Ssh – How to connect to a linux machine that changes IP regularly

remote-access ssh

My problem is finding a way to SSH into a Linux server (Ubuntu 18.04) whose IP address changes daily.

I have a client who I occasionally help with admin tasks. I need to ssh into the machine when they need help, but they don't have a static IP, so the public IP of the server is constantly changing. I created a small script to report the IP address of the Linux machine, and find that it changes once per day around noon.

I'm able to set up SSH, and it works both locally and remotely… until the IP address changes. Once that happens, I'm no longer able to connect remotely even using the new IP address.

  • Do I need to restart the SSH service every time the IP address changes?
  • If so, why?
  • Is there any other action I need to take when the IP address changes in order to allow SSH access?

UPDATE

To be clear, my problem is NOT finding the new IP address. I have a script to do that already. The problem is the server stops responding once the IP changes, even though I try to connect using the new IP address.

If I restart the SSH service on the target machine, I have remote access again. But I don't understand why I should have to do this. I would like to know the root cause in hopes of finding a better solution.

Most people seem to think SSH should work as long as we know the new IP, so is this something unique to 18.04? I installed this server for the client recently, so all config settings are still default. (They wouldn't know how to change it.)

Best Answer

The other answers seem to have overlooked one thing in your question:

"Once that happens, I'm no longer able to connect remotely even using the new IP address"

DDNS will help you find out the new IP address, but that doesn't seem to be the problem here.

Unfortunately, the server getting a new IP should not be a problem in the standard setup where the ISP provides a router, the server has an internal address behind the router, and the router does the port forwarding. You might need to provide more information about the network topology to get a good answer.

What I could imagine is the server not being behind a router and doing its own PPPoE connection, and a) the ssh server binding to the specific interface address at the point of server restart, b) a firewall on the machine that permits incoming ssh to just the server's IP with the firewall not updating when the IP changes.

To check the first case, do a netstat -nta | grep -w 22 | grep LISTEN. If it says 0.0.0.0:22, that's ok; if it lists a specific IP, then check the sshd config file (/etc/sshd.conf) for ListenAddress.

To check the second case, do iptables -L -n and check if one of the rules in the INCOMING chain matches your server's IP and port 22.

If one of these has the current server address, you'll need to either change it to 0.0.0.0 (make sure you know about the security implications), or update the rule/configuration whenever the IP changes.

Edit

As the server is behind a router, the above ideas probably don't apply(*). In this setup, the router has an external IP (which changes daily), and your internal devices should have some 10.x.y.z or 192.168.x.y addresses which shouldn't change. You connect to the external address, and the router should have a port-forwarding rule to the internal address.

This port forwarding shouldn't break when the external IP changes (existing ssh connections will be dropped however), but maybe it's a rule that wasn't set up by you, but by some UPNP magic, with the router dropping UPNP forwards when it gets a new address, and sshd only invoking the rule when it restarts. Did you set up a port forwarder within the router yourself?

Or, it's the internal IP of the server that changes - in that case, something is severely broken with your DHCP. Give your server a fixed internal address.

Or, are you using IPv6? There are some configurations where a device keeps changing its IP to make it less easy to track. See, for example, https://www.internetsociety.org/blog/2014/12/ipv6-privacy-addresses-provide-protection-against-surveillance-and-tracking/ - but in that case, shame on you for not mentioning it in your original post. This might mean your router not doing NAT at all, and my original ideas still being valid even behind a router.
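The two checks from the answer above (a listener bound to one address, a firewall rule tied to one destination) can be scripted so they are easy to repeat after each address change. This is an added example, not part of the original answer; the function names and the sample output (using documentation address 203.0.113.7) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): find port-22 listeners and
# iptables rules that are tied to one specific address.

# stdin: output of `netstat -nta` (or `ss -ltn`). Prints the local address of
# every LISTEN socket on the port that is not a wildcard bind.
pinned_listeners() {
  awk -v port="${1:-22}" '
    /LISTEN/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ (":" port "$")) {            # first field ending in :port is the local side
          addr = $i; sub(":" port "$", "", addr)
          if (addr != "0.0.0.0" && addr != "::" && addr != "[::]" && addr != "*") print addr
          break
        }
    }'
}

# stdin: output of `iptables -L -n`. Prints "target destination" for rules that
# match the port and name a destination other than 0.0.0.0/0.
# Only single-port matches (dpt:N) are recognised; multiport rules are not.
pinned_fw_rules() {
  awk -v port="${1:-22}" '
    $0 ~ ("dpt:" port "( |$)") && $5 != "0.0.0.0/0" { print $1, $5 }'
}

# Constructed sample output, as it might look after the address has moved on
# from 203.0.113.7.
SAMPLE_NETSTAT='tcp        0      0 203.0.113.7:22          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

SAMPLE_IPTABLES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            203.0.113.7          tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

printf '%s\n' "$SAMPLE_NETSTAT"  | pinned_listeners 22 | sed 's/^/sshd bound to: /'
printf '%s\n' "$SAMPLE_IPTABLES" | pinned_fw_rules 22  | sed 's/^/rule pinned:   /'
```

On the server itself, pipe the live commands in instead of the samples, for example `netstat -nta | pinned_listeners` and `iptables -L -n | pinned_fw_rules` (the latter as root). Empty output from both means neither of the two causes applies.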
