LinuxQuestions.org
Old 02-01-2024, 11:46 AM   #1
Jason.nix
Member
 
Registered: Feb 2023
Posts: 561

Rep: Reputation: 10
Post Restrict SSH based on MAC address


Hello,
I guess there is no way to limit SSH based on MAC address. I want to connect to a server through SSH protocol on the mobile phone, but the IP address of the mobile phone is dynamic, and on the other hand, I can't open SSH on all IP addresses. What's the solution?

Thank you.
 
Old 02-01-2024, 11:52 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,310
Blog Entries: 3

Rep: Reputation: 3722
I'm not sure what problem you are trying to solve.

If you are worried about people bruteforcing passwords, require an SSH key first before the password:

Code:
AuthenticationMethods publickey,password
If connections via the LAN are to be exempted from the 2FA then use a Match clause.


Or you could instead just go with keys only and turn off passwords completely.
 
3 members found this post helpful.
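Added example (not from the thread and not Turbocapitalist's own config): an sshd drop-in that implements the key-then-password requirement from the post, with a Match block that lets LAN clients skip the password step, plus a small script that writes and checks it. Assumptions: OpenSSH 8.2 or newer with the stock Include of /etc/ssh/sshd_config.d/, 192.168.1.0/24 as the LAN prefix (placeholder), and the user name alice in the sshd -C probe (placeholder). The drop-in is written to a temp dir so the script is safe to run as-is.

```shell
#!/bin/sh
# Added example: two-step SSH auth (key, then password) with a LAN exemption.
# Placeholders: 192.168.1.0/24 (LAN), alice (probe user). Writes to a temp dir.

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"
CONF="$CONF_DIR/50-two-step.conf"

# Write the drop-in. Match blocks must come last: every directive after a
# Match line applies only to connections that match it.
write_sshd_dropin() {
    cat > "$1" <<'EOF'
# Everyone not matched below: key first, then password (two steps).
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password

# LAN clients skip the password step.
Match Address 192.168.1.0/24
    AuthenticationMethods publickey
EOF
}

# Text-only sanity check: exit 0 if the global section requires both methods
# and the Match block requires the key only.
check_sshd_dropin() {
    f="$1"
    global=$(awk '/^Match /{exit} /^AuthenticationMethods/{print $2}' "$f")
    lan=$(awk 'inmatch && /^[ \t]*AuthenticationMethods/{print $2} /^Match /{inmatch=1}' "$f")
    [ "$global" = "publickey,password" ] && [ "$lan" = "publickey" ]
}

# If sshd is installed, ask it for the effective setting for a LAN address and
# for an outside address: -T dumps the parsed config, -C supplies the
# connection parameters that Match blocks are evaluated against.
show_effective_methods() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed, skipping"; return 0; }
    for addr in 192.168.1.10 203.0.113.5; do
        printf '%s: ' "$addr"
        sshd -T -f "$1" -C user=alice,host=phone,addr="$addr" 2>/dev/null \
            | grep -i '^authenticationmethods' || echo "(sshd -T failed, try as root)"
    done
}

write_sshd_dropin "$CONF"
check_sshd_dropin "$CONF" && echo "drop-in OK: $CONF"
show_effective_methods "$CONF"
```

To deploy, copy the generated file into /etc/ssh/sshd_config.d/, run `sshd -t` as root, and keep an existing session open while you restart sshd so a typo cannot lock you out.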
Old 02-01-2024, 12:35 PM   #3
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,855

Rep: Reputation: 7311
I don't understand. I guess the phone is the client that you want to connect to a server from. But probably you need something else.
Can you give us more details?
The MAC address is not directly visible, but I think there is a plugin which can be used. The problem is that the MAC address can be changed in some cases, so you cannot rely on it.
 
Old 02-01-2024, 04:25 PM   #4
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Rep: Reputation: 2750
In addition to what @Turbocapitalist suggests, you could have SSH listening on a non-standard port and use firewall rules to only pass traffic from the address space used by the mobile phone provider.
 
Old 02-01-2024, 05:14 PM   #5
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,448
Blog Entries: 7

Rep: Reputation: 2553
Quote:
Originally Posted by Jason.nix View Post
I guess there is no way to limit SSH based on MAC address. I want to connect to a server through SSH protocol on the mobile phone, but the IP address of the mobile phone is dynamic, and on the other hand, I can't open SSH on all IP addresses. What's the solution?
You're asking lots of interesting questions here!

The problem with MAC filters is that it is very easy to spoof MAC addresses.

This is probably something you've heard before, BUT, my solution to this would be to use OpenVPN on a high/non-standard port. There is a client app for it on Android and iOS. Then use ConnectBot or a similar app on the phone to SSH in.

There are people on here who might disagree with me, but IMO, opening your SSH port to the internet is asking for trouble.
 
Old 02-04-2024, 01:30 PM   #6
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 777

Rep: Reputation: 244
The mobile will be from a set prefix, even if dynamic. Limit from that range. Key-only SSH login on a non-standard port is really all you need unless you are going up against the top agents of the NSA who have zero-days that we don't know about.
 
Old 02-05-2024, 01:08 AM   #7
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,855

Rep: Reputation: 7311
If you want to be really [paranoid] sure, you need to install special software on the given host which can confirm the identity of the device. But I still do not understand what you want to solve here.
 
Old 02-08-2024, 03:40 PM   #8
Jason.nix
Member
 
Registered: Feb 2023
Posts: 561

Original Poster
Rep: Reputation: 10
Hello,
Thank you so much for all replies.
What is your opinion about using iptables:
Code:
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source "MAC Address" -j ACCEPT
 
Old 02-08-2024, 08:09 PM   #9
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Rep: Reputation: 2750
Mobile devices may randomise the MAC address when connecting to different networks as a security and anti-tracking measure. Your setup, your decision.
 
Old 02-09-2024, 03:24 AM   #10
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,310
Blog Entries: 3

Rep: Reputation: 3722
Quote:
Originally Posted by Jason.nix View Post
What is your opinion about using iptables:


Code:
nft add rule inet filter input tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
MAC addresses can be spoofed trivially; some systems even randomize theirs. Such a filter would only work for systems connecting from the same LAN, anyway.

So there is not much point in trying MAC address filtering unless you have a specific use-case in mind, one which actually suits tracking the MAC address.

If you're looking for a second factor for authentication, requiring both an SSH key and a password would be the easiest way.
 
1 members found this post helpful.
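Added example (not from the thread; it is not allend's, jayjwa's or Turbocapitalist's own ruleset): an nftables ruleset that combines the advice in posts #4, #6 and #10, i.e. sshd on a non-standard port, reachable only from the carrier's address range and from the LAN, with the MAC match kept solely for the LAN rule. A pure-shell CIDR check is included so you can confirm the phone's current address (the first field of SSH_CLIENT in an existing session) falls inside the prefix before you load the rules. Placeholders: port 2222, carrier prefix 203.0.113.0/24 (real carriers announce several prefixes; look them up in whois or BGP data), LAN 192.168.1.0/24, and the MAC 00:0f:54:0c:11:04 from the thread.

```shell
#!/bin/sh
# Added example: SSH on a non-standard port, limited by address range.
# Placeholders: SSH_PORT, CARRIER_PREFIX, LAN_PREFIX and the MAC below.
# "ether saddr" is the source MAC of the frame that arrived on the server's
# own interface; for anything that came through a gateway it is the gateway's
# MAC, never the phone's, which is why the MAC match only makes sense on the LAN.

SSH_PORT="${SSH_PORT:-2222}"
CARRIER_PREFIX="${CARRIER_PREFIX:-203.0.113.0/24}"
LAN_PREFIX="${LAN_PREFIX:-192.168.1.0/24}"

# gen_ruleset PORT CARRIER_PREFIX LAN_PREFIX: print an nftables ruleset.
gen_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # carrier range: address-based, works from anywhere on the internet
        ip saddr $2 tcp dport $1 accept
        # LAN only: MAC match is meaningful solely on the same L2 segment
        ip saddr $3 ether saddr 00:0f:54:0c:11:04 tcp dport $1 accept
        # the default port stays closed; the counter makes scans visible
        tcp dport 22 counter drop
    }
}
EOF
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer (POSIX sh arithmetic).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET/BITS: exit 0 if ADDR is inside the prefix.
ip_in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Syntax-check the ruleset without loading it, when nft is available.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, syntax check skipped"; return 0; }
    gen_ruleset "$SSH_PORT" "$CARRIER_PREFIX" "$LAN_PREFIX" | nft -c -f - \
        || echo "nft syntax check failed (may need root)"
}

gen_ruleset "$SSH_PORT" "$CARRIER_PREFIX" "$LAN_PREFIX"
check_ruleset
for probe in 203.0.113.77 198.51.100.9; do
    if ip_in_cidr "$probe" "$CARRIER_PREFIX"; then
        echo "$probe: inside $CARRIER_PREFIX, would be accepted"
    else
        echo "$probe: outside $CARRIER_PREFIX, would be dropped"
    fi
done
```

Load it with `gen_ruleset ... | nft -f -` as root only after the CIDR check passes for the address you are currently connected from, and keep that session open until you have verified a fresh login works.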
Old 02-09-2024, 07:02 AM   #11
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

Rep: Reputation: 2750
If the issue is "I can't open SSH on all IP addresses" then an alternative technique is to have the server initiate the connection and establish a reverse SSH tunnel.
This would require:
1. Maintaining a dynamic IP address for the mobile phone.
2. Being able to manipulate ports on the server that require root privileges.

I used to do this with a script run from cron.
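Added example (not from the thread and not allend's script): a cron-driven keeper for the reverse tunnel described above. The server dials out to a hop host it can always reach and asks that host to listen on a loopback port that forwards back to the server's own sshd; the phone logs in to the hop and then jumps to localhost:2222 (for example with `ssh -J tunnel@tunnel-hop.example.net -p 2222 user@localhost`), so nothing on the server listens to the internet. Assumptions and placeholders: the hop name tunnel-hop.example.net, an unprivileged account tunnel on the hop whose authorized_keys entry carries the options `restrict,port-forwarding,permitlisten="2222"`, a dedicated passphrase-less key at /root/.ssh/tunnel_ed25519, and a crontab line such as `*/5 * * * * /usr/local/bin/reverse_tunnel.sh run` (that is the root-privilege part allend's item 2 refers to, since the script runs as root to reach the key).

```shell
#!/bin/sh
# Added example: keep a reverse SSH tunnel alive from cron.
# Placeholders: HOP_HOST, HOP_USER, HOP_KEY. Run with the verb "run" from cron.

HOP_HOST="${HOP_HOST:-tunnel-hop.example.net}"   # placeholder hop host
HOP_USER="${HOP_USER:-tunnel}"                   # key-only, restricted account on the hop
HOP_KEY="${HOP_KEY:-/root/.ssh/tunnel_ed25519}"  # dedicated key for this job only
REMOTE_PORT="${REMOTE_PORT:-2222}"               # loopback port the hop listens on
LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"           # this server's sshd
PIDFILE="${PIDFILE:-/tmp/reverse_tunnel.pid}"

# Build the ssh argument list. ExitOnForwardFailure makes ssh exit if the hop
# refuses the -R binding (e.g. a stale tunnel still holds the port), so cron
# retries cleanly instead of keeping a useless idle connection. The
# ServerAlive* pair detects a dead link within about a minute. BatchMode and
# StrictHostKeyChecking stop the job from ever waiting on a prompt.
build_tunnel_args() {
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=2 -o BatchMode=yes -o StrictHostKeyChecking=yes -i $HOP_KEY -R $REMOTE_PORT:localhost:$LOCAL_SSH_PORT $HOP_USER@$HOP_HOST"
}

# True if the ssh process recorded in the pid file is still alive.
tunnel_is_up() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

start_tunnel() {
    # shellcheck disable=SC2046  # the argument list is meant to be word-split
    ssh $(build_tunnel_args) &
    echo $! > "$PIDFILE"
}

case "${1:-}" in
    run)  tunnel_is_up || start_tunnel ;;
    show) echo "ssh $(build_tunnel_args)" ;;
    *)    : ;;   # no verb: just define the functions
esac
```

The tunnel binds the hop's loopback only, which is deliberate: exposing port 2222 on the hop's public address (GatewayPorts plus a `0.0.0.0:` bind) would recreate the open-to-the-world sshd the thread is trying to avoid.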
 
Old 02-12-2024, 10:55 AM   #12
Jason.nix
Member
 
Registered: Feb 2023
Posts: 561

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Turbocapitalist View Post


Code:
nft add rule inet filter input tcp dport 22 ether saddr 00:0f:54:0c:11:04 accept
MAC addresses can be spoofed trivially; some systems even randomize theirs. Such a filter would only work for systems connecting from the same LAN, anyway.

So there is not much point in trying MAC address filtering unless you have a specific use-case in mind, one which actually suits tracking the MAC address.

If you're looking for a second factor for authentication, requiring both an SSH key and a password would be the easiest way.
Hello,
Thank you so much for your reply.
How can I make it possible to create only one session from each MAC address? Maybe this can prevent MAC address cloning to some extent.
 
Old 02-12-2024, 11:03 AM   #13
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,855

Rep: Reputation: 7311
Quote:
Originally Posted by Jason.nix View Post
Hello,
Thank you so much for your reply.
How can I make it possible to create only one session from each MAC address? Maybe this can prevent MAC address cloning to some extent.
I'm afraid, no. One given MAC address can only be used once in a network, so MAC address cloning is pointless. But using a random address is possible and you cannot create a filter for that.
 
Old 02-17-2024, 07:00 AM   #14
Jason.nix
Member
 
Registered: Feb 2023
Posts: 561

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by pan64 View Post
I'm afraid, no. One given MAC address can only be used once in a network, so MAC address cloning is pointless. But using a random address is possible and you cannot create a filter for that.
Hello,
Thanks again.
Does this only apply to iptables? Random MAC addresses are useless when you only allow specific MAC addresses to connect.

Last edited by Jason.nix; 02-17-2024 at 07:02 AM.
 
  

