I actually had to maintain one of those for a while. But yeah, for a small, tech-oriented group, if you denyhosts and protect against brute force, enforce certs only, it can be done, works ok. But it’s not trivial and doesn’t have a lot of upside.
Nobody is “shoulder surfing.”
You are right for some cases and painfully wrong for others. Shoulder surfing is absolutely a very real concern for plenty of industries, including ones like game design and mobile device design.
If you honestly think there are no blackhat guys trolling the coffee shops outside blizzard or an NSA office to shoulder surf - then you are just revealing your ignorance.
There is no conspiracy among ISPs to rotate IPs in order to sell static ones.
It’s not a conspiracy, it’s just a method of making sure a service they don’t really have a reason to charge for can be charged for and it has literally always been that way. SOURCE: used to work at an ISP.
Some change, some don’t.
Not really, they all change unless you pay for it, never seen it otherwise except for very small carriers that service very remote areas.
As I said - different businesses have different use cases. Some allow working from home but not from random locations, plus they use a work laptop, not a personal device.
How many exploits on SSH? Wanna hop into Shodan and see how many insecure instances are up for grabs? SSH on a public network is dumb, I didn’t say anything, it’s OP’s company that is filtering the access by IP.
You may want to re-read the primary post. OP is trying to ssh into a corporate machine and the issue is their ISP, Bell, regularly updates and changes OP’s IP address which interferes with the business whitelists.
What does shoulder surfing have to do with IP whitelisting? If you’re actually worried about that, then don’t allow your IP off site – obviously.
OP has a very specific requirement of ssh’ing in. No real business has the arcane use cases you dreamed up for argument’s sake.
Right and? Doesn’t change anything. They can still whitelist by hostname with a dynamic IP, meaning OP could provide corp IT with a hostname to whitelist instead of an IP address.
I literally install firewalls and servers for a living. Many, including WatchGuards and open source firewalls like pfSense for example, can do this.
For those that can’t there are tons of solutions. For starters, scripts like this one listed here https://serverfault.com/questions/937248/iptables-whitelist-dynamic-ip-by-hostname
However, the real solution should be corp to implement an in-house VPN solution so a whitelist isn’t required at all. Just make them VPN in and problem solved.
If you or their I.T. don’t know how to do this, then maybe you are in the wrong profession. It is clearly possible to do with a reverse DNS lookup or DIG commands and a simple script.
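The "resolve the hostname and update the rule" approach this comment refers to, written out as an added example (not the commenter's script and not the one at the serverfault link). It assumes a placeholder DDNS name, an iptables chain named SSH_ALLOW that INPUT already jumps to for tcp/22, and `dig` on PATH; it validates whatever DNS returns before it touches a rule, inserts the new address before deleting the old one so the user is never locked out mid-update, and leaves the existing rule alone when the lookup fails rather than failing open:

```sh
#!/bin/sh
# Added example, not code from the thread or from the linked serverfault answer.
# Keeps an SSH allow-rule on a Linux host in sync with a dynamic-DNS hostname.
# Assumptions (placeholders): the DDNS name below, an iptables chain SSH_ALLOW
# that INPUT already jumps to for tcp/22, and `dig` available on PATH.
# Intended to run from cron, e.g. every five minutes:  sync-ssh-allow.sh --sync

ALLOW_HOST="${ALLOW_HOST:-laptop.example-ddns.test}"   # placeholder DDNS name
CHAIN="${CHAIN:-SSH_ALLOW}"                              # assumed chain name
CACHE_FILE="${CACHE_FILE:-/var/run/ssh-allow-${ALLOW_HOST}.ip}"

# Return 0 only for a well-formed dotted-quad IPv4 address. Everything that
# reaches iptables passes through this, so a poisoned or mis-typed DNS answer
# cannot smuggle shell or rule syntax into the command line.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Forward-resolve the hostname to its first A record. Tests (or a different
# resolver) can redefine this function to avoid touching the network.
resolve_host() {
    dig +short A "$1" 2>/dev/null | head -n 1
}

# Print, one per line, the iptables commands that move the allow-rule from $1
# (old address, empty on the first run) to $2 (new address). The new rule goes
# in before the old one is removed so there is no window without access.
rules_for_change() {
    old="$1"; new="$2"
    printf 'iptables -I %s -s %s -p tcp --dport 22 -j ACCEPT\n' "$CHAIN" "$new"
    if [ -n "$old" ]; then
        printf 'iptables -D %s -s %s -p tcp --dport 22 -j ACCEPT\n' "$CHAIN" "$old"
    fi
}

# Resolve, compare with the cached address, and change the rule only when the
# address actually moved. A failed or malformed lookup leaves the current rule
# untouched: deleting it would lock the user out, widening it would admit everyone.
sync_allow_rule() {
    new="$(resolve_host "$ALLOW_HOST")"
    if ! is_ipv4 "$new"; then
        echo "not updating: '$ALLOW_HOST' did not resolve to an IPv4 address" >&2
        return 1
    fi
    old=""
    if [ -r "$CACHE_FILE" ]; then
        old="$(cat "$CACHE_FILE")"
        is_ipv4 "$old" || old=""      # ignore a tampered or corrupt cache entry
    fi
    if [ "$old" = "$new" ]; then
        return 0                       # address unchanged, nothing to do
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        rules_for_change "$old" "$new" # show what would run
    else
        rules_for_change "$old" "$new" | sh -e || return 1
    fi
    printf '%s\n' "$new" > "$CACHE_FILE"
}

case "${1:-}" in
    --sync) sync_allow_rule ;;
esac
```

Run it with `DRY_RUN=1 sh sync-ssh-allow.sh --sync` first to see the rules it would apply. The cache file is what lets the script delete the previous rule; if the chain is ever flushed by hand, remove the cache file so the next run re-inserts the rule instead of trying to delete one that is no longer there.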
Now you are just being obstinate and dismissing everything you don’t agree with, good luck with that in this industry.
Don’t let that willful ignorance hurt you too bad out there.
And speaking as someone who does firewall engineering. Though I agree most of the time you can whitelist via hostname, doing so on a Cisco platform without Firepower will most likely be outside the realm of their abilities. Now a SonicWall, Palo Alto platform or Juniper.
So yes it can be done, OP needs to reach out to see if they can whitelist based on URL, assuming they’re doing it at the firewall and not directly on the SSH server. Seeing as they’re exposing port 22 to the internet there’s a high likelihood that they’re probably whitelisting on the server as both are considered very insecure.
Judging by your demeanor and assuming you have the only answer I pray you aren’t customer facing.
Judging by your demeanor and assuming you have the only answer I pray you aren’t customer facing.
And you can keep praying. I literally have my own MSP business and deal with customers all the time. Zero issues because my clients know that I have the experience and have shown I know what I’m talking about which is why I retain my clients.
So judge however you want. The success of my business says otherwise. Nothing that I have said is incorrect and the REAL solution is for their business to implement a VPN solution period or DYNDNS period.
Did I strike a nerve? You had to bust out the “I have my own MSP” and sweetie, anyone can have an MSP, it’s nothing special. But I hope your company continues to do well in spite of your attitude.
And I don’t disagree with you that the best solution is the company spinning up a VPN platform. Dyndns is another method, a vps to attain a static IP is another. A Dyndns entry and vps with a static IP achieve the same solution in different ways. I’m sorry you can’t understand that. I’ll make sure to avoid your MSP
Did I strike a nerve? You had to bust out the “I have my own MSP” and sweetie, anyone can have an MSP, it’s nothing special. But I hope your company continues to do well in spite of your attitude.
Cute but no.
And running a successful business from the ground up isn’t easy. Go ahead and do so for 5 years straight and be profitable, then you can speak.
I simply stated facts, regardless of how you “took an attitude over the text” comes out for ya. Doesn’t change the facts.
I find it funny you got tilted by the fact I backed up what I said with data and showed how it’s clearly possible to do. All I said is if you didn’t know that, you were in the wrong profession. Again another fact.
Honestly not that hard to run a business especially if you have the demeanor to back it. And I never claimed everyone’s MSP is successful, I just simply said I hoped yours was because with your attitude I wouldn’t touch or recommend your company. You give a very fly by night vibe and I don’t doubt your company probably has the same vibe. Like I said, you had to bust out the “I run my own MSP” to feel like you had cred to back yourself up. You remind me of this guy I knew. Claimed he had a golden tongue and coined the phrase “honhoneyd*cking” and ran his own MSP. Ended up going from owning 2 homes and a Mercedes to crashing on his ex’s couch driving an Accord.
If you REALLY wanted to back up your claim, you’d identify OP’s company firewall, convince and write the proper rule set for OP’s business to allow use of FQDN. But again, without knowing you can’t for sure know where the whitelisting occurs. Surely someone with a successful MSP has seen companies put their whitelist on their server and just left the port forwarding wide open for that server. And I may not be an expert like you but I doubt a Linux box can do FQDN whitelisting for ssh.
Honestly not that hard to run a business especially if you have the demeanor to back it
Talk is cheap. Go run your own profitable business for 5 years, then you can speak on that subject.
Again it’s not that hard, even a dolt like me makes plenty of money running their own business and a lot of it comes from not being a jerk to others when they have other ways to achieve the same goal.
Clearly your way works fine running your MSP. I bet your employee retention is better than average, bonuses are flowing and everyone is happy! Still I wouldn’t do business with your company especially if I had to deal with your fly by night vibe.
Again it’s not that hard, even a dolt like me makes plenty of money running their own business and a lot of it comes from not being a jerk to others when they have other ways to achieve the same goal.
And again, talk is cheap. Do it, then you can talk. 45% of businesses fail in the first 5 years. So start your own, reach that mark, then you can talk.
Until then nothing you say matters. If you think it’s that easy, then it shouldn’t be hard, go for it. I will bet you won’t get off the ground.
If it was that easy, everyone would do it. It’s not.
Until you have proven you can even do it. Nothing else you say matters. So I’m done with this convo lil buddy.