
I recently leased a Ubuntu 22.04 VPS server from a data centre in France. My office PC that links to this server is in Ireland.

My mobile internet IP seems to be static, i.e. it is the same from day to day - at least recently, as I haven't been checking before this.

After doing the basics, e.g. establish new user sudo, update system, etc., I enabled ufw and established general access to port 80 and to port 22 but only from my own IP address, xxx.xxx.xxx.xxx/24.

The code went like this:

$ sudo ufw allow 80
$ sudo ufw allow from xxx.xxx.xxx.xxx/24 to any port 22 proto tcp
$ sudo ufw enable

Now after doing this, I exited the server and tried logging in from my home PC. I successfully logged in.

Today, I try to log in again but find my efforts blocked:

$ sudo ssh -p 22 [email protected]
ssh: connect to host xxx.www.yyy.zzz port 22: Connection timed out

A curl test shows no connection either:

$ curl -v telnet://xxx.www.yyy.zzz:22
*   Trying xxx.www.yyy.zzz:22...
* connect to xxx.www.yyy.zzz port 22 failed: Connection timed out
* Failed to connect to xxx.www.yyy.zzz port 22 after 129791 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to xxx.www.yyy.zzz port 22 after 129791 ms: Connection timed out

What am I doing wrong here?

Surely if I coded it incorrectly, I would have been blocked on the login just afterwards rather than a day later . . .

I am wondering . . . must I explicitly allow ssh access on ufw before applying the restriction on calling IPs, e.g.

$ sudo ufw allow 80
$ sudo ufw allow ssh
$ sudo ufw allow from xxx.xxx.xxx.xxx/24 to any port 22 proto tcp
$ sudo ufw enable

EDIT

I acted on suggestions that my IP may be dynamic - although my IP seems to be the same over the last few days. I could have tried the IP address without the /24 subnet but I didn't want the hassle of reinstalling and reconfigging the server all over again. So I just enabled ssh on ufw via

  sudo ufw allow ssh

This allows ssh network connections and SFTP transfers - though without restriction on the IP of the client device. Ideally I'd like to restrict the IP access to my server to only 2 machines, my home workstation and some mobile device.

  • Your home IP changed?
    – vidarlo
    Commented Jun 14 at 11:09
  • As far as I know, the IP can only change within the allowed range, i.e. /24 or any xxx last number.
    – Trunk
    Commented Jun 14 at 11:17
  • instead of sudo ufw allow from xxx.xxx.xxx.xxx/24 try sudo ufw allow from xxx.xxx.xxx.xxx - doesn't make sense to allow from your whole subnet unless you "own" it - is xxx.xxx.xxx.xxx a private IP address?
    Commented Jun 14 at 11:17
  • @Trunk Your knowledge is wrong. There may be any number of IP subnets on the same physical segment, and you have no control over how your ISP allocates IP's. Add carrier grade NAT to the mix...
    – vidarlo
    Commented Jun 14 at 11:19
  • More or less correct. You could look up what IP ranges your ISP has, and maintain that list, but probably not worth the effort. Rather go with disabling password and using keys for authentication.
    – vidarlo
    Commented Jun 14 at 11:23

2 Answers


The IP/24 is most likely your local subnet - private subnet. Something like 192.168.0.50/24. Your ISP will own any number of IPs from any number of public subnets they may own. If your home has a dynamic IP, I would suggest you don’t block port 22 based on IP. Some ways you can secure your server are:

  1. Disallow root logins and have a strong password for all ssh-enabled users
  2. Add 2-factor authentication to SSH using pam.d - see “ssh google Authenticator” for an example
  3. Require a valid VPN session and allow ssh only from within the VPN tunnel - this adds complexity with arguably very little security for a single internet facing server like yours
  4. Use only ssh keys and disable password authentication altogether

Actually options 1+2 and potentially +4 will be good enough. You do not need to block off port 22 from the world, especially since you have a dynamic IP (assumption here, but an educated guess).

  • #1 - done. #2 - possible but not yet done. #3. No VPN used until now, unsure of its benefits. #4 - already using password and key which must be more secure than key alone. If I establish that my mobile internet IP is static, what might I do then ?
    – Trunk
    Commented Jun 16 at 13:07
  • If it’s mobile internet IP, by design it’s not static. I only know of one ISP in the world providing static mobile IPs, and it’s extremely expensive. In any case, it’s most likely dynamic, just keep the port 22 open and with 1,2,4 options you are safe enough. No need to add firewall IP-based protection.
    Commented Jun 16 at 17:47

As others have said, allowing access to your mobile device is likely to be difficult via IP. A better option would be to configure something like Wireguard as a VPN, and then your mobile connects to the VPN and uses a private IP to connect to the server. This way you only need to expose the Wireguard port to the world, and you gain additional security.
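To make the rule sets discussed on this page concrete, the question's /24 restriction (including the "allow ssh first" variant it asks about) and the WireGuard layout this answer proposes, here is a small added model of ufw's first-match rule evaluation; it is not code from the question, the answers or the ufw project. The addresses 198.51.100.23 (office PC), 203.0.113.9 (a mobile session on a different prefix) and the 10.8.0.0/24 tunnel subnet are constructed stand-ins for the masked values, and 51820/udp is WireGuard's default listen port.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
SERVICES = {"ssh": 22, "http": 80}   # /etc/services names used on this page

def parse_ufw_rule(args):
    """Parse 'ufw <args>' arguments into (action, src_net, port, proto); handles only the
    forms on this page: 'allow 80', 'allow ssh', 'allow 51820/udp', 'allow from X/24 ...'."""
    tok = args.split()
    action, src, port, proto = tok[0], ANY, None, None
    i = 1
    while i < len(tok):
        t = tok[i]
        if t == "from":                  # source network; a /24 admits 256 addresses
            src = ipaddress.ip_network(tok[i + 1], strict=False)
        elif t == "port":
            port = int(tok[i + 1])
        elif t == "proto":
            proto = tok[i + 1]
        elif t != "to":                  # bare '80', 'ssh' or '51820/udp'; 'to any' skipped
            p, _, pr = t.partition("/")
            port, proto = int(SERVICES.get(p, p)), pr or None
            i -= 1                       # single token; the keywords above take a value
        i += 2
    return action, src, port, proto

def ufw_decision(rules, client_ip, port, proto="tcp"):
    """First match wins, in the order rules were added; unmatched traffic falls to
    ufw's default 'deny', which DROPs, hence 'timed out' rather than 'refused'."""
    ip = ipaddress.ip_address(client_ip)
    for action, src, rport, rproto in map(parse_ufw_rule, rules):
        if ip in src and rport in (None, port) and rproto in (None, proto):
            return action
    return "deny"

# Constructed stand-ins for the masked addresses (RFC 5737 TEST-NET ranges): office PC
# 198.51.100.23, a mobile session on another prefix 203.0.113.9, assumed WG subnet 10.8.0.0/24.
QUESTION_RULES = ["allow 80", "allow from 198.51.100.23/24 to any port 22 proto tcp"]
OPEN_SSH_RULES = ["allow 80", "allow ssh", QUESTION_RULES[1]]   # the 'EDIT' workaround
WIREGUARD_RULES = ["allow 80", "allow 51820/udp", "allow from 10.8.0.0/24 to any port 22 proto tcp"]

def demo():
    return {
        "ssh_same_/24": ufw_decision(QUESTION_RULES, "198.51.100.200", 22),          # allow
        "ssh_other_prefix": ufw_decision(QUESTION_RULES, "203.0.113.9", 22),         # deny
        "ssh_after_allow_ssh": ufw_decision(OPEN_SSH_RULES, "203.0.113.9", 22),      # allow
        "wg_handshake": ufw_decision(WIREGUARD_RULES, "203.0.113.9", 51820, "udp"),  # allow
        "ssh_from_internet": ufw_decision(WIREGUARD_RULES, "203.0.113.9", 22),       # deny
        "ssh_inside_tunnel": ufw_decision(WIREGUARD_RULES, "10.8.0.2", 22),          # allow
    }
```

Run demo() and compare the verdicts: with only the /24 rule, a client outside that prefix gets the timeout the question reports, and once "allow ssh" is added the later IP restriction no longer limits anything, whereas the WireGuard rule set keeps port 22 unreachable from the internet while still allowing the tunnel handshake.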

  • Just got through to my mobile ISP. They say I can't get fixed IP access using mobile broadband even though my IP is fixed. Something about SIM plans not allowing it.
    – Trunk
    Commented Jun 20 at 14:02
  • Exactly - so don't bother. Set up wireguard and then your mobile appears as within the network from the server's perspective.
    – shearn89
    Commented Jun 20 at 15:37
