IPv4 address: worth keeping?

NoEcho

I have an old account with a fixed IP address. I've upgraded to FIOS but still have the old account active. I'm wondering if it might be so valuable that it would be worth paying the 45-some bucks a month to retain. What do network geeks with RL experience think?
 
I've managed to hang on to 192.168.1.1 for over a decade, so I say, go for it!
 
Unless you're doing something with it that requires a static IP address (being an authoritative DNS server), then you're wasting your money.
 
You can rent an entire dedicated server with a 100 Mbps/100 Mbps internet connection and 5 IPs for less than that.

Ditch it
 
lol $45 a month for a static IP address? Who's the assholes ripping you off?
 
Yeah I'd drop it unless you're running something that requires a static IP.

I wish my ISP would provide static IPs though... their DHCP lease time is set to 20 minutes which is ridiculous. Whenever my IP changes I have to go on my internet server and change all the firewall rules for SMTP and such which is a pain. I suppose I can find a way to automate that though.
 

Dynamic DNS services, link with some scripts, profit.
 

Most things like firewall rules and allow lists and such require you to input an IP, not a hostname, so I still have to code something that will go in and change the IP in all those places. If I'm going to do that I may as well update the DNS too, as I already do have a DNS hostname for my home; it just has to be updated by hand.

What I need to do is set up some kind of script I can run from home that connects to the server with some kind of authentication, then it would prompt a script to go and change the IP in the correct locations and restart the proper services. Just never got around to it.

A static IP would be much easier. :D
 
Yeah I'd drop it unless you're running something that requires a static IP.

I wish my ISP would provide static IPs though... their DHCP lease time is set to 20 minutes which is ridiculous. Whenever my IP changes I have to go on my internet server and change all the firewall rules for SMTP and such which is a pain. I suppose I can find a way to automate that though.

If your IP actually changes every 20 minutes and you are using ACLs... you're not doing it right. Pay for a static. Unlike our OP here, you need a static. (or you need to not host at home on a residential connection)
 

I don't have the option of getting a static. (asked). They just don't offer it. My IP will only change if the DHCP request can't make it through such as if I'm doing a really heavy transfer.

So I just make sure I don't sustain a transfer for more than 20 minutes. I have 50/30 so it's not that typical for a transfer to go longer than 20 minutes that saturates the whole connection.

But yeah, would be nice if my ISP provided statics. Not hosting anything at home (they don't allow it, otherwise I would) but I still need to allow my house to connect to my online server so I have to change the IP in the online server's firewall and other places when it changes.
 
WTF did I just read? Squirrel strikes again. :)

Dude, just VPN into your server if you want to access services not meant for the public. Manually updating firewall rules, I'm cracking up.
 

I'm not going to set up a whole VPN server and VPN every time I want to send an email LOL. And I'd still have to edit the firewall rule to let my IP through the VPN anyway, so it would really not accomplish anything.

Either way when my IP changes I need to edit the DNS record manually anyway (having a static hostname for home makes it easier as I just give that to my friends for games), so while I'm logged in I just edit the SMTP relay list, and a few web related things like phpmyadmin. Not a big deal. There is no need for a VPN.
 

You're not supposed to set it up every time you send an e-mail. You're supposed to set it up once and then have it permanently connected. Duh.

If you have to edit the firewall rules to allow the VPN, how the hell do you currently remote into the server to change the rules? And why is that not filtered as well? If you leave this open, you can leave OpenVPN open as well. Rate-limit it if you want.

You're not making very much sense here at all.

PS: Address-based ACLs are not security.

Edit:
Either way when my IP changes I need to edit the DNS record manually anyway

Please, take some Admin 101 course or whatever. Every time you post, it's another overly convoluted, misunderstood setup of yours that leaves people shaking their heads.
 
I use SSH to log in but that has brute force protection. If I did have a static I'd limit that to my IP as well but obviously can't do that or I'd get locked out when my IP changes. Anything else is not allowed to anything but my IP, which I have to actually tell the respective programs what it is. It's not that complicated, it's just very basic security. I don't need any courses, I think it's you that does not understand and is trying to make a big deal out of something that is not.
 
I understand one thing: doing things manually means you're stuck in some dead-end, not knowing about best practices and how to run servers in general.

If you change DNS records manually, that must mean it's a public-facing DNS server. Ever heard of signed DNS updates? It's trivial to automatically and securely update the record whenever your IP address changes.

It then would also be trivial to run a cron job on your server updating your firewall rules using that hostname if you insist on false security by IP address ACLs.

And that's just for starters that really want to ignore that a VPN is the proper way to build a secure connection to one's own external services. Don't tell me you're also running SMTP in plaintext in addition to running it publicly with a measly IP address ACL in front.

What you're doing is some kind of cargo-cult simplicity, where you strip things down so much that they become an encumbrance in themselves, while relying on false security (address ACLs) on top of it. It's a prime example of how not to run servers.
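
The cron job suggested in the post above, as an added sketch that is not code from anyone in the thread: it resolves the home hostname, refuses answers that are not publicly routable IPv4 addresses, and swaps the allowed address in one nftables transaction. The hostname, the nftables set name and the state-file path are assumptions, and the addresses in the test are constructed sample values.

```python
#!/usr/bin/env python3
"""Cron job: keep one nftables allowlist set pointed at a dynamic home address."""
import ipaddress
import pathlib
import socket
import subprocess

HOME_HOSTNAME = "home.example.net"      # assumption: placeholder hostname
NFT_SET = "inet filter home_allow"      # assumption: an existing ipv4_addr set
STATE_FILE = pathlib.Path("/var/lib/home-allow/current")  # assumption

def validate_home_ip(text):
    """Return a normalised IPv4 string, or None if the answer must not be used."""
    try:
        ip = ipaddress.IPv4Address(text.strip())
    except ValueError:
        return None
    # The DNS record is now part of the trust path: a wrong or spoofed answer
    # in private, loopback or reserved space must never reach the firewall.
    return str(ip) if ip.is_global else None

def plan_update(current, resolved):
    """Return an nft script replacing the allowed address, or None for no change."""
    new = validate_home_ip(resolved)
    if new is None or new == current:
        return None
    # Fed to `nft -f -`, both lines apply as one transaction, so the set is
    # never left empty or holding both the old and the new address.
    return f"flush set {NFT_SET}\nadd element {NFT_SET} {{ {new} }}\n"

def main():
    current = STATE_FILE.read_text().strip() if STATE_FILE.exists() else None
    try:
        resolved = socket.gethostbyname(HOME_HOSTNAME)
    except OSError:
        return  # resolution failed: keep the existing rule
    script = plan_update(current, resolved)
    if script:
        subprocess.run(["nft", "-f", "-"], input=script, text=True, check=True)
        STATE_FILE.write_text(validate_home_ip(resolved) + "\n")

if __name__ == "__main__":
    main()
```

Services that take a literal address in their own config files would each need their own reload step, which this sketch does not cover.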
 
If your public email server, BTW, is on a dynamic IP address, you're getting blocked by nearly anyone using any sort of RBL.

His public server is on a static address. He wants to connect to it from his home network and has on his public server an ACL that only allows connections from his home address.

Yes, I wish this was all an elaborate prank.
 
Most dynamic DNS services suck nowadays, keep nagging to log in to refresh account etc. I used to use it, and gave it up. In fact the one I was using started charging. I just never bothered trying to find another one, it takes 2 minutes to SSH in and update the record and restart named. Like I previously said, I could automate it, I just never bothered. It's not like my IP changes every day. With my previous ISP it changed maybe every few years. I found out with my new ISP it changes more often but that was just recently so I never got around to writing scripts to automate it. And like I said, most programs like Apache .htaccess files, Postfix relay file etc. take an IP not a hostname, so dynamic DNS won't work here anyway.

And I don't think you guys understand. The SERVER has a static IP and is remote, but my HOME does not. So on the SERVER I need to change the HOME IP inside config files for a few things such as outgoing mail, a few admin logon pages for stuff like phpmyadmin, and a few other things. Sure those things have a logon page and I could leave it wide open, but that's just asking to get hacked unless I want to write fail2ban scripts for every single one of those services. Much easier to just limit the IP.

Not sure why you guys are making such a huge outrage over something so basic. Besides you guys are just hijacking this thread. I just merely mentioned "I wish my ISP would provide statics" and then you guys turned it into an outrage.
 
LOL, you have SMTP, phpmyadmin and "a few other things" running publicly with only an address filter protecting them? /facepalm

Also, no one was talking about shitty DynDNS-like providers. You're apparently already running your own DNS server, why the hell would you need a third party? Google "BIND TSIG dynamic update".

Edit:
Much easier to just limit the IP.
Yes, it's "easier" if you call manually changing DNS records easy. It's also false security.

This setup desperately cries for a VPN and you're just leaving it crying and mocking it. Poor little setup.

Edit2:
I just merely mentioned "I wish my ISP would provide statics" and then you guys turned it into an outrage.
Yes, you "merely" mentioned it, dropping a bomb in the process that cannot go unanswered.
 
LOL, you have SMTP, phpmyadmin and "a few other things" running publicly with only an address filter protecting them? /facepalm

Also, no one was talking about shitty DynDNS-like providers. You're apparently already running your own DNS server, why the hell would you need a third party? Google "BIND TSIG dynamic update".

YOU stop with the nonsense first, then WE stop. :)

And how else am I supposed to access those things? No I'm not setting up a VPN just for something that trivial.

Most if not all shared hosts will have that stuff open to the public. I just choose to block it and allow only my IP because I can. It's not a big deal, stop making such a huge deal out of it.

And like I mentioned, probably multiple times, I do plan to set up a way for my IP to update automatically, but I just did not get around to it, it's VERY low on my list of priorities. So for now I just input it manually into the various config files that need it. Not really a huge deal. Stop making such a huge outrage out of something so minuscule.

I'm done here. I feel like I'm arguing with a child.
 
IP whitelisting is a valid part of defense in depth and common for databases among other things. IP spoofing a whole TCP session is a non-trivial hack and has certain preconditions.

If you're concerned about phpmyadmin security to the open web then have the web server only listen on loopback and tunnel the connection with SSH or VPN. It is dead simple and highly secure. It also means you no longer need to IP whitelist since it won't accept external connections.
 