Firewall Allow dynamic IP

Hi, I have a dynamic IP that updates a domain through DDNS. I would like to set SSH to only allow that IP. I know I can use bash to update a file with a pulled IP, but Hestia requires the IP list to be 10 IPs. Is there a way around this? Or can I use a cron bash script to update the firewall conf directly? Any ideas? Thank you.

If dyndns is down you won’t get in.

Maybe you should disable root login and change ssh port.

Even better, use keys to login.

Harden fail2ban for ssh. And punish recidive.

Allow only IPs from your country to connect via ssh.

Check the Hestia API. You may create and delete rules.

knockd setup…

https://linux.die.net/man/1/knockd

I tried port knocking before, not a big fan.

Root is usually disabled (occasionally enabled for root SFTP).
fail2ban has been made stricter.
Passwords are disabled, it is set to keys, and the users who can SSH are limited.
Port is changed as well.

That is a good idea! I can use bash to pull the ip from domain name and add it to the hestia api firewall rule command!!! So simple… Sometimes fresh eyes see what you don’t lol

Thank you!!!

for anyone looking for the commands to do this:

DYN_IP=$(host YOURDOMAINNAME | awk '/has address/ {print $4}')
v-change-firewall-rule 10 ACCEPT "$DYN_IP" 2244 TCP SSH   # 10 = rule number; open Hestia's firewall rules file to get yours
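A fuller version of the same idea, added here as an example and not part of the post above or of Hestia itself. It resolves the DDNS name with host(1) like the one-liner, but validates that the result is really an IPv4 address, remembers the last address it applied, and only calls v-change-firewall-rule when the address has changed, so a failed lookup (the "if dyndns is down" case mentioned earlier) leaves the existing rule in place instead of writing an empty string into it. The hostname home.example.net, rule number 10, port 2244, the state file path and the CLI path are all assumptions; change them to match your server.

```shell
#!/bin/sh
# Added example, not from the forum post above: keep one Hestia firewall rule
# pointed at the current address of a DDNS hostname, and touch the rule only
# when the address actually changes. The defaults below are assumptions: the
# hostname, rule number 10, SSH on 2244/TCP and the path of the Hestia CLI
# all need to match your own server.
set -eu

DDNS_NAME="${DDNS_NAME:-home.example.net}"                       # assumed DDNS name
RULE_ID="${RULE_ID:-10}"                                         # assumed Hestia rule number
SSH_PORT="${SSH_PORT:-2244}"                                     # assumed SSH port
STATE_FILE="${STATE_FILE:-/var/lib/hestia-ddns/last_ip}"         # remembers the last applied IP
HESTIA_CMD="${HESTIA_CMD:-/usr/local/hestia/bin/v-change-firewall-rule}"

# Strict IPv4 check: four dotted decimal octets, each in 0..255. This is what
# stops an empty or garbage lookup result from being written into the rule.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Resolve the DDNS name to its first A record with host(1), the same tool the
# post uses. Fails (and prints nothing) when there is no usable answer, which
# also covers a CNAME chain with no address at the end.
resolve_ipv4() {
    _ip=$(host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }')
    is_ipv4 "$_ip" || return 1
    printf '%s\n' "$_ip"
}

# An update is needed only when the new address is valid and differs from
# the one applied last time.
needs_update() {
    is_ipv4 "$1" || return 1
    [ "$1" != "${2:-}" ]
}

last_ip() { cat "$STATE_FILE" 2>/dev/null || true; }

record_ip() {
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$1" > "$STATE_FILE"
}

main() {
    if ! _new=$(resolve_ipv4 "$DDNS_NAME"); then
        # DNS down or no A record: leave the existing rule alone rather than
        # replacing its address with an empty string.
        echo "lookup of $DDNS_NAME failed, firewall rule $RULE_ID left untouched" >&2
        return 1
    fi
    if needs_update "$_new" "$(last_ip)"; then
        "$HESTIA_CMD" "$RULE_ID" ACCEPT "$_new" "$SSH_PORT" TCP SSH
        record_ip "$_new"
        echo "rule $RULE_ID now allows $_new on $SSH_PORT/TCP"
    fi
}

# Run only when asked (e.g. from cron), so the functions can also be sourced
# and tested without touching the firewall.
case "${1:-}" in
    --apply) main ;;
esac
```

Schedule it as root every few minutes with `--apply` (for example `*/5 * * * * /usr/local/sbin/ddns-ssh-rule.sh --apply`), in whichever cron the later replies recommend. Keep in mind that until your DDNS provider has published the new address, the rule still holds the old one, so an out-of-band way in (console access, or a second static address in another rule) is worth keeping.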

Remember to use hestia’s Cron instead of system’s cron

I know Hestia wipes the crontab, but what about cron.daily, cron.weekly and so forth?

Hestia only wipes the user crontab, not the system one, so you can use them.
