Linux - Software (LinuxQuestions.org): This forum is for Software issues.
Hello,
I guess there is no way to limit SSH based on MAC address. I want to connect to a server through the SSH protocol from the mobile phone, but the IP address of the mobile phone is dynamic, and on the other hand, I can't open SSH on all IP addresses. What's the solution?
I don't understand. I guess the phone is the client you want to connect to a server from. But probably you need something else.
Can you give us more details?
The MAC address is not directly visible, but I think there is a plugin which can be used. The problem is that the MAC address can be changed in some cases; you cannot rely on it.
In addition to what @Turbocapitalist suggests, you could have SSH listening on a non-standard port and use firewall rules to only pass traffic from the address space used by the mobile phone provider.
You're asking lots of interesting questions here!
The problem with MAC filters is that it is very easy to spoof MAC addresses.
This is probably something you've heard before, BUT, my solution to this would be to use OpenVPN on a high/non-standard port. There is a client app for it on Android and iOS. Then use ConnectBot or a similar app on the phone to SSH in.
There are people on here who might disagree with me, but IMO, opening your SSH port to the internet is asking for trouble.
The mobile will be from a set prefix, even if dynamic. Limit from that range. Key-only SSH login on a non-standard port is really all you need unless you are going up against the top agents of the NSA who have zero-days that we don't know about.
If you want to be really [paranoid] sure, you need to install special software on the given host which can confirm the identity of the device. But I still do not understand what you want to solve here.
MAC addresses can be spoofed trivially, some systems even randomize theirs. Such a filter would only work for systems connecting from the same LAN, anyway.
So there's not much point in trying MAC address filtering unless you have a specific use-case in mind, one which actually suits tracking the MAC address.
If you're looking for a second factor for authentication, requiring both an SSH key and a password would be the easiest way.
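The combination recommended in the replies above (non-standard port, firewall limited to the provider's prefix, key plus password as a second factor), as an added example that is not from the thread. The prefix 203.0.113.0/24 and port 2222 are constructed placeholders; cidr_contains lets you confirm the phone's current address falls inside the prefix before the rules go live.

```shell
#!/bin/sh
# Added example (not from the thread): lock sshd to a non-standard port, key
# plus password, and accept that port only from the phone provider's prefix.
# ALLOWED_PREFIX and SSH_PORT are constructed placeholder values.
set -eu

ALLOWED_PREFIX="${ALLOWED_PREFIX:-203.0.113.0/24}"   # replace with the provider's range
SSH_PORT="${SSH_PORT:-2222}"

# Dotted-quad IPv4 to a 32-bit integer, plain sh arithmetic.
ip2int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when IP is inside CIDR. Check the phone's current address with this
# before enabling the rules, so the lockdown cannot cut you off.
cidr_contains() {
  _net=${1%/*}; _bits=${1#*/}
  _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$2") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# sshd drop-in: keys mandatory, password required as the second factor.
# Apply: render_sshd_dropin > /etc/ssh/sshd_config.d/60-phone.conf && sshd -t
render_sshd_dropin() {
  cat <<EOF
Port ${SSH_PORT}
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
EOF
}

# nftables: new connections to the SSH port only from the prefix; other
# sources to that port are dropped. Apply: render_nft_rules | nft -f -
render_nft_rules() {
  cat <<EOF
table inet ssh_guard {
  chain input {
    type filter hook input priority 0; policy accept;
    ip saddr ${ALLOWED_PREFIX} tcp dport ${SSH_PORT} ct state new accept
    tcp dport ${SSH_PORT} ct state new drop
  }
}
EOF
}
```

The sshd drop-in relies on an `Include /etc/ssh/sshd_config.d/*.conf` line at the top of sshd_config (the default on recent Debian/Ubuntu); elsewhere paste the directives into sshd_config directly.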
If the issue is "I can't open SSH on all IP addresses" then an alternative technique is to have the server initiate the connection and establish a reverse SSH tunnel.
This would require:
1. Maintaining a dynamic IP address for the mobile phone.
2. Being able to manipulate ports on the server that require root privileges.
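The server-initiated reverse tunnel from the two points above, as an added example that is not from the thread. It generalizes slightly: the host the server dials out to can be the phone itself (reachable via a dynamic DNS name, point 1) or a small relay box; relay.example.net, the user "tunnel", the ports, the key path and the public key are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): the server opens an outbound SSH
# session to a host the phone can reach and publishes its own sshd there via
# a remote forward, so no inbound SSH port is exposed on the server.
# RELAY_* values, the key path and the public key are placeholders.
set -eu

RELAY_USER="${RELAY_USER:-tunnel}"
RELAY_HOST="${RELAY_HOST:-relay.example.net}"   # phone's DDNS name or a relay box
RELAY_PORT="${RELAY_PORT:-2222}"                # loopback port on the relay; <1024 needs root there
LOCAL_SSHD_PORT="${LOCAL_SSHD_PORT:-22}"
KEY_FILE="${KEY_FILE:-/etc/ssh/tunnel_ed25519}"

# ssh command the server runs: -N (no shell), -R bound to the relay's loopback
# only, fail if the forward cannot be bound, keepalives so a dead tunnel exits
# and gets restarted. The relay's host key must already be in known_hosts.
reverse_tunnel_cmd() {
  printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -R 127.0.0.1:%s:localhost:%s %s@%s' \
    "$KEY_FILE" "$RELAY_PORT" "$LOCAL_SSHD_PORT" "$RELAY_USER" "$RELAY_HOST"
}

# authorized_keys entry for the relay: the tunnel key may do nothing except
# bind this one remote forward (restrict removes pty, agent, X11 and other forwards).
relay_authorized_key() {
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" ssh-ed25519 AAAA_PLACEHOLDER_PUBKEY tunnel-from-server\n' "$RELAY_PORT"
}

# systemd unit so the server re-establishes the tunnel after drops and reboots.
render_systemd_unit() {
  cat <<EOF
[Unit]
Description=Reverse SSH tunnel to ${RELAY_HOST}
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=$(reverse_tunnel_cmd)
Restart=always
RestartSec=15

[Install]
WantedBy=multi-user.target
EOF
}

# Phone side: ssh (key-only) to the relay, then: ssh -p ${RELAY_PORT} user@localhost
```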
Hello,
Thank you so much for your reply.
How can I make it possible to create only one session from each MAC address? Maybe this can prevent MAC address cloning to some extent.
I'm afraid, no. One given MAC address can only be used once in a network, so MAC address cloning is pointless. But using a random address is possible and you cannot create a filter for that.
Hello,
Thanks again.
Does this only apply to iptables? Random MAC addresses are useless when you only allow specific MAC addresses to connect.