
Re: Limiting ssh access: by MAC Address?



On Tue, 3 Jan 2023 17:06:30 -0500
Tom Browder <tom.browder@gmail.com> wrote:

> Is it possible to use UFW to limit ssh access to a server by an
> external host by its MAC address?
> 
> I now have a permanent IPv4 address for my home IP router and would
> like to access my home server from my laptop when away from home, but
> allow no other external access. Is that possible?
> 

Another thought is to use a VPN.

The normal authentication is by certificates pre-installed on client
machines, again with a passphrase for the private key in case the
laptop gets away from you. I don't even keep the certificate (or ssh
keys) on my laptop; I keep them on a regularly-replaced USB stick in
my pocket, so the loss of either key/certificate or laptop or even both
in different places does not compromise the system. 

I actually use ssh for remote access if I can, but it only allows TCP
forwarding, so I can get to email but not to anything that requires
DNS or UDP. A VPN connection gives full access to all network protocols.
The VPN will have a pre-defined IP address in your private network, so
access can be fine-tuned using a firewall if required. The VPN endpoint
appears in the server as another network interface.

A VPN also allows (fairly) safe access to the Internet from an
untrusted network e.g. public wifi. You phone home and then all Net
access is via your home server. This also helps with some websites'
'security' feature of only allowing access from the IP address you
normally use. It's not just banks, my supermarket does it. The VPN
allows you to appear to use your public IP address from anywhere.

-- 
Joe
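
The firewall fine-tuning mentioned in the reply above, sketched for UFW as an added example that is not part of the original message: SSH is accepted only on the VPN interface, and the only port open to the outside is the VPN listener. The interface name `tun0`, the subnet `10.8.0.0/24` and the listener `1194/udp` are assumed values; substitute the ones your VPN actually uses.

```shell
#!/bin/sh
# Added example: print (or apply) UFW rules that expose SSH only via the VPN.
# Assumed values, not from the original message: tun0, 10.8.0.0/24, 1194/udp.
VPN_IF="${VPN_IF:-tun0}"          # VPN endpoint as seen on the server
VPN_NET="${VPN_NET:-10.8.0.0/24}" # addresses handed to VPN clients
VPN_PORT="${VPN_PORT:-1194/udp}"  # VPN listener reachable from outside
SSH_PORT="${SSH_PORT:-22}"

# Refuse anything that is not a plain interface name, IPv4 CIDR or port,
# so a stray character can never end up inside a command run as root.
valid_inputs() {
    case "$VPN_IF" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case "$VPN_NET" in ''|*[!0-9./]*) return 1 ;; */*) ;; *) return 1 ;; esac
    case "$VPN_PORT" in */udp|*/tcp) ;; *) return 1 ;; esac
    case "${VPN_PORT%/*}" in ''|*[!0-9]*) return 1 ;; esac
    case "$SSH_PORT" in ''|*[!0-9]*) return 1 ;; esac
}

# Emit the rule set, one ufw command per line.
ufw_rules() {
    valid_inputs || { echo "invalid settings" >&2; return 1; }
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow ${VPN_PORT}
ufw allow in on ${VPN_IF} from ${VPN_NET} to any port ${SSH_PORT} proto tcp
EOF
}

# Dry run by default; set APPLY=1 and run as root to execute each rule.
apply_rules() {
    rules=$(ufw_rules) || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then
            $rule
        else
            echo "would run: $rule"
        fi
    done
}

apply_rules
```

Add the rules from a local console or an existing VPN session, since the default-deny policy also closes any SSH port that was previously reachable directly from outside.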

