
Re: Limiting ssh access: by MAC Address?



On Tue, 3 Jan 2023, Dan Ritter wrote:

> Tom Browder wrote:
> > Is it possible to use UFW to limit ssh access to a server by an external
> > host by its MAC address?
> >
> > I now have a permanent IPv4 address for my home IP router and would like to
> > access my home server from my laptop when away from home, but allow no
> > other external access. Is that possible?
>
> Not via MAC address, no. MAC addresses are only visible inside a
> local area network, and disappear when routing happens to a new
> network.
>
> You should use an SSH public/private key, that you have tested
> before you leave, and you should use something like this in your
> sshd config:
>
> AllowUsers tomb
>
> which will narrow the range of acceptable users (before any
> other user auth happens) to just people who know your username.


This! And further you can set:

cat /etc/ssh/sshd_config.d/no_password.conf
PasswordAuthentication no

and you'll be completely safe from password guessing attacks too.

(you can edit sshd_config rather than snippets in sshd_config.d)

I have keys on multiple devices - I use JuiceSSH mostly but also
ConnectBot on Android devices.

Just make sure your keys are labelled in authorized_keys sensibly. If
you lose a device you want to know which key to remove if there are
lots.
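
An added example, not part of the original message: a POSIX shell check of the three points in this thread (AllowUsers, PasswordAuthentication no, labelled keys), run against constructed sample files. The function names, file contents and key blobs are made up for illustration; it assumes no Match blocks, a single AllowUsers line, and no option value containing a word that starts with a key-type prefix.

```shell
#!/bin/sh
# Added example (not from the thread). All file contents below are constructed.

# Effective value of an sshd_config keyword: sshd keeps the first value it
# reads, so list the files in the order sshd reads them.
effective() {
    kw=$1; shift
    awk -v kw="$kw" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
        tolower($1) == tolower(kw) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$@"
}

# Line numbers of authorized_keys entries with no label after the key blob.
unlabelled_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            for (i = 1; i <= NF; i++)                # find the key-type field
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
            if (i + 1 == NF) print NR                # blob is the last field
        }
    ' "$1"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf '%s\n' 'PasswordAuthentication no' > "$demo_dir/no_password.conf"
cat > "$demo_dir/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
# read after the snippet above, so this "yes" never takes effect
PasswordAuthentication yes
AllowUsers tomb
EOF
cat > "$demo_dir/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDKEY1 laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDKEY2
no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTEDKEY3 phone-juicessh
EOF

echo "PasswordAuthentication: $(effective PasswordAuthentication \
    "$demo_dir/no_password.conf" "$demo_dir/sshd_config")"
echo "AllowUsers: $(effective AllowUsers \
    "$demo_dir/no_password.conf" "$demo_dir/sshd_config")"
echo "unlabelled key lines: $(unlabelled_keys "$demo_dir/authorized_keys")"
```

On a live server, `sshd -T` run as root prints the configuration sshd actually resolved, which is the authoritative check.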


