I’m currently at my parents’ and using their BT connection. This is dual stack with a fixed IPv6 /64 and a dynamic IPv4 address.
I recently changed my VPS over to OVH which provides me with an IPv6 as well as an IPv4 address.
This has afforded me a way of limiting the ability to connect to SSH still further than simply using SSH keys.
Before doing this I do recommend making sure that you can use the KVM login at your VPS provider in order to prevent yourself from being completely locked out should things go awry…
Once you’ve done this it’s time to:
- Add a rule to UFW to allow SSH connections from my home /64
sudo ufw limit from 2a00:23c5:4183:eb00::/64 to any port 22 proto tcp
- Delete the rules to allow SSH connections from all IPv6 and IPv4 addresses
Currently these are my UFW firewall rules:
    $ sudo ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    53                         ALLOW       Anywhere
    25/tcp                     ALLOW       Anywhere
    587/tcp                    ALLOW       Anywhere
    993/tcp                    ALLOW       Anywhere
    995/tcp                    ALLOW       Anywhere
    4190/tcp                   ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere
    443/tcp                    ALLOW       Anywhere
    465/tcp                    ALLOW       Anywhere
    53 (v6)                    ALLOW       Anywhere (v6)
    25/tcp (v6)                ALLOW       Anywhere (v6)
    587/tcp (v6)               ALLOW       Anywhere (v6)
    993/tcp (v6)               ALLOW       Anywhere (v6)
    995/tcp (v6)               ALLOW       Anywhere (v6)
    4190/tcp (v6)              ALLOW       Anywhere (v6)
    80/tcp (v6)                ALLOW       Anywhere (v6)
    443/tcp (v6)               ALLOW       Anywhere (v6)
    465/tcp (v6)               ALLOW       Anywhere (v6)
    22/tcp                     LIMIT       2a00:23c5:4183:eb00::/64
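A lockout check for the steps above, added here as an example and not part of the original post: it parses `ufw status` text, lists any rule that still exposes port 22 to Anywhere, and tells you whether the address you are connecting from sits inside an allowed prefix. The sample status text, the client addresses and the function names are constructed for illustration, and it assumes rules written by port number rather than by application profile name.

```python
import ipaddress
import re

# Constructed sample: `ufw status` before the world-open SSH rules are deleted.
SAMPLE_BEFORE = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
22/tcp                     LIMIT       2a00:23c5:4183:eb00::/64
"""

# Columns: To (optionally tagged "(v6)"), Action, From.
RULE = re.compile(r"^(\S+)(?: \(v6\))?\s+(ALLOW|LIMIT)(?: IN)?\s+(.+?)\s*$")

def ssh_sources(status_text, port="22"):
    """Return the From column of every ALLOW/LIMIT rule that covers `port`."""
    sources = []
    for line in status_text.splitlines():
        m = RULE.match(line)
        if m and m.group(1).split("/")[0] == port:
            sources.append(m.group(3))
    return sources

def audit(status_text, client_ip, port="22"):
    """Report world-open rules and whether client_ip is inside an allowed prefix."""
    client = ipaddress.ip_address(client_ip)
    world, allowed = [], False
    for src in ssh_sources(status_text, port):
        if src.startswith("Anywhere"):
            world.append(src)
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue  # From column is not a plain address or prefix; skip it
        if net.version == client.version and client in net:
            allowed = True
    return {"open_to_world": world, "client_in_allowed_prefix": allowed}

if __name__ == "__main__":
    # Constructed client address inside the home /64.
    print(audit(SAMPLE_BEFORE, "2a00:23c5:4183:eb00::1234"))
```

On the server, the first field of the `SSH_CONNECTION` environment variable gives the client address of the current session; only delete the open rules once `client_in_allowed_prefix` is true for it.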
I did consider adding a rule for IPv4, but unlike Virgin Media cable IPv4 addresses, which are sticky for months or years at a time, BT IPv4 addresses change at unspecified intervals, even when the router is not rebooted.