LinuxQuestions.org > Linux - Networking. This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I've done some searching on the restriction of SSH and come up with a few threads. The problem is they all only work with static and known IP addresses.
Scenario: At work I have Linux servers for which I am responsible. If for some reason a service were to go down at 2 am... I'm likely to get a call saying that this must be rectified.
I'm thinking... no way I want to leave my house in such a case, but anyhue...
I've opened up the SSH port in the firewall, updated OpenSSH, restricted root access etc., but I'm interested, for security's sake, in restricting the points from which access is available. That is, I want SSH logins to be accepted from my PC... and no other. However, my IP isn't static.
Can I get it to allow based on my host name, my MAC address, or any other method?
Currently the /etc/hosts.allow and .deny files restrict any non-internal access... great... I want to open it to one machine.
Can I?
Thoughts, suggestions, ideas, docs, links....?
I put in the rule to allow access on the internet interface and was happy when I got signs of connection from the test external machine. That was short-lived 'cause tests from another external machine revealed the same results...
in the words of a local musician "Where do we go from here...where do we go...we need to knoo-o-ow"
Since you are trying to connect from home to work, MAC address filtering is not the proper solution. Layer 2 MAC addresses are rewritten by each router along the path to the final Layer 3 (IP) destination. Your company's firewall will always see the MAC address of your upstream ISP router, not the MAC address of your home PC/firewall. FWIW: MAC address filtering is typically used on the same subnet.
As others have pointed out, the best solution to your problem (although not perfect) is to try and find the IP address ranges your ISP assigns through DHCP and add the appropriate rules to your company's firewall. Or... you can do what I did and change your home ISP account from residential to business class, i.e. static IP. Yes, a business class service will cost more, but maybe you can convince your company to pick up the additional costs in the name of security.
scowles wrote ...
Since you are trying to connect from home to work, MAC address filtering is not the proper solution. Layer 2 MAC addresses are rewritten by each router along the path to the final Layer 3 (IP) destination. Your company's firewall will always see the MAC address of your upstream ISP router, not the MAC address of your home PC/firewall.
Thanks for clarifying ... I was very much in doubt .... the reason why I wrote "better to try out" in my first post here.
Quote:
DoubleOTeC wrote ...
can I get it to hosts.allow a domain name instead of an IP?
check the hosts.allow man page ... yes, you can use a domain name.
Considering the static IP, but sure as heaven the company won't pay for it.
Anyhue... I tried the /etc/hosts.allow with my domain name... this time and b4 I asked the question.
This time, however, I thought to check the secure logs and see if anything was being noted.
This is what I noticed in the log:
...sshd[12481]: warning: /etc/hosts.allow, line 10: can't verify hostname: getaddrinfo(<domain name>, AF_INET) failed
also:
...sshd[12592]: refused connect from <MY IP>
Any words/thoughts?
Where is this getaddrinfo function supposed to be anyway?
Last edited by DoubleOTeC; 09-17-2004 at 07:45 AM.
Originally posted by DoubleOTeC
also:
...sshd[12592]: refused connect from <MY IP>
Any words/thoughts?
This is the sshd config. Do you have some AllowUsers or DenyUsers options in there blocking you? You should set up key login only for better security.
Quote:
Where is this getaddrinfo function supposed to be anyway?
To the best of my knowledge I think this means that "<domain name>" has no reverse lookup. I'm willing to bet the first non-commented line in /etc/hosts.deny on your machine is on line 10.
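Added example, not from the thread and not tcp_wrappers' own code: a small Python model of how /etc/hosts.allow and /etc/hosts.deny client lists are matched, covering the domain-name entries discussed above, the net/mask entries scowles suggests for an ISP's DHCP pool, and the reverse/forward DNS cross-check that lies behind the "can't verify hostname" warning in DoubleOTeC's log. Every hostname, address and rule file below is constructed (RFC 5737 / RFC 2606 documentation names), and DNS is replaced by dicts so the code runs offline; it models only a subset of what hosts_access(5) describes (no KNOWN/UNKNOWN/EXCEPT tokens, no IPv6, no shell commands).

```python
"""Model of tcp_wrappers host matching (hosts_access(5)) with fake DNS.

The real library calls getnameinfo()/getaddrinfo(); here the reverse (PTR)
and forward (A) tables are dicts so the example runs offline.  Everything in
this file is constructed for illustration."""

import ipaddress

# Constructed fake DNS.  PTR: what the ISP publishes for each address.
FAKE_PTR = {
    "203.0.113.45": "dyn-45.isp.example",
    "203.0.113.99": "dyn-99.isp.example",
    "198.51.100.7": "office-gw.corp.example",
}
# Constructed forward records.  Note the user's dynamic-DNS name points at
# 203.0.113.45, but the PTR for that address is the ISP's generic name.
FAKE_A = {
    "dyn-45.isp.example": ["203.0.113.45"],
    "dyn-99.isp.example": ["203.0.113.1"],      # stale PTR: forward lookup disagrees
    "office-gw.corp.example": ["198.51.100.7"],
    "myhome.dyndns.example": ["203.0.113.45"],  # the user's dynamic-DNS name
}


def verified_hostname(ip, ptr=FAKE_PTR, a=FAKE_A):
    """Return the client's name only if PTR(ip) resolves forward back to ip.

    tcp_wrappers performs this cross-check before trusting a name; on failure
    it logs "can't verify hostname" and calls the client PARANOID."""
    name = ptr.get(ip)
    if name is None or ip not in a.get(name, []):
        return None
    return name


def is_address_token(tok):
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False


def needs_hostname(tok):
    """True for tokens that can only match by comparing against a name."""
    return tok != "ALL" and "/" not in tok and not is_address_token(tok)


def client_matches(tok, ip, hostname):
    """Match one client-list token the way hosts_access(5) describes it."""
    if tok == "ALL":
        return True
    if "/" in tok:                          # 203.0.113.0/255.255.255.0 or /24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)
    if is_address_token(tok):
        return tok == ip
    if hostname is None:                    # unverifiable name matches no name token
        return False
    if tok.startswith("."):                 # .corp.example: any host below it
        return hostname.lower().endswith(tok.lower())
    return hostname.lower() == tok.lower()  # exact name, case-insensitive


def parse_rules(text):
    """Parse 'daemon_list : client_list [: command]' lines; '#' lines and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")            # IPv4 only, so ':' is a safe separator
        rules.append(([d.strip() for d in fields[0].split(",")],
                      [c.strip() for c in fields[1].split(",")]))
    return rules


def check_access(allow_text, deny_text, daemon, ip, ptr=FAKE_PTR, a=FAKE_A):
    """Return (allowed, warnings) in hosts_access search order:
    a hosts.allow match grants, else a hosts.deny match refuses, else grant."""
    hostname = verified_hostname(ip, ptr, a)
    warnings = []

    def first_match(rules):
        for daemons, clients in rules:
            if daemon not in daemons and "ALL" not in daemons:
                continue
            for tok in clients:
                if needs_hostname(tok) and hostname is None and not warnings:
                    warnings.append("can't verify hostname for %s while matching %r" % (ip, tok))
                if client_matches(tok, ip, hostname):
                    return True
        return False

    if first_match(parse_rules(allow_text)):
        return True, warnings
    if first_match(parse_rules(deny_text)):
        return False, warnings
    return True, warnings


# Constructed rule files mirroring the thread: the dynamic-DNS name, the
# office domain, and (as scowles suggests) the ISP's address pool.
HOSTS_ALLOW = """
# dynamic-DNS name: never equals the PTR-derived client name
sshd: myhome.dyndns.example
sshd: .corp.example
"""
HOSTS_ALLOW_WITH_POOL = HOSTS_ALLOW + "sshd: 203.0.113.0/255.255.255.0\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for client in ("203.0.113.45", "203.0.113.99", "198.51.100.7"):
        print(client, check_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", client),
              check_access(HOSTS_ALLOW_WITH_POOL, HOSTS_DENY, "sshd", client))
```

The point the model makes: a name token in hosts.allow is compared against the name obtained by reverse lookup of the connecting address (and only after that name resolves forward to the same address), never against a dynamic-DNS name that merely points at the address. So 203.0.113.45 is refused by the name-only file even though myhome.dyndns.example resolves to it, while the net/mask line for the ISP pool admits it; a client whose PTR does not verify produces the warning and can match nothing but an address or mask entry.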