IP change + FTPS access = our IP getting blacklisted

My company has hosted its websites on ServerLogistics (PI HOST) for years, and mostly we’ve been satisfied with them. But over the past couple years, we’ve had a lot of pain and suffering because every single time our dynamic IP address changes, we no longer have FTPS access, and we must contact ServerLogistics to resolve the problem. Also, if we stop the FTPS connection quickly enough (before it makes multiple access attempts), we are still able to browse our websites and access via FTP without problem. But for whatever reason, if I use Freeway to upload via FTPS and try FTPS multiple times (or use Transmit to connect via FTPS multiple times and fail multiple times), we then will find that we can no longer access our websites, and even the FTP protocol won’t work.

To repeat, if our IP changes and if we try a single FTPS access, our FTPS access is blocked, but we can still access our websites and use the FTP protocol. But if we try a second FTPS access, then everything is blocked (no access to our websites and no FTP access). The only way to resolve the problem is to get our new IP whitelisted.

Having ServerLogistics whitelist our IP fixes the problem until the next time our IP changes, in cases where we access via FTPS. If we never access via FTPS (accessing only via FTP), we are never blocked. So what triggers this strange problem is FTPS access. It’s totally bizarre to me.

Note that we are based in Japan and ServerLogistics is based in Southern California, if that matters.

I have repeatedly asked ServerLogistics to resolve this problem. But they have told me the following:

“So far is that as the system currently stands, there’s just no other way to do this that wouldn’t cause a major security flaw.”

I don’t understand why this cannot be fixed without causing a security flaw, hence my post here on FreewayTalk. Perhaps some of you who understand the ins and outs of web hosting, IP addresses, security filtering and the like can help me help ServerLogistics solve this silly problem once and for all.

And once again, please note that we are based in Japan, while our host is based in the US, if the difference in countries (IP addresses) makes a difference in this case.

I look forward to your thoughtful replies.

Thank you!

James Wages


offtopic mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

For clarity, you do NOT have a dedicated IP address for your website?


Ernie Simpson


Our local IP address here in Japan is dynamically assigned. And like I said, whenever our local ISP dynamically changes our IP, and when we then subsequently try to access our webspace (on ServerLogistics in CA) via the FTPS protocol, the server at ServerLogistics automatically blacklists our newly assigned IP in Japan. And although that blocks only FTPS access at first, if we repeatedly try (and fail) with additional FTPS accesses, ServerLogistics’ server in CA will then block all accesses from our IP (i.e., access via FTP, FTPS, HTTP – everything).


So when we are blacklisted and blocked, everyone else in the world (including folks in Japan) can still view our websites, but here at our office, we cannot see our websites when the server in CA completely blocks our Japan-ISP-assigned IP.

Our IP in Japan is being blocked by our host in CA.

The reason this is a headache is because our IP changes at the whim of our ISP, and every time we power ON/OFF our office router. It’s a painful problem that I want to solve without further delay.

Any thoughts?


I’m no expert, but it seems to me your problems would go away if you purchased a hosting account with a dedicated IP address. Problem solved.


Ernie Simpson


We are located in Japan, but we host our sites outside Japan (in the US). As such, our ISP in Japan has nothing to do with our web hosting. Our ISP in Japan merely offers us “internet access.” And it is that “internet access in Japan” that is being blocked by our host in the US, but only when our dynamically assigned IP address IN JAPAN changes AND when we then access via FTPS.

So what I want to know is:

Technically speaking, WHY is this happening?
And how do I advise ServerLogistics to fix it?

Thanks.


Blacklists often contain a range of IPs, which your hosting provider uses for their customers. If any ONE of those in the range does something to be blacklisted, then the whole range is blacklisted because the actual offender can occupy any IP in the range.

What you want is a hosting provider that has a good server reputation, responds well to security problems, and is very anti-spam. And a dedicated IP account. That’s all I’m gonna say.


Ernie Simpson


Why can’t your broadband provider give you a static IP?

I recently added a new line/bb connection with BT and was offered a fixed IP at no additional cost.

Systems may vary but if BT can do it over a standard phone line?

David


For an extra $100 per month, they are happy to give us a Static IP, but we don’t want to pay an extra $100 a month only to cure a problem that shouldn’t happen in the first place.

Again, I just want to know why this is happening on a technical level so I can perhaps figure out a workaround and instruct my webspace provider in the US to fix it accordingly. In other words, I am looking for a fix on the US side, not on the Japan side. Why? Because it’s the US side that’s doing the automated blacklisting!

Thanks.


Hi James,

I’ll start with an explanation of what I think is happening. For private services such as FTP, SSH, perhaps a web admin panel, etc. there is a whitelist to specify who is allowed to access them.

This whitelist has to be based on IP addresses, there’s no other way it can identify you reliably (ish, there are issues with IP for locations shared by many people, but ignore that) over the Intertubes.

Now, you have your IP address whitelisted and it changes. At that point, as far as the server is concerned, you are no longer a person who is allowed to access those services. I think what the server is doing is a kind of two strikes system, try to access a private service once and it doesn’t mind, try again and it blacklists you from accessing the server at all.


With regards to the security flaw, the reason it can’t be done without causing a major security flaw is because the alternative is to remove that whitelist feature entirely.

What this does is open up those private services to anyone. Most of the time they would need your credentials, of course, but it opens those services to people guessing at your credentials, and also if there are any known vulnerabilities in those services, they will have no protection.


That’s the explanation out of the way, I hope I’ve made it understandable. There are two possible solutions that I can think of outside of sticking with the way it is, one of which is to get a static IP address which you’ve already talked about.

The other, you’ll need to check something with the host, ask if they can whitelist by domain names. If they can, you’ll be able to use dynamic DNS to solve this.

Basically you will have a subdomain for your office set up as a dynamic DNS record, say joffice.yourdomain.com, and a piece of software in your office (your router might even have it already, potentially) that will update that record whenever your IP address changes.

Have a look at the people who provide your domain name, they probably have details about setting up dynamic DNS records along with the software to keep it updated.

-Sim

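
Sim’s suggestion above (whitelisting the office by a dynamic DNS name instead of a fixed address) needs something on the host’s side that re-resolves the name and swaps the stale address out of the allow list, leaving the old entry alone when DNS gives no usable answer. The script below is an added example written for this thread, not code from ServerLogistics, Softpress or anyone in the discussion; office.example.com, the allow-list path and the state directory are assumed placeholders, and resolve_ddns is the one function to change for a different resolver.

```shell
#!/bin/sh
# Host-side half of the dynamic DNS approach: re-resolve the customer's
# DDNS name and keep the FTPS/SSH allow list pointing at its current address.
# Meant to run from cron every few minutes on the hosting server.
#
# Assumed placeholders (not values from the thread):
#   office.example.com  the customer's dynamic DNS record
#   ALLOWLIST           one IPv4 address per line, read by the firewall or
#                       the FTP daemon's access control
#   STATEDIR            remembers the last address seen per hostname

ALLOWLIST="${ALLOWLIST:-/tmp/ftps-allowlist.txt}"
STATEDIR="${STATEDIR:-/tmp/ddns-state}"

# Resolve a hostname to its first IPv4 A record (empty string if none).
# Replace this one function to use a different resolver.
resolve_ddns() {
    dig +short "$1" A 2>/dev/null | grep -E '^[0-9.]+$' | head -n 1
}

# Reject anything that is not four octets in 0..255, so a broken DNS
# answer can never land in the allow list.
valid_ipv4() {
    echo "$1" | awk -F. 'NF == 4 {
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        exit 0 } { exit 1 }'
}

# update_allowlist HOSTNAME
# Exit status: 0 = allow list changed, 1 = address unchanged,
# 2 = no usable answer (previous address is kept rather than dropped).
update_allowlist() {
    host="$1"
    state="$STATEDIR/$host.last"
    mkdir -p "$STATEDIR"
    touch "$ALLOWLIST"
    new=$(resolve_ddns "$host")
    if ! valid_ipv4 "$new"; then
        echo "$host: no IPv4 answer, allow list untouched" >&2
        return 2
    fi
    old=""
    [ -f "$state" ] && old=$(cat "$state")
    [ "$old" = "$new" ] && return 1
    # Remove only this hostname's stale address; other entries are kept.
    grep -vxF -e "${old:-__none__}" "$ALLOWLIST" > "$ALLOWLIST.tmp" || true
    echo "$new" >> "$ALLOWLIST.tmp"
    mv "$ALLOWLIST.tmp" "$ALLOWLIST"
    echo "$new" > "$state"
    return 0
}
```

A cron job on the host would end with `update_allowlist office.example.com` and reload the firewall or daemon only when the exit status is 0.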

Business class broadband would offer a fixed IP address. It’s very little more than consumer broadband, at least here in the UK. Perhaps it’s time to shop around for a new ISP?

David Owen
Printline Advertising

On 4 Apr 2014, at 07:45, DeltaDave email@hidden wrote:

> I recently added a new line/bb connection with BT and was offered a fixed IP at no additional cost.


Simon’s explanation makes sense, except for one thing.

I’ve never seen any other host do this. I’d guess that most people are on dynamic IPs, except for fixed corporate users or something. As a person who does web sites from home, using a cable modem which means a dynamic IP that changes every once in a while, I’d be very annoyed if every time my IP changed I couldn’t log into my sites.

Personally, I think ServerLogistics is being overzealous in trying to protect you/themselves in this way. I think that because I don’t know of any other host that does this.

As far as your question about FTPS vs other protocols, I can only guess. Maybe it’s like Simon states, that’s really the only one that has the whitelist, but once the blacklist is triggered, all attempts from your current IP are blocked.

I’d push a bit with ServerLogistics and ask them if you’re the only client on dynamic IP, or if they’re always whitelisting everyone when their IP changes. Or if there’s something you should be doing differently on your end, like using a different protocol.


Ask SL if they can authenticate you by your SSH Public Key. This is how all of my hosts are set up, and I don’t even have to provide a password when I log in. I don’t know if Freeway supports this flavor of SFTP, but Transmit does, and it makes it incredibly easy to log in and upload. Setting it up is a one-time geek thing, balanced by a lifetime of not having to worry about it any more.

Walter


Gentlemen, thank you for your replies.

Weighing Walter’s SSH suggestion versus Simon’s Dynamic DNS solution, I thought SSH might be easier for me to set up, but my feeble brain has run up against some issues…

First, I created my SSH Public Key via the Terminal with the following command:

$ ssh-keygen -b 4096 -f .ssh/id_rsa4096_2014 -C JDW

(From what I have Googled, anything after the C is merely a “comment” that can be anything I want to type, with no need for quotes around it either.)

But here’s the issue. When it came time to type in a passphrase, I turned to 1PSW4 to generate a strong 30 character password, and I then copied that and pasted it into the Terminal. But the Terminal doesn’t show me if it accepted what I pasted or not (no visual indication whatsoever). And when I hit return after pasting, it then asked me to confirm my password, upon which I pasted and hit return again. So either my password was accepted or a blank was submitted. But I haven’t the faintest idea how to test my passphrase to confirm.

What’s the fastest and easiest way to confirm a newly created SSH key’s passphrase?

Furthermore, what is the character limit for a passphrase? (Mine is 30 chars, which I assume is acceptable.)

Thanks,

James Wages


On Apr 6, 2014, at 9:22 PM, JDW wrote:

> Gentlemen, thank you for your replies.
>
> Weighing Walter’s SSH suggestion versus Simon’s Dynamic DNS solution, I thought SSH might be easier for me to set up, but my feeble brain has run up against some issues…
>
> First, I created my SSH Public Key via the Terminal with the following command:
>
> $ ssh-keygen -b 4096 -f .ssh/id_rsa4096_2014 -C JDW
>
> (From what I have Googled, anything after the C is merely a “comment” that can be anything I want to type, with no need for quotes around it either.)
>
> But here’s the issue. When it came time to type in a passphrase, I turned to 1PSW4 to generate a strong 30 character password, and I then copied that and pasted it into the Terminal. But the Terminal doesn’t show me if it accepted what I pasted or not (no visual indication whatsoever).

That’s normal. It’s to keep people from “shoulder surfing” and finding out your password, since anything you type there is plain text.

> And when I hit return after pasting, it then asked me to confirm my password, upon which I pasted and hit return again. So either my password was accepted or a blank was submitted. But I haven’t the faintest idea how to test my passphrase to confirm.
>
> What’s the fastest and easiest way to confirm a newly created SSH key’s passphrase?

This is the best tutorial I have found for making and using an SSH key: Connecting to GitHub with SSH - GitHub Docs

> Furthermore, what is the character limit for a passphrase? (Mine is 30 chars, which I assume is acceptable.)

It can be any length, as far as I know.

Walter

> Thanks,
>
> James Wages

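
James’s question about confirming the passphrase can be answered from the Terminal without a remote account: ssh-keygen -y re-derives the public key from the private key, and it only succeeds when the passphrase is right. This is an added example, not a command anyone in the thread posted; it generates a throwaway key under a temp directory rather than touching ~/.ssh, and the passphrase strings in it are constructed.

```shell
#!/bin/sh
# Confirm the passphrase on a freshly generated SSH key. ssh-keygen -y asks
# for the passphrase, decrypts the private key and prints the public half;
# a wrong passphrase makes it exit non-zero and print nothing useful.
#
# Constructed for this thread: same key name James used, but under a
# temporary directory so nothing in ~/.ssh is touched.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/id_rsa4096_2014"

# generate_key PASSPHRASE
# Non-interactive form of James's command: -N supplies the passphrase that
# ssh-keygen would otherwise prompt for twice, -q silences the banner.
generate_key() {
    ssh-keygen -q -t rsa -b 4096 -f "$KEY" -C JDW -N "$1"
}

# check_passphrase PASSPHRASE
# Returns 0 if the passphrase unlocks the private key, non-zero otherwise.
# -P gives the existing passphrase so no prompt appears (the prompt is
# what hides typed or pasted input in the Terminal).
check_passphrase() {
    ssh-keygen -y -P "$1" -f "$KEY" >/dev/null 2>&1
}

# key_fingerprint
# Prints the SHA256 fingerprint of the public key; compare it against what
# the host or client shows once the key is installed.
key_fingerprint() {
    ssh-keygen -l -f "$KEY.pub" | awk '{print $2}'
}
```

Interactively, `ssh-keygen -y -f ~/.ssh/id_rsa4096_2014` does the same check against the real key: it prompts once for the passphrase and prints the public key only if the passphrase matches.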

Thank you for the helpful link, Walter. I was able to confirm my PSW and test my SSH key via the Terminal and my Github account.

Since this is rather new to me, please forgive me but I have one more question now.

How do I get my newly created SSH key to work with Freeway when uploading or with an FTP client like Panic’s TRANSMIT? (This is an important question, because I connect to my server at ServerLogistics by Freeway or Transmit.)

Thanks.


On 4 Apr 2014, 12:55 pm, Joe Muscara wrote:

> Simon’s explanation makes sense, except for one thing.
>
> I’ve never seen any other host do this. I’d guess that most people are on dynamic IPs, except for fixed corporate users or something. As a person who does web sites from home, using a cable modem which means a dynamic IP that changes every once in a while, I’d be very annoyed if every time my IP changed I couldn’t log into my sites.

It would probably be even worse for people on ADSL; quite a lot of ADSL providers (in the UK) change a person’s IP address as often as every 24 hours. Our former Glorious Leader had this problem at home, so I was forever updating his IP address when a new version of the website was being worked on.

With regards to hosts using this technique, I have only seen one host doing this, who provide a server for us. I have encountered people in support with a similar setup, I don’t think those were as extreme as blacklisting attempts on private services though.

We have a static IP at Softpress Towers so if I need access to the server from outside the office, I tunnel via one of the machines here in the office. Of course I don’t want to transfer large amounts of data via the office so I’ll tunnel in and add myself to the whitelist for that.

(Note to James: This isn’t going to be a workable solution for you, just replying to Joe.)

-Sim


Understood, Simon. But what are your thoughts on how to get my newly created SSH key to work with Freeway when uploading or with an FTP client like Panic’s TRANSMIT?


As far as I’m aware, it’s not currently possible. I don’t believe Freeway’s upload has any knowledge of key based authentication.

-Sim


In Transmit, if you have added the key to your standard ~/.ssh/ssh-hosts file as directed in the GitHub tutorial, then you don’t need to do anything. (Alternatively, you can log into the server once via ssh in the Terminal, which will add the requisite line to that file for you.) Once that’s done, all you need to do is enter the username and no password. Part of the SSH handshake is to see if there is a host key for the server you’re trying to connect with, and if there is, it is used automatically. I have not tried this in Freeway, but it definitely works for me in Transmit.

Walter

On Apr 7, 2014, at 4:34 AM, JDW wrote:

> Thank you for the helpful link, Walter. I was able to confirm my PSW and test my SSH key via the Terminal and my Github account.
>
> Since this is rather new to me, please forgive me but I have one more question now.
>
> How do I get my newly created SSH key to work with Freeway when uploading or with an FTP client like Panic’s TRANSMIT? (This is an important question, because I connect to my server at ServerLogistics by Freeway or Transmit.)
>
> Thanks.
