How to stop my public IP Address from changing

[nector]

What is happening here is that whenever I move from one location to another my public IP address changes which is cumbersome, now Imagin we have salesmen moving to different locations in a day. This means that they cannot login or connect to PHP cPanel MYSQL database, is there a way to sort out this problem, I know last time I asked for the same question, but I was not very clear.

If I do not insert the new public Ip address into HP cPanel MYSQL database, then there will be no connection:

 

[arnelgp]

server must have static ip address and placed on fixed location.

 

[The_Doc_Man]

Your IP address in theory has nothing to do with whether you can or can't log in. If you are using a computer's IP address - particularly its IPv4 address, which is what you showed us - then your security setup is all wrong. You would want to identify a particular computer by its MAC address, not its IP address. If that IP address is part of an assigned range for DHCP, it wouldn't be constant anyway.

I know that some banks and business sites will track some aspect of the computer's network information. When my old computer died last month, I had to go through re-validating my connection via a texted one-time security code. But if you are telling me that your folks in the field are getting different IP addresses depending on where they connect, you are clearly using something dynamic. That ain't going to work. You need to strongly reconsider how your folks in the field identify themselves when connecting or logging in.

 

[Minty]

If you are moving around different sites even if they have a fixed Public facing IP address, it will be different per site, there is no getting away from that, unless they have configured a pretty fancy VPN, that everyone connects through that presents a single outgoing IP address.

We manage this on Azure SQL using an automated secure login and HTTPS site that configures the IP address (via scripting behind the scenes) you are connected to, but Azure allows you to store multiple IP addresses in it's whitelist, it doesn't look like MySQL does this.

So I would have Minty_Home, Minty_Mobile, and General_Office IP Addresses stored against my user login.
The general office one doesn't change, it's fixed, the other might.

 

[sonic8]

This means that they cannot login or connect to PHP cPanel MYSQL database,

Where does the requirement of the specific IP address originate? If it is the standard MySQL login system, you can enter * into the host name column to allow logins from any IP address.

Your IP address in theory has nothing to do with whether you can or can't log in. If you are using a computer's IP address - particularly its IPv4 address, which is what you showed us - then your security setup is all wrong. You would want to identify a particular computer by its MAC address, not its IP address.

With MySQL security the IP address can be used as an additional attribute to determine whether an user is allowed to log in or not.
The MAC address can also be spoofed and is not more secure than an IP address. Also, the MAC address is not routed outside the local network and thus useless for evaluation on a remote resource.

unless they have configured a pretty fancy VPN, that everyone connects through that presents a single outgoing IP address.

If the added security of IP address verification is desired, this is what I also would have recommended. The required behavior is not "fancy" at all but bog standard for a VPN that allows traffic to external destinations to be routed through the VPN.

 

[Jason Lee Hayes]

Google DDNS...

 

[sonic8]

Google DDNS...

That's not the answer to the problem stated here.

 

[The_Doc_Man]

In this day and age I could see using a statically assigned IPv6 address for added validation, but IPv4 addresses are a limited mapping space and you would have to lock down static IP addresses for each remote machine or laptop in order to use it for address-based validation. There already weren't enough free addresses around when I retired in 2016. We had already reach 4 billion devices world-wide, which pretty much whacked the address space for IPv4.

I would also think that the IPv4 routing tables for getting between one laptop and its home base would be a bit torturous. @Sonic, you are correct that I can build a boundary firewall that includes a list of allowed connections from a specific list of IP addresses. And if you have that, then bless you. But what about aliasing issues in which someone's IPv6 is "downshifted" to an IPv4 within a domain? What about network address translation issues? Can you even trust that IPv4 address these days? Some other unique machine identifier, such as the CPU serial number or the system disk serial number would be a far better validation value.

 

[nector]

Where does the requirement of the specific IP address originate? If it is the standard MySQL login system, you can enter * into the host name column to allow logins from any IP address.

@

sonic8​

AWF VIP​

You seem to know exactly my problem when you say I * in the remote host column do you mean entering like below:

102.212.181.86*

 

[Minty]

I don't know how the MySQL command structure works, but in Azure you can specify a range:

102.212.181.1 - 102.212.181.255

It would probably be worth googling to see if you can do similar.

 

[Jason Lee Hayes]

That's not the answer to the problem stated here.

To be fair im in a mood and cannot be arsed to explain how to acheive what is required lol..

The issue is not specifically MS access related therefore an understanding of networks is necessary to be able to resolve the issue to which a professional service should be considered.

Too ofter in my industry i see authorised but not qualified persons trying to apply a fix with disasterous results costing more time and money in the long run.

£500 per day or £84 per hour may sound expensive but for a network integration specialist with 35 years experience its peanuts...

 

[sonic8]

You seem to know exactly my problem when you say I * in the remote host column do you mean entering like below:

102.212.181.86*

Sorry, my memory slightly failed me. You must use the percent character not the star character.

You would use % very similarly to a normal query with wildcard criteria.
E.g., enter 102.212.181.% to allow users from hosts with IP 102.212.181.1 to 102.212.181.255 to connect.
To allow just all IP addresses to connect just enter % and nothing else.

 

[sonic8]

To be fair im in a mood and cannot be arsed to explain how to acheive what is required lol..

To be fair too, you could probably enter the client's host name instead of the IP address for access control. Then purchase DynDNS names for all your users, install a DDNS client on each client computer to update their host name when the IP changed. This might potentially also work, but it is quite convoluted and I'm not convinced at all that this would work with a reverse DNS lookup using the IP address.

 

[sonic8]

Can you even trust that IPv4 address these days? Some other unique machine identifier, such as the CPU serial number or the system disk serial number would be a far better validation value.

@The_Doc_Man, I did not intend to suggest using an IP address for identification/authentication of users is a good idea.
Restricting access to a system on the internet by IP address has its merits. But only to exclude illegitimate requests by their origin (IP address) already, before your system even starts more resource intensive operations for user authentication, like establishing an encrypted connection for user/password verification.

Using hardware serial numbers for verification in a distributed scenario is vain. This depends on software on the potential attacker's computer for verification. This obviously cannot be trusted. If I were an attacker and knew that authentication depends on my disk serial, I would simply install a manipulated disk driver that allows me to enter an arbitrary serial# instead of reading the actual one from my hard disk.

 

[nector]

To be fair too, you could probably enter the client's host name instead of the IP address for access control. Then purchase DynDNS names for all your users, install a DDNS client on each client computer to update their host name when the IP changed. This might potentially also work, but it is quite convoluted and I'm not convinced at all that this would work with a reverse DNS lookup using the IP address.

Many thanks for the clear help

 

[The_Doc_Man]

@sonic8, we agree that the problem with spoofing is that it is darned near impossible to prevent once the door is open and it is hard as all heck to detect after-the-fact without a sophisticated network appliance such as what used to be called a "Sniffer" or its modern counterparts.

This difficulty is why the U.S. Navy (and the other branches of service) used SmartCard technology with 256-bit keys (at the time, the largest that Smart Cards could handle) to control remote access. I ran my Navy-issued laptop in New Orleans, San Diego, Fort Worth, and from my home outside of New Orleans - in each case validating my identity because I had a smart card and knew the PIN that went with it. In each case, connecting to a totally different network. The IP address didn't matter. It was the authentication data I could provide.

But back to @nector's problem... Nector, I don't know how to advise you other than that using IP addresses as anything but a filtering device will probably in the long run be more trouble than it is worth. I know for a fact that Win11 has built-in support for the use of Smart Cards, and that the support is in the form of three "services" for Smart Card processing. I disabled those services on my system because I don't need them. (No smart card devices...)

You might not have the business clout that is needed to convince people to use that ability, but using individual IP addresses will be business-limiting if you add enough people who go out into the field to do their work. That is a type of advice I hate to give, but I doubt we have a solid answer for your problem as originally stated. You DID get some advice on SQL Server configuration issues that might help a little, but long-term it is the wrong way to go to use IP addresses as proof of identity.

 

[CJ_London]

you could possibly use terminal server or citrix - both come at a cost.