits me from getting one from Mediacom.

Edit: When I say that is "THE" solution, I don't mean in terms of overall security.

I'm talking about getting a static IP is what anybody would do first before any sort of DNS round robin.


OldCableGuy

@communications.net
So what happens when you're traveling and don't have access to your static IP?

Your lack of planning tells me you have not thought this through much at all if at all, period.

Also you clearly have never heard of IP spoofing, I could send packets to your device forged as any IP on the net if I wanted to.

What you're suggesting is the same as turning off all encryption on your wifi and doing MAC filtering, laughable security at best.

Sajan Parikh

join:2011-03-05
Walcott, IA
reply to OldCableGuy

Re: [IA] Dedicated IP from Mediacom?

said by OldCableGuy :

So what happens when you're traveling and don't have access to your static IP?

Your lack of planning tells me you have not thought this through much at all if at all, period.

Also you clearly have never heard of IP spoofing, I could send packets to your device forged as any IP on the net if I wanted to.

What you're suggesting is the same as turning off all encryption on your wifi and doing MAC filtering, laughable security at best.

I'm not sure if you've read the thread...but I'm not looking to replace my already existing VPNs and VLANs with simple iptables IP blocking.

Also, I'm not entirely sure where your attitude comes from.

My simple question was if Mediacom could provide me a static IP. Can source IPs be spoofed..yes, does that mean nobody should use them as a security layer even if it adds very little benefit? No.