Reaction the new fail2ban
Context
When you have a server reachable from the internet, it is a very good idea to control who has access to it and how. For years I have been using the very good tool called iptables in a very restrictive way. But something happened to me that changed my mind, and I am going to share that story with you…
Architecture
Here is how I designed the secure SSH access to my server from the two places I have a physical access.
So I configured iptables on my server in the most restrictive way I know from a network perspective: only the two public IPs of my two homes can reach the SSH service. And it works fine. But by design, there is an issue with this choice. Indeed, my ISPs 1) provide me with dynamic IPs. They may change without notice, but for the last 3 years they did not. I accepted the risk because of two things:
- Since the IPs don't change very often and I have two different ISPs, the probability that both of them change at the same time is very low. So if one IP changes and I lose access to my server, I can go to the second home and update the configuration accordingly.
- Worst case scenario, I can use the emergency console access from my server provider and update the iptables configuration.
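The allowlist design described above, as an added example that is not the author's own configuration: a small POSIX sh helper that validates the source addresses and prints (does not apply) the iptables rules for a dedicated chain, so the rule set can be reviewed before it is loaded. The chain name `SSH_ALLOW`, the function names and the two source addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are assumptions for the example; the logging rule is there so that a lock-out like the one described below leaves a trace in the kernel log.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the page author's script):
# render an iptables allowlist for SSH. Nothing is applied here; the
# commands are only printed so they can be reviewed first.

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0-255.
validate_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    # shellcheck disable=SC2046  (word splitting on the dots is intended)
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for a dedicated SSH_ALLOW chain: accept new
# TCP connections to PORT from the listed source IPs, log and drop the rest.
# Usage: render_ssh_rules PORT IP [IP...]
render_ssh_rules() {
    port=$1
    shift
    [ $# -ge 1 ] || { echo "render_ssh_rules: at least one source IP is required" >&2; return 1; }
    # Create the chain if missing, otherwise flush it so the script is idempotent.
    echo "iptables -N SSH_ALLOW 2>/dev/null || iptables -F SSH_ALLOW"
    for src in "$@"; do
        validate_ipv4 "$src" || { echo "render_ssh_rules: invalid IPv4 address: $src" >&2; return 1; }
        echo "iptables -A SSH_ALLOW -s $src -j ACCEPT"
    done
    # Rate-limited log line: a lock-out caused by a changed home IP shows up here.
    echo "iptables -A SSH_ALLOW -m limit --limit 5/min -j LOG --log-prefix \"SSH-DENIED: \""
    echo "iptables -A SSH_ALLOW -j DROP"
    # Only new connections are sent to the chain; established sessions keep working.
    echo "iptables -I INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_ALLOW"
}

# Demo with constructed addresses from the documentation ranges.
if [ "${1:-}" = "--demo" ]; then
    render_ssh_rules 22 203.0.113.10 198.51.100.7
fi
```

Run it with `sh allowlist.sh --demo` to see the rule set; pipe the output into `sh` only after checking that both addresses are the ones currently assigned by the ISPs, since a stale address in the allowlist is exactly the failure the rest of this page is about.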
Odds always win
One day, one of my ISPs took down my internet access for a few days. They had to fix something to improve bandwidth. No problem, I still had access to my server through my second ISP. But the following morning, bad news: all my backup reports came back to me with errors 2). Long story short, my second ISP decided to change my IP during the night 3). I decided to use my last option: emergency console access to my server from the provider. But another bad surprise: my provider did not offer such a service.
As a result, I lost access to my server for days. In the meantime, I was looking for a more robust design. That's how fail2ban came back to my mind and, even better, I remembered that one person from the CHATONS was working on the perfect tool for me: reaction.