Automating Dynamic IP Updates in DigitalOcean Firewall for Enhanced Server Security
Locking SSH down to a short list of source addresses is one of the simplest ways to protect a server, but a dynamic home IP address complicates it: the address you allowed yesterday may be assigned to someone else today, and the address you have now is not in the rule set at all. In this article we use the DigitalOcean API and a small script to fetch your current public IP address and rewrite the firewall's port 22 rules around it, keeping a fixed list of trusted addresses and dropping anything unknown.
First: Obtain the API Key and Retrieve Firewall Details
To get started, you'll need an API key to authenticate your requests to the DigitalOcean API. Here's how you can obtain the API key and retrieve the details of your firewall:
- Log in to your DigitalOcean account.
- Open the "API" page of the control panel (it is reachable from the sidebar or from the account menu, depending on the layout).
- Click "Generate New Token" and enter a name for the token. If the form lets you choose scopes, grant only what the script needs (read and write on firewalls); a full-access token is a much larger blast radius if the machine running the script is compromised.
- Click "Generate Token" and store the token securely. It is shown only once, and anyone holding it can change your firewall rules, so keep it out of source control and world-readable files.
Once you have your API key, verify it by listing your firewalls with cURL (the token goes in the Authorization header, so it will also land in your shell history if you type it on the command line):
curl -X GET -H "Authorization: Bearer YOUR_API_TOKEN" "https://api.digitalocean.com/v2/firewalls"
Result (simplified; note the firewall "id", which the update call needs later):
{
  "firewalls": [
    {
      "id": "abcd-efgh-1234-5678-12345678",
      "name": "ProjectZ",
      "status": "succeeded",
      "inbound_rules": [
        {
          "protocol": "tcp",
          "ports": "22",
          "sources": { "addresses": ["1.2.3.4"] }
        },
        {
          "protocol": "tcp",
          "ports": "22",
          "sources": { "addresses": ["5.6.7.8"] }
        },
        {
          "protocol": "tcp",
          "ports": "443",
          "sources": { "addresses": ["0.0.0.0/0", "::/0"] }
        }
      ],
      "outbound_rules": [
        {
          "protocol": "tcp",
          "ports": "0",
          "destinations": { "addresses": ["0.0.0.0/0", "::/0"] }
        }
      ],
      "created_at": "2023-06-01T00:00:00Z",
      "droplet_ids": [12345678],
      "tags": [],
      "pending_changes": []
    }
  ],
  "links": {},
  "meta": { "total": 1 }
}
Next: Using Script To Update Firewall
- Clone the script repository from GitHub:
git clone https://github.com/cheehau/update-firewall-digitalocean
- Navigate to the cloned repository:
cd update-firewall-digitalocean
- Open the update_firewall_digitalocean.sh script file in a text editor of your choice.
- Set your DigitalOcean API token: replace YOUR_API_TOKEN with your actual token, keeping the quotation marks. The token is now in plain text inside the script, so restrict the file's permissions (chmod 600) and never commit the edited copy.
- Modify the preserved IP addresses. Locate the section where they are defined; it looks like this:
# Preserved IP addresses for port 22
preserved_ips=("ip1" "ip2/24" "ip3/16")
- Replace "ip1", "ip2/24", "ip3/16", etc. with the addresses or CIDR ranges that must keep access to port 22 (an office address, a bastion host, a CI runner). Enclose each entry in quotation marks and separate them with spaces. Every port 22 address that is neither in this list nor your current IP will be removed, so list everything you still need before the first run.
- Save the changes to the script file.
- Make the script executable:
chmod +x update_firewall_digitalocean.sh
- Run the script:
./update_firewall_digitalocean.sh
- Follow the on-screen instructions provided by the script:
  - Select the firewall you want to update from the list of available firewalls.
  - The script retrieves your current dynamic IP and updates the firewall rules accordingly, keeping the preserved addresses on port 22 and removing any unknown ones.
  - After updating the firewall, the script displays a success or failure message.
- Verify the updated rules in the DigitalOcean control panel after the first execution, before you rely on the script from a cron job.
Note:
This script is specifically designed for web developers who are using Laravel Forge and DigitalOcean. It is tailored to update the inbound firewall rules only and leaves HTTP and HTTPS open to all sources. For port 22 it writes exactly three kinds of sources into the rules: your current IP, the preserved IP addresses, and the Laravel Forge IP addresses; everything else on port 22 is removed. Because the script rewrites the SSH allow-list on every run, a typo in preserved_ips or a wrong answer from the IP lookup can lock you out, so keep an out-of-band path such as the Droplet console in the control panel available until you trust the rule set it produces.
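The procedure above is implemented by the repository's shell script, which this page does not reproduce. The following is an added example, written for this article and not taken from that script or from DigitalOcean, showing the same workflow end to end: fetch the current public IP, validate it before it is written into a rule, rebuild the port 22 rules from the preserved list plus the current address, and push the result with a PUT on /v2/firewalls/{id} (which replaces the whole firewall, so every other attribute is carried over). The IP echo service URL, the environment-variable names and the sample firewall are this example's own assumptions; the sample mirrors the simplified API response shown earlier.

```python
"""Rebuild a DigitalOcean cloud firewall's SSH allow-list around a dynamic IP.

Added example for this article; it is not the shell script from the linked
repository. Assumptions: the IP echo service URL (IP_ECHO_URL) and the
environment-variable names are choices made for this example.
"""
import ipaddress
import json
import os
import urllib.request

DO_API = "https://api.digitalocean.com/v2"
IP_ECHO_URL = "https://api.ipify.org"  # assumption: any service that returns a bare IP will do
SSH_PORT = "22"

# Constructed sample mirroring the simplified /v2/firewalls response shown earlier.
SAMPLE_FIREWALL = {
    "id": "abcd-efgh-1234-5678-12345678",
    "name": "ProjectZ",
    "inbound_rules": [
        {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["1.2.3.4"]}},
        {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["5.6.7.8"]}},
        {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
    ],
    "outbound_rules": [
        {"protocol": "tcp", "ports": "0", "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
    ],
    "droplet_ids": [12345678],
    "tags": [],
}


def validate_public_ip(text):
    """Return the echoed address as a string, or raise ValueError.

    Never write the echo service's reply into a rule unchecked: a broken or
    hostile reply such as "0.0.0.0/0" would open SSH to the world, and a
    private or loopback address would silently lock you out.
    """
    addr = ipaddress.ip_address(text.strip())  # rejects CIDRs and junk
    if not addr.is_global:
        raise ValueError(f"{addr} is not a routable public address")
    return str(addr)


def build_inbound_rules(existing_rules, current_ip, preserved_ips):
    """Replace every tcp/22 rule with one rule allowing preserved_ips plus
    current_ip; rules for other ports (80, 443, ...) are kept unchanged.
    Any address that was on port 22 but is in neither list is dropped."""
    kept = [r for r in existing_rules
            if not (r["protocol"] == "tcp" and r["ports"] == SSH_PORT)]
    allowed = list(dict.fromkeys([*preserved_ips, current_ip]))  # dedupe, keep order
    ssh_rule = {"protocol": "tcp", "ports": SSH_PORT, "sources": {"addresses": allowed}}
    return [ssh_rule, *kept]


def plan_update(firewall, current_ip, preserved_ips):
    """Build the PUT /v2/firewalls/{id} body. PUT replaces the firewall and
    resets attributes that are omitted, so name, outbound rules, droplets
    and tags are carried over untouched."""
    return {
        "name": firewall["name"],
        "inbound_rules": build_inbound_rules(firewall["inbound_rules"], current_ip, preserved_ips),
        "outbound_rules": firewall["outbound_rules"],
        "droplet_ids": firewall["droplet_ids"],
        "tags": firewall["tags"],
    }


def _request(method, url, token=None, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


def update_firewall(token, firewall_id, preserved_ips):
    """Fetch the current IP, validate it, then push the rebuilt rule set.
    The IP is validated before the firewall is even read, so a bad echo
    reply aborts the run without any API write."""
    current_ip = validate_public_ip(_request("GET", IP_ECHO_URL))
    firewall = json.loads(_request("GET", f"{DO_API}/firewalls/{firewall_id}", token))["firewall"]
    _request("PUT", f"{DO_API}/firewalls/{firewall_id}", token,
             plan_update(firewall, current_ip, preserved_ips))
    return current_ip


if __name__ == "__main__":
    # Token and firewall id come from the environment, not from the script file.
    preserved = os.environ.get("PRESERVED_IPS", "").split()
    print("SSH now allowed from",
          update_firewall(os.environ["DO_API_TOKEN"], os.environ["DO_FIREWALL_ID"], preserved))
```

Run it as DO_API_TOKEN=... DO_FIREWALL_ID=abcd-efgh-1234-5678-12345678 PRESERVED_IPS="5.6.7.8 192.0.2.0/24" python3 update_firewall.py. Applied to the sample firewall with current IP 1.2.3.4, it collapses the two port 22 rules into one whose sources are the preserved entries followed by 1.2.3.4 and leaves the port 443 rule alone; run with current IP 5.6.7.8 and only 5.6.7.8 preserved, the stale 1.2.3.4 entry disappears, which is the behaviour that makes the dynamic-IP problem safe.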
Summary
By following these steps, you can use the script to automate the process of updating your firewall rules so that only specific addresses, including your current dynamic IP, can reach SSH on your server, while web traffic on HTTP and HTTPS stays open to everyone. Because every run rewrites the port 22 allow-list from scratch, an address that used to be yours does not linger in the rules after your provider hands it to someone else.