Automatic Whitelist Updating

Started by thoth, November 14, 2025, 01:58:36 AM

I want to keep a list of whitelisted IPs for a service that is on 443.

I am a regular user of fail2ban and encourage everyone to use it and its alternatives.

However, there are times when I want to personally monitor a service and vet all failures.

At times I'd like to reduce the amount of logs by restricting the IPs that can possibly generate logs.

Problem 1 - due to the nature of dynamic IPs, sometimes the IP changes for one of my limited list of users; I want to provide them a way to update their IP without giving them access in OPNsense.

bad solutions:
1. SSO - best solution if possible, but I have some users whose clients are not capable
2. basic auth - this also breaks many of the clients of my users
3. use port knocking - I know, bad idea, hence this post, but I could see providing some script (python etc.) that a client could run that would merely update their IP

other ideas?

Today at 04:29:05 AM #1 Last Edit: Today at 04:37:01 AM by thoth
one idea I can recommend is following the tutorial here https://forum.opnsense.org/index.php?topic=23339.0

and then using passwords for the subdomains in the map file, for a poor man's multi-factor authentication,
i.e.
1. user
2. pass
3. subdomain

as this is all behind https and SNI is still sent in plain text, it is not really difficult to know the subdomain, but you can easily swap that out on an interval if need be. So it is more or less a plain text password sent over the internet. However, this greatly reduces the logs that need to be audited by my human eyes. Again I'd greatly prefer an automated whitelisting method with just about any other method.
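The "script the client runs to update their IP" idea from the first post, and the plaintext-password concern from the second, can be combined into one small mechanism: each user holds a per-user shared secret, the client sends a timestamped HMAC over its username, and the server takes the source address from the connection itself (never from the message) and replaces that user's allowlist entry. Below is an added illustration of that server/client logic; it is not code from this thread, from OPNsense, or from the linked HAProxy tutorial. It assumes the request travels over HTTPS, that the server has a table of per-user secrets, a 60-second freshness window and a per-user "last accepted timestamp" for replay rejection, and it renders the allowlist as one address per line, which is an assumed format for whatever alias or map file the firewall consumes.

```python
"""Self-service allowlist update signed with a per-user shared secret.

Added example for the thread above (not OPNsense or HAProxy code).
Assumptions: transport is HTTPS; the server derives the client address
from the connection; secrets, window and output format are illustrative.
"""
import hashlib
import hmac
import ipaddress
import time
from typing import Dict, Optional, Tuple

# Freshness window for a signed request, in seconds (assumed value).
WINDOW_SECONDS = 60


def _mac(secret: bytes, user: str, ts: int) -> str:
    """HMAC-SHA256 over user|timestamp; the IP is deliberately not signed,
    the server binds the update to the address the request arrives from."""
    return hmac.new(secret, f"{user}|{ts}".encode(), hashlib.sha256).hexdigest()


def sign_update(user: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Client side: build the request body the user's script would POST."""
    ts = int(time.time() if now is None else now)
    return {"user": user, "ts": str(ts), "mac": _mac(secret, user, ts)}


class AllowlistUpdater:
    """Server side: verify a request and record the caller's source IP."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets              # user -> shared secret (assumed store)
        self.allowlist: Dict[str, str] = {} # user -> currently allowed IP
        self.last_ts: Dict[str, int] = {}   # user -> last accepted timestamp

    def apply(self, msg: dict, source_ip: str,
              now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time() if now is None else now)
        user = msg.get("user")
        secret = self.secrets.get(user)
        if secret is None:
            return False, "unknown user"
        try:
            ts = int(msg["ts"])
        except (KeyError, TypeError, ValueError):
            return False, "bad timestamp"
        # Constant-time comparison so MAC checking does not leak by timing.
        if not hmac.compare_digest(_mac(secret, user, ts), str(msg.get("mac", ""))):
            return False, "bad mac"
        if abs(now - ts) > WINDOW_SECONDS:
            return False, "stale"
        # A captured request may only be used once: timestamps must increase.
        if ts <= self.last_ts.get(user, -1):
            return False, "replay"
        try:
            ip = ipaddress.ip_address(source_ip)   # address seen on the socket
        except ValueError:
            return False, "bad source ip"
        self.last_ts[user] = ts
        self.allowlist[user] = str(ip)
        return True, "updated"

    def render(self) -> str:
        """One address per line, de-duplicated (assumed alias/map format)."""
        return "\n".join(sorted(set(self.allowlist.values()))) + "\n"


if __name__ == "__main__":
    # Constructed demo data, not real users or addresses.
    server = AllowlistUpdater({"alice": b"alice-secret"})
    request = sign_update("alice", b"alice-secret")
    print(server.apply(request, "203.0.113.7"))   # accepted
    print(server.apply(request, "203.0.113.7"))   # same request again: replay
    print(server.render(), end="")
```

The secret never crosses the wire, so unlike the user/pass/subdomain map-file approach an observer of the request cannot recover a reusable credential; what they could replay is rejected by the timestamp rule, and even a fresh forgery only ever allowlists the address it is sent from. Rate-limit the endpoint and log rejections, since failures here are exactly the events the poster wants to vet by hand.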