
Re: Limiting ssh access: by MAC Address?



On Tue, 3 Jan 2023 17:30:48 -0500
Dan Ritter <dsr@randomstring.org> wrote:

> Tom Browder wrote: 
> > Is it possible to use UFW to limit ssh access to a server by an
> > external host by its MAC address?
> > 
> > I now have a permanent IPv4 address for my home IP router and would
> > like to access my home server from my laptop when away from home,
> > but allow no other external access. Is that possible?  
> 
> Not via MAC address, no. MAC addresses are only visible inside a
> local area network, and disappear when routing happens to a new
> network.
> 
> You should use an SSH public/private key, that you have tested
> before you leave, and you should use something like this in your
> sshd config:
> 
> AllowUsers tomb
> 
> which will narrow the range of acceptable users (before any
> other user auth happens) to just people who know your username.
> 
>
Just a slight bit of obvious polish on that: set up a user name
specifically for this, with no link at all to your real name, email
name etc. Use something like a password if you like, (near) random
letters. Also use a long passphrase for the private key, mine is
around thirty characters.

You can also use an unusual port, with either the server accepting ssh
on that port, or the router translating it to 22 when forwarding.
Before anyone puts finger to keyboard, this improves security only
microscopically (though I've only ever been portscanned once in 25
years, I think ISPs frown on it) but it does keep the logs clean, no
small advantage.

-- 
Joe
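
A check for the settings discussed in this thread (AllowUsers limited to a dedicated account, key login, a non-default port), as an added example that is not part of either poster's message. The sample config, account name, port and finding codes are constructed, and flagging password logins is an assumption of the example rather than something the thread states.

```python
import re

# Constructed sample; the account name and port are made up for illustration.
SAMPLE = """\
# sshd_config (constructed)
port 50022
PubkeyAuthentication yes
AllowUsers xq7rlm2v
AllowUsers=backup
allowusers *
Match Address 192.0.2.0/24
    PasswordAuthentication no
"""

MULTI = {"allowusers", "port"}  # repeated lines accumulate for these keywords
DEFAULTS = {"port": ["22"], "allowusers": [],
            "pubkeyauthentication": ["yes"], "passwordauthentication": ["yes"]}

def parse_global(text):
    """Global settings as sshd reads them: case-insensitive keywords,
    'key value' or 'key=value', first value wins unless the keyword accumulates."""
    seen = {}
    for raw in text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*)", raw)
        if not m or not m.group(2).split():
            continue  # blank line, comment, or keyword without arguments
        key, args = m.group(1).lower(), m.group(2).split()
        if key == "match":
            break  # Match blocks are conditional; audit only the global part
        if key in MULTI:
            seen.setdefault(key, []).extend(args)
        else:
            seen.setdefault(key, args)
    return {**DEFAULTS, **seen}

def audit(text):
    """Return (code, message) findings for the points raised in the thread."""
    cfg, out = parse_global(text), []
    users = cfg["allowusers"]
    wild = [u for u in users if set("*?") & set(u.split("@")[0])]
    if not users:
        out.append(("allowusers-unset", "any account may attempt to log in"))
    if wild:
        out.append(("allowusers-wildcard", f"pattern(s) {wild} match many accounts"))
    if cfg["pubkeyauthentication"][0].lower() == "no":
        out.append(("pubkey-off", "key login is disabled"))
    # Assumption of this example, not stated in the thread: key-only login is wanted.
    if cfg["passwordauthentication"][0].lower() != "no":
        out.append(("password-auth-on", "passwords are still accepted"))
    if "22" in cfg["port"]:
        out.append(("default-port", "expect scanner noise in the logs"))
    return out
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative source; this parser only reads the global section of a file.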

