ssh login - host restriction
Hey all...
I've done some searching on the restriction of SSH and come up with a few threads. The problem is they all only work with static and known IP addresses.

Scenario: At work I have Linux servers for which I am responsible. If for some reason a service were to go down at 2 am... I'm likely to get a call saying that this must be rectified. I'm thinking... no way I want to leave my house in such a case, but anyhow... I've opened up the SSH port in the firewall, updated OpenSSH, restricted root access etc., but I'm interested, for security's sake, in restricting the points from which access is available. That is, I want SSH logins to be accepted from my PC... and no other. However, my IP isn't static. Can I get it to allow based on my host name, my MAC address, or any other method?

Currently the /etc/hosts.allow and .deny files restrict any non-internal access... great... I want to open it to one machine. Can I?

Thoughts, suggestions, ideas, docs, links...? Any help would be appreciated, merci
You can get it to allow an IP range, from the subnet your ISP generally assigns a DHCP address to you from.
I am not sure if you would be able to control access based on MAC address... better try it out. Or you can use the AllowUsers parameter in your sshd_config file(s). Or opt for passwordless authentication using a public key.
Thanks for the response...
Re MAC address... don't know where to begin. The subnet idea occurred to me... but the range is wide considering that my ISP sometimes gives me a 200.*.*.* IP or a 6*.*.*.* IP.... The AllowUsers parameter is already in effect. With regards to the public key... will this work regardless of the IP of the host?
Quote:
-m mac --mac-source xx.xx.xx.xx.xx.xx parameter
I'm liking the MAC address idea more and more... can't believe that didn't cross my mind at all.
Interesting case though... I have a PPPoE connection, and my ppp0 device has no MAC address... can I still make this work for me? Also, to clarify: the iptables rule would let me in... but I would have to slacken the rules in the /etc/hosts.allow and .deny files...? Thanks
OK... I got a MAC address for my machine by running Ethereal from a remote PC.
Will try... and get back.
OK... I think that's my MAC address...
I put in the rule to allow access on the internet interface and was happy when I got signs of connection from the test external machine. That was short-lived because tests from another external machine revealed the same results... :( In the words of a local musician: "Where do we go from here... where do we go... we need to knoo-o-ow"
OK... um... re the /etc/hosts.allow and hosts.deny idea:
can I get hosts.allow to accept a domain name instead of an IP?
Since you are trying to connect from home to work, MAC address filtering is not the proper solution. Layer 2 MAC addresses are rewritten by each router along the path to the final Layer 3 (IP) destination. Your company's firewall will always see the MAC address of your upstream ISP router, not the MAC address of your home PC/firewall. FWIW: MAC address filtering is typically used on the same subnet.
As others have pointed out, the best solution to your problem (although not perfect) is to try and find the IP address ranges your ISP assigns through DHCP and add the appropriate rules to your company's firewall. Or... you can do what I did and change your home ISP account from residential to business class, i.e. a static IP. Yes, a business class service will cost more, but maybe you can convince your company to pick up the additional costs in the name of security. Good luck!
Thanks for your replies.
Considering the static IP, but sure as heaven the company won't pay for it. Anyhow... I tried /etc/hosts.allow with my domain name... this time and before I asked the question. This time, however, I thought to check the secure logs and see if anything was being noted. This is what I noticed in the log:

...sshd[12481]: warning: /etc/hosts.allow, line 10: can't verify hostname: getaddrinfo(<domain name>, AF_INET) failed

also:

...sshd[12592]: refused connect from <MY IP>

Any words/thoughts? Where is this getaddrinfo function supposed to be anyway?
No... there aren't any config issues blocking me... because when I allow access from all hosts, I can get through.
And the first uncommented line in my /etc/hosts.deny is actually line 9... hahahahaha. I figure you're talking about the ALL:ALL... this affects the acceptance of IPs that can't be reverse-looked-up? How so?
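The two log lines quoted above, and the question about ALL:ALL and hosts that cannot be reverse-resolved, both come down to how tcp_wrappers (the library behind /etc/hosts.allow and /etc/hosts.deny) turns a connecting IP into a client name before it ever compares that name with a hostname pattern. The following is an added example written for this page, not tcp_wrappers source and not anything posted in the thread. It models that lookup with constructed DNS tables (addresses from the 203.0.113.0/24 documentation range, names under the hypothetical dyn.example.net) and a constructed hosts.allow/hosts.deny pair of the kind being discussed; EXCEPT lists, netgroups, netmasks and option fields are left out.

```python
"""Model of tcp_wrappers client-name resolution and ACL matching.
Added example code, not tcp_wrappers source: DNS data is constructed."""

from dataclasses import dataclass, field

# Constructed resolver data standing in for real DNS.
PTR_RECORDS = {                                # IP -> reverse (PTR) name
    "203.0.113.7": "home.dyn.example.net",     # PTR and A records agree
    "203.0.113.8": "home.dyn.example.net",     # name resolves, but not to this IP
    "203.0.113.10": "nowhere.dyn.example.net", # name has no forward record
    # 203.0.113.9 deliberately has no PTR record at all
}
A_RECORDS = {                                  # name -> forward (A) addresses
    "home.dyn.example.net": ["203.0.113.7"],
}

UNKNOWN = "unknown"     # no PTR record: tcp_wrappers calls the host "unknown"
PARANOID = "paranoid"   # PTR name failed forward confirmation


@dataclass
class Client:
    addr: str
    name: str
    warnings: list = field(default_factory=list)


def resolve_client(addr):
    """Forward-confirmed reverse lookup, as tcp_wrappers' socket.c does it."""
    client = Client(addr, UNKNOWN)
    name = PTR_RECORDS.get(addr)
    if name is None:
        return client                          # no PTR -> name stays "unknown"
    forward = A_RECORDS.get(name)
    if forward is None:
        # The situation behind the "can't verify hostname" log line.
        client.warnings.append(
            f"can't verify hostname: getaddrinfo({name}, AF_INET) failed")
        client.name = PARANOID
    elif addr not in forward:
        client.warnings.append(f"host name/address mismatch: {addr} != {name}")
        client.name = PARANOID
    else:
        client.name = name
    return client


def token_matches(token, client):
    """One client-list token from hosts.allow/hosts.deny against the client."""
    named = client.name not in (UNKNOWN, PARANOID)
    if token == "ALL":
        return True
    if token == "KNOWN":
        return named
    if token == "UNKNOWN":
        return client.name == UNKNOWN
    if token == "PARANOID":
        return client.name == PARANOID
    if token.startswith("."):      # ".example.net": domain suffix, needs a verified name
        return named and client.name.endswith(token)
    if token.endswith("."):        # "192.168.1.": address prefix, no DNS involved
        return client.addr.startswith(token)
    return token == client.addr or (named and token == client.name)


def parse_rules(text):
    """'daemon_list : client_list' lines; comments and blank lines ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def rules_match(rules, daemon, client):
    for daemons, clients in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(token_matches(c, client) for c in clients):
            return True
    return False


def access_allowed(hosts_allow, hosts_deny, daemon, addr):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    client = resolve_client(addr)
    if rules_match(parse_rules(hosts_allow), daemon, client):
        return True, client
    if rules_match(parse_rules(hosts_deny), daemon, client):
        return False, client
    return True, client


# Constructed configuration of the kind discussed in the thread.
HOSTS_ALLOW = "ALL:  192.168.1.\nsshd: .dyn.example.net\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for ip in ("192.168.1.20", "203.0.113.7", "203.0.113.8",
               "203.0.113.9", "203.0.113.10"):
        ok, c = access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip)
        print(f"{ip:14} name={c.name:22} {'allowed' if ok else 'refused'}",
              *c.warnings)
```

What the run shows: only 203.0.113.7, whose PTR name forward-resolves back to the same address, is matched by the `.dyn.example.net` pattern. An address with no PTR record becomes "unknown", and one whose PTR name does not forward-resolve becomes "paranoid" with the getaddrinfo warning; neither can match a hostname pattern, so both fall through to `ALL: ALL` in hosts.deny and are refused. The address-prefix rule `192.168.1.` never touches DNS, which is why internal hosts keep working. The practical consequence for a hostname in hosts.allow is that it is compared with the name the ISP's reverse DNS gives the connecting address, not with a dynamic-DNS name the client has pointed at itself.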