LinuxQuestions.org

LinuxQuestions.org > Linux - Networking > ssh login - host restriction
https://www.linuxquestions.org/questions/linux-networking-3/ssh-login-host-restriction-230500/

DoubleOTeC 09-14-2004 10:47 AM

ssh login - host restriction
 
Hey all...

I've done some searching on the restriction of SSH and come up with a few threads. The problem is they all only work with static and known IP addresses.

Scenario: At work I have Linux servers for which I am responsible. If for some reason a service were to go down at 2 am... I'm likely to get a call saying that this must be rectified.

I'm thinking... no way I want to leave my house in such a case, but anyhow...

I've opened up the SSH port in the firewall, updated OpenSSH, restricted root access etc., but I'm interested, for security's sake, in restricting the points from which access is available. That is, I want SSH logins to be accepted from my PC... and no other. However, my IP isn't static.

Can I get it to allow based on my hostname, my MAC address, or any other method?

Currently the /etc/hosts.allow and .deny files restrict any non-internal access... great... I want to open it to one machine.

Can i?
Thoughts, suggestions, ideas, docs, links....?

Any help would be appreciated

merci

ppuru 09-14-2004 11:19 AM

You can get it to allow an IP range - from the subnet your ISP generally assigns a DHCP address to you.

I am not sure if you would be able to control access based on MAC address.... better try out.

Or you can use AllowUsers parameter in your sshd_config file(s). OR opt for passwordless authentication using Public Key.

DoubleOTeC 09-14-2004 11:55 AM

Thanks for the response...

Re MAC Address....don't know where to begin

The subnet idea occurred to me... but the range is wide, considering that my ISP sometimes gives me a 200.*.*.* IP or a 6*.*.*.* IP....

AllowUsers parameter is already in effect.

With regard to the public key... will this work despite the IP of the host?

ppuru 09-14-2004 12:08 PM

Quote:

Re MAC Address....don't know where to begin

You can create an iptables rule using the

-m mac --mac-source xx:xx:xx:xx:xx:xx parameter

DoubleOTeC 09-14-2004 01:20 PM

I'm liking the MAC address idea more and more... can't believe that didn't at all cross my mind.

Interesting case though... I have a PPPoE connection, my ppp0 device has no MAC address... can I still make this work for me?

Also, to clarify, the iptables rule would let me in... but I would have to slacken the rules in the /etc/hosts.allow and .deny files...?

thanks

DoubleOTeC 09-14-2004 01:42 PM

OK... I got a MAC address for my machine by Ethereal-ing from a remote PC

will try....and get back

DoubleOTeC 09-14-2004 02:53 PM

OK... I think that's my MAC address...

I put in the rule to allow access on the internet interface and was happy when I got signs of connection from the test external machine. That was short-lived because tests from another external machine revealed the same results... :(

in the words of a local musician "Where do we go from here...where do we go...we need to knoo-o-ow"

DoubleOTeC 09-15-2004 11:43 AM

OK... umm... re the /etc/hosts.allow and hosts.deny idea:

Can I get it to hosts.allow a domain name instead of an IP?

scowles 09-15-2004 09:28 PM

Since you are trying to connect from home to work, MAC address filtering is not the proper solution. Layer 2 MAC addresses are rewritten by each router along the path to the final Layer 3 (IP) destination. Your company's firewall will always see the MAC address of your upstream ISP router, not the MAC address of your home PC/firewall. FWIW: MAC address filtering is typically used on the same subnet.

As others have pointed out, the best solution to your problem (although not perfect) is to try and find the IP address ranges your ISP assigns through DHCP and add the appropriate rules to your company's firewall. Or... you can do what I did and change your home ISP account from residential to business class, i.e., a static IP. Yes, a business class service will cost more, but maybe you can convince your company to pick up the additional costs in the name of security.

Good luck!

ppuru 09-15-2004 10:11 PM

Quote:

scowles wrote ...
Since you are trying to connect from home to work, MAC address filtering is not the proper solution. Layer 2 MAC addresses are rewritten by each router along the path to the final Layer 3 (IP) destination. Your company's firewall will always see the MAC address of your upstream ISP router, not the MAC address of your home PC/firewall.

Thanks for clarifying ... I was very much in doubt .... the reason why I wrote "better to try out" in my first post here.

Quote:

DoubleOTeC wrote ...
Can I get it to hosts.allow a domain name instead of an IP?

Check the hosts.allow man page ... yes, you can use a domain name.

DoubleOTeC 09-17-2004 07:42 AM

Thanks for your replies.

Considering the static IP, but sure as heaven the company won't pay for it.

Anyhow... I tried the /etc/hosts.allow with my domain name... this time and before I asked the question.

This time, however, I thought to check the secure logs and see if anything was being noted.

This is what I noticed in the log:

...sshd[12481]: warning: /etc/hosts.allow, line 10: can't verify hostname: getaddrinfo(<domain name>, AF_INET) failed

also:

...sshd[12592]: refused connect from <MY IP>

Any words/thoughts?

Where is this getaddrinfo function supposed to be anyway?

micxz 09-23-2004 11:44 PM

Quote:

Originally posted by DoubleOTeC
also:
...sshd[12592]: refused connect from <MY IP>
Any words/thoughts?

This is the sshd config. Do you have some AllowUsers or DenyUsers options in there blocking you? You should set up key login only for better security.

Quote:

Where is this getaddrinfo function supposed to be anyway?

To the best of my knowledge I think this means that "<domain name>" has no reverse lookup. I'm willing to bet the first non-commented line in /etc/hosts.deny on your machine is on line 10.

DoubleOTeC 09-27-2004 08:18 AM

No... there aren't any config issues blocking me... because when I allow access from all hosts, I can get through.

And the first uncommented line in my /etc/hosts.deny is actually line 9... hahahahaha

I figure you're talking about the ALL:ALL.... this affects the acceptance of non-reverse-lookup-able IPs?

how so?
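The thread's hosts.allow problem comes down to how TCP wrappers (libwrap, which sshd uses here) matches a hostname pattern: it never forward-resolves the name written in hosts.allow. It reverse-resolves the connecting IP, forward-resolves that PTR name again to verify it, and compares the pattern against the verified name, so a forward-only dynamic-DNS name cannot match, and a PTR name whose forward record is missing produces exactly the "can't verify hostname: getaddrinfo(...) failed" warning seen above. The following simplified model of that check is added here as an illustration; it is not code from the thread or from tcp_wrappers, and the DNS tables, IPs and hostnames are constructed assumptions.

```python
# Constructed DNS tables standing in for real resolvers (assumption, not real records).
PTR_RECORDS = {
    "203.0.113.45": "dyn-45.example-isp.net",   # ISP's generic reverse name
    "198.51.100.7": "stale.example.net",        # PTR exists, forward record is gone
}
A_RECORDS = {
    "dyn-45.example-isp.net": ["203.0.113.45"],
    "myhome.dyndns.example": ["203.0.113.45"],  # forward-only dynamic-DNS name
}

def reverse_lookup(ip):
    return PTR_RECORDS.get(ip)

def forward_lookup(name):
    return A_RECORDS.get(name)

def client_hostname(ip, log):
    """Model of the tcp_wrappers peer check: reverse-resolve the peer IP,
    forward-resolve that name, and accept it only if the peer IP is among
    the answers. Otherwise the peer is treated as UNKNOWN or PARANOID."""
    name = reverse_lookup(ip)
    if name is None:
        return "UNKNOWN"
    addrs = forward_lookup(name)
    if addrs is None:
        log.append(f"warning: can't verify hostname: getaddrinfo({name}, AF_INET) failed")
        return "PARANOID"
    if ip not in addrs:
        log.append(f"warning: host name/address mismatch: {ip} != {name}")
        return "PARANOID"
    return name

def pattern_matches(pattern, ip, hostname):
    """One hosts.allow client pattern, matched the way tcp_wrappers does:
    compared against the *verified* hostname, never forward-resolved itself."""
    if pattern == "ALL":
        return True
    if pattern[0].isdigit():                       # address, or prefix ending in '.'
        return ip == pattern or (pattern.endswith(".") and ip.startswith(pattern))
    if pattern.startswith("."):                    # domain suffix
        return hostname.endswith(pattern)
    return hostname.lower() == pattern.lower()

def sshd_accepts(allow_patterns, ip):
    """Simulate 'sshd: <patterns>' in hosts.allow with 'ALL: ALL' in hosts.deny.
    Returns (accepted, log_lines) so the warning/refusal can be inspected."""
    log = []
    host = client_hostname(ip, log)
    accepted = any(pattern_matches(p, ip, host) for p in allow_patterns)
    if not accepted:
        log.append(f"refused connect from {ip}")
    return accepted, log
```

With these tables, allowing "myhome.dyndns.example" refuses the home IP because its PTR name is the ISP's generic one, while a domain-suffix pattern such as ".example-isp.net" admits it (and every other customer sharing that reverse domain, which is the trade-off the thread's subnet suggestion also carries).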

