VPN vs IP Restriction to connect to Server



Long story short - I wanted to secure my WHM server deeper. So, I looked around online and have implemented two different things, but then got to thinking it might be overkill?

For cPanel/WHM hosts, you have a port (2087) which you log into to get to your WHM (Master control panel) interface. I went and used WHM to restrict access to my IP to access my control panel and block others out. This works pretty well and I have tested it against several external IPs (Work and VPN through another VPN provider). Anything other than my IP gets an error page.

The other method I was looking at was using a PPTP VPN Connection to my server so I could authenticate as a local user on the machine and access the WHM page once I authenticated.

For the first method - I know this is pretty secure since if I don't connect with my IP, I'm pretty much good to go and BTW have seen a Major drop of hack attempts to zero now trying to get into that system.

For the second method, I like this particularly because my IP isn't static so at any time my ISP can rotate it and therefore I am locked out (But I can edit the hosts.allow file on the server via SSH which I have BTW changed to a different port number).

Does anyone have any opinions on either option?


The second is better, the reason being that it doesn't expose your server directly to the internet regardless of what rules you put in place to allow access.

To secure the second, you could do the same and only allow your IP to be able to connect to the VPN, and if you use a service like dyndns you would never have to worry about your IP changing again. You just need to find a dynamic DNS service that is in your cost range (whether it be free or 20 a year, that is up to you to decide), then run the dynamic client on your computer to update that host record on their side so it changes within minutes of your IP changing. No big deal, and there are several free ones. I believe dyndns is still free for one account per email address you set up with them, so you have to set up 2.
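
The dynamic DNS suggestion above, as an added example that is not part of the original thread: a POSIX shell sketch that resolves a dynamic DNS name and rewrites one marked rule in a hosts.allow-style file, leaving the file untouched when resolution fails or returns something that is not an IPv4 address. The marker comments, function names and arguments are assumptions; it manages only the allow entry and expects the matching deny rule to exist already.

```shell
#!/bin/sh
# Added example: keep one allow rule in a hosts.allow-style file in step with
# a dynamic DNS name. The marker text is a hypothetical label for this sketch;
# file path, daemon name and DDNS hostname are supplied by the caller.
BEGIN='# BEGIN dyn-admin'
END='# END dyn-admin'

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  vi_old=$IFS; IFS=.; set -- $1; IFS=$vi_old
  [ $# -eq 4 ] || return 1
  for vi_o in "$@"; do
    [ ${#vi_o} -le 3 ] && [ "$vi_o" -le 255 ] || return 1
  done
}

# update_allow FILE DAEMON IP
# Returns 0 if the file was rewritten, 1 if the rule was already current,
# 2 if the input was rejected (the file is not touched in that case).
update_allow() {
  ua_file=$1 ua_daemon=$2 ua_ip=$3
  valid_ipv4 "$ua_ip" || return 2
  case $ua_daemon in ''|*[!A-Za-z0-9_-]*) return 2 ;; esac
  ua_rule="$ua_daemon : $ua_ip"
  # Read the rule currently inside the managed block, if any.
  ua_cur=$(sed -n "/^$BEGIN\$/,/^$END\$/{/^#/!p;}" "$ua_file")
  [ "$ua_cur" = "$ua_rule" ] && return 1
  ua_tmp=$(mktemp "$ua_file.XXXXXX") || return 2
  # Drop the old managed block, keep every other line, append the new block.
  sed "/^$BEGIN\$/,/^$END\$/d" "$ua_file" > "$ua_tmp"
  printf '%s\n%s\n%s\n' "$BEGIN" "$ua_rule" "$END" >> "$ua_tmp"
  chmod 644 "$ua_tmp"          # mktemp creates 0600; daemons must read the file
  mv -- "$ua_tmp" "$ua_file"   # rename within one directory replaces it in one step
}

# sync_from_dns FILE DAEMON DDNS_NAME
# Resolves the name (needs network); an empty or malformed answer is rejected
# by update_allow, so a DNS outage never removes the existing rule.
sync_from_dns() {
  sd_ip=$(getent ahostsv4 "$3" | awk 'NR==1 {print $1}')
  update_allow "$1" "$2" "$sd_ip"
}

# Run only when called with the three arguments, e.g. from cron.
if [ $# -eq 3 ]; then sync_from_dns "$@"; fi
```

Run from cron every few minutes, it leaves the file alone unless the resolved address actually changed.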


Good point on the dynamic DNS :) I didn't consider that. We are moving and will be in our new residence in about 1.5 weeks and then my IP will change for sure.

In regards to exposing my server directly to the internet, that is sort of the point as I am hosting web sites, so can't hide it. But, I know I could close port 2087, to the outside world.
