LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 09-14-2004, 11:47 AM   #1
DoubleOTeC
Member
 
Registered: Aug 2003
Location: Dominica
Distribution: RedHat, FC1, FC3, FC4
Posts: 266

Rep: Reputation: 30
ssh login - host restriction


Hey all...

I've done some searching on the restriction of SSH and come up with a few threads. The problem is they all only work with static and known IP addresses.

Scenario: At work I have linux servers for which I am responsible. If for some reason a service were to go down at 2 am...i'm likely to get a call saying that this must be rectified.

I'm thinking...no way i want to leave my house in such a case but anyhue...

I've opened up the ssh port in the firewall, updated OpenSSH, restricted root access etc. but I'm interested, for security sake, in restricting the points from which access is available. That is, i want ssh logins to be accepted from my PC...and no other. However, my IP isn't static.

Can i get it to allow based on my host name, my mac address, or any other method.

Currently the /etc/hosts.allow and .deny files restrict any non internal access... great...i want to open to one machine.

Can i?
Thoughts, suggestions, ideas, docs, links....?

Any help would be appreciated

merci
 
Old 09-14-2004, 12:19 PM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
you can get it to allow an ip range - from the subnet your ISP generally assigns a dhcp address to you.

I am not sure if you would be able to control access based on MAC address.... better try out.

Or you can use AllowUsers parameter in your sshd_config file(s). OR opt for passwordless authentication using Public Key.
 
Old 09-14-2004, 12:55 PM   #3
DoubleOTeC
Member
 
Registered: Aug 2003
Location: Dominica
Distribution: RedHat, FC1, FC3, FC4
Posts: 266

Original Poster
Rep: Reputation: 30
thanx for response...

Re MAC Address....don't know where to begin

the subnet idea occured to me....but the range is wide considering that my ISP sometimes gives me a 200.*.*.* IP or a 6*.*.*.* IP....

AllowUsers parameter is already in effect.

with regards to the public key....will this work despite the IP of the host?
 
Old 09-14-2004, 01:08 PM   #4
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Quote:
Re MAC Address....don't know where to begin
you can create an iptables rule using the

-m mac --mac-source xx.xx.xx.xx.xx.xx parameter
 
Old 09-14-2004, 02:20 PM   #5
DoubleOTeC
Member
 
Registered: Aug 2003
Location: Dominica
Distribution: RedHat, FC1, FC3, FC4
Posts: 266

Original Poster
Rep: Reputation: 30
I'm liking the MAC address idea more and more....can't believe that didn't at all cross my mind

Insteresting case though...I have a PPPoE connection, my ppp0 device has no MAC address...can i still make this work for me?

Also to clarify the iptables rul would let me in ...but i would have to slacken the rules in the /etc/hosts.allow and .deny files...?

thanx
 
Old 09-14-2004, 02:42 PM   #6
DoubleOTeC
Member
 
Registered: Aug 2003
Location: Dominica
Distribution: RedHat, FC1, FC3, FC4
Posts: 266

Original Poster
Rep: Reputation: 30
K....i got a MAC address for my machine by ethereal-ing from a remote PC

will try....and get back
 
Old 09-14-2004, 03:53 PM   #7
DoubleOTeC
Member
 
Registered: Aug 2003
Location: Dominica
Distribution: RedHat, FC1, FC3, FC4
Posts: 266

Original Poster
Rep: Reputation: 30
Ok....i think that's my MAC address...

I put in the rule to allow access on the internet interface and was happy when i got signs of connection from the test external machine. That was short-lived cause tests from another external machine revealed the same restults...

in the words of a local musician "Where do we go from here...where do we go...we need to knoo-o-ow"
 
Old 09-15-2004, 12:43 PM   #8
DoubleOTeC
Member
 
Registered: Aug 2003
Location: Dominica
Distribution: RedHat, FC1, FC3, FC4
Posts: 266

Original Poster
Rep: Reputation: 30
ok....ammmm...re the /etc/hosts.allow and hosts.deny idea:

can I get it to hosts.allow a domain name instead of and IP?
 
Old 09-15-2004, 10:28 PM   #9
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Since you are trying to connect from home to work, MAC address filtering is not the proper solution. Layer 2 MAC addresses are rewritten by each router along the path to the final Layer 3 (IP) destination. Your companies firewall will always see the MAC address of your upstream ISP router, not the MAC address of your home PC/firewall. FWIW: MAC address filtering is typically used on the same subnet.

As others have pointed out, the best solution to your problem (although not perfect) is to try and find the IP address ranges your ISP assigns through DHCP and add the appropiate rules to your compaines firewall. Or... you can do what I did and change your home ISP account from residential to business class. i.e. static IP. Yes, a business class service will cost more, but maybe you can convince your company to pick up the additional costs in the name of security.

Good luck!
 
Old 09-15-2004, 11:11 PM   #10
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Quote:
scowles wrote ...
Since you are trying to connect from home to work, MAC address filtering is not the proper solution. Layer 2 MAC addresses are rewritten by each router along the path to the final Layer 3 (IP) destination. Your companies firewall will always see the MAC address of your upstream ISP router, not the MAC address of your home PC/firewall.
Thanks for clarifying ... I was very much in doubt .... the reason why I wrote "better to try out" in my first post here.

Quote:
DoubleOTeC wrote ...
can I get it to hosts.allow a domain name instead of and IP?
check the hosts.allow man page ... yes, you can use a domain name.
 
Old 09-17-2004, 08:42 AM   #11
DoubleOTeC
Member
 
Registered: Aug 2003
Location: Dominica
Distribution: RedHat, FC1, FC3, FC4
Posts: 266

Original Poster
Rep: Reputation: 30
Thanx for ur replies.

Considering the static IP, but sure as heaven the company won't pay for it.

Anyhue...i tried the /etc/hosts.allow with my domain name...this time and b4 i asked the question.

This time however i thought to check the secure logs and see if anything was being noted.

This is what i noticed in the log:
...sshd[12481]: warning: /etc/hosts.allow, line 10: can't verify hostname: getaddrinfo(<domain name>, AF_INET) failed

also:
...sshd[12592]: refused connect from <MY IP>
Any words/thougts?

Where is this getaddrinfo function supposed to be anyway?

Last edited by DoubleOTeC; 09-17-2004 at 08:45 AM.
 
Old 09-24-2004, 12:44 AM   #12
micxz
Senior Member
 
Registered: Oct 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
Quote:
Originally posted by DoubleOTeC
also:
...sshd[12592]: refused connect from <MY IP>
Any words/thougts?
This is the sshd config. Do you have some AllowUsers or DenyUsers options in there blocking you? You should setup key login only for better security.

Quote:
Where is this getaddrinfo function supposed to be anyway?
To the best of my knowledge I think this means that "<domain name>" has no reverse lookup. I'm willing to bet the first non-commented line in /etc/hosts.deny on your machine is on line 10.
 
Old 09-27-2004, 09:18 AM   #13
DoubleOTeC
Member
 
Registered: Aug 2003
Location: Dominica
Distribution: RedHat, FC1, FC3, FC4
Posts: 266

Original Poster
Rep: Reputation: 30
no...there aren't any config issues blocking me....cause when i allow access from all hosts, i can get through

And the first uncommented line in my /etc/hosts.deny is actually line 9...hahahahaha

i figure ur talking about the ALL:ALL ....this affects the acceptance of non-reverse lookup-able IP's?

how so?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh: No route to host thanhvn Linux - Software 6 06-30-2005 08:18 AM
ssh from an untrusted host ddaas Linux - Security 1 03-30-2005 01:31 PM
How to setup a host.deny and host.allow for SSH? explorer1979 Linux - Security 2 01-31-2005 06:28 PM
Apply login restriction via PAM elduder12345 Linux - Security 1 09-28-2003 09:26 AM
User restriction on SSH RKris Linux - Software 5 06-22-2003 12:38 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 06:59 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration