By: jcsantos

Limit the access to my site to a single dynamic IP

February 18, 2017
DigitalOcean

I have an Ubuntu instance running @aws, and from their control panel | mobileApp I can update the only IP I want to access the website @port 80, 22, which is my home IP but is dynamic, so 2 or 3 times a week it automatically changes and I log in to update that rule.
Therefore I don't do any changes in iptables or nginx.
I haven't subscribed @digitalocean yet, so I'm here trying to figure out if this thing is also that easy to configure here.

Thanks for any support.

2 Answers

@jcsantos

Currently, DigitalOcean doesn't provide a means to limit connections to a single IP or IP range without using a solution within the Droplet (i.e. a firewall, whether ufw or iptables). You'd have to configure this on your own once the Droplet is deployed and live.

I find this question confusing. Is the goal to connect to AWS, or is the goal to set up some service on DigitalOcean?

If you set up a DigitalOcean droplet on FreeBSD, logins use a key rather than a password.

I assume you would have to set up some sort of dynamic DNS scheme. Personally I don't like to do anything that I can't control 100%, so that would be a show stopper for me. That is, I wouldn't want to lock myself out.

There is nothing wrong with being paranoid, but I would set up an OAuth scheme to lock out hackers rather than a firewall. Now that said, I have significant firewall blocking on some of my ports. For instance, geographical blocking on all email ports other than 25. I don't have a reason to retrieve my email from say Kazakhstan, hence I block that country. This snares many a hacker.

You could whitelist your ISP, but IP space is bought and sold and hence dynamic. You could set up port knocking detection:
https://en.wikipedia.org/wiki/Port_knocking

My point is locking yourself out of your VPS is a situation where no one can save you. I'd rsync to another service so at least you don't lose your data.
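
The in-Droplet firewall from the first answer combined with the dynamic DNS idea from the second, as an added example that is not part of either answer. It assumes ufw with a default-deny incoming policy; the hostname home.example.net and the state file path are hypothetical placeholders.

```sh
#!/bin/sh
# Added example: pin ufw access on ports 22 and 80 to the address behind a
# dynamic DNS name. DDNS_NAME and STATE_FILE are assumed, hypothetical values.
DDNS_NAME="${DDNS_NAME:-home.example.net}"
STATE_FILE="${STATE_FILE:-/var/lib/ddns-allow/last_ip}"
PORTS="22 80"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
# Runs in a subshell so the IFS change and positional parameters stay local.
valid_ipv4() (
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
  esac
  IFS=.
  set -- $1
  [ "$#" -eq 4 ] || exit 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
  done
)

# Print the ufw commands that move access from address $1 (may be empty) to $2.
# New allow rules come before the deletes so a session is never cut off, and a
# failed or malformed lookup prints nothing and changes nothing.
plan_rules() (
  old=$1 new=$2
  valid_ipv4 "$new" || { echo "bad address '$new', rules untouched" >&2; exit 1; }
  [ "$old" = "$new" ] && exit 0
  for p in $PORTS; do echo "ufw allow from $new to any port $p proto tcp"; done
  valid_ipv4 "$old" || exit 0
  for p in $PORTS; do echo "ufw delete allow from $old to any port $p proto tcp"; done
)

# Resolve the name, apply the plan, record the address only when all rules took.
apply() {
  new=$(getent ahostsv4 "$DDNS_NAME" | awk 'NR==1 {print $1}')
  old=$(cat "$STATE_FILE" 2>/dev/null)
  plan=$(plan_rules "$old" "$new") || return 1
  [ -n "$plan" ] || return 0
  echo "$plan" | while read -r cmd; do $cmd || exit 1; done || return 1
  echo "$new" > "$STATE_FILE"
}

# Run from cron as root with --apply; without it the file only defines functions.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Because a failed lookup leaves the existing rules in place, a DNS outage does not lock you out; the provider's web console remains the fallback if the recorded address goes stale.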
