RE: ssh from public internet and firewalls

From: O'Neill, Donald (US - Deerfield) (dooneill_at_deloitte.com)
Date: 01/19/05

    Date: Tue, 18 Jan 2005 17:40:03 -0600
    To: "General Red Hat Linux discussion list" <redhat-list@redhat.com>


    You are somewhat correct. The MAC option will only work for local
    computers located on the LAN; otherwise your remote connections will use
    the MAC address from the last router hop.

    If you're going to be connecting from a particular subnet on the Internet,
    set up your /etc/hosts.allow, /etc/hosts.deny or iptables to only accept
    connections from a particular subnet.

    -----Original Message-----
    From: redhat-list-bounces@redhat.com
    [mailto:redhat-list-bounces@redhat.com] On Behalf Of Michael Velez
    Sent: Tuesday, January 18, 2005 5:26 PM
    To: redhat-list@redhat.com
    Subject: ssh from public internet and firewalls

    Hello all,

    I have set up sshd on my RHEL 3 box to be able to ssh to it from the
    internet. All rules on the modem, router, and RHEL work fine. However, I
    would like to add a rule to my firewall that only certain MAC addresses can
    actually make a request to sshd, thereby limiting ssh's from the public
    internet to two trusted laptops.

    I have set up my firewall with the MAC address option and have put in the
    MAC addresses of those laptops. The problem is that this works fine when
    the laptops are connecting from within my LAN (i.e. the firewall
    accepts/rejects specific MAC addresses - not a great help there, but I guess
    I'm protected from any devious family member), but it does not work when my
    laptop is connecting from the public internet. Is there a reason? Will the
    MAC address reflect the one from the latest hop; that is, will my Linux box
    only see the router MAC address? There seems to be a MAC option in the
    sshd_config; is that the answer, and how do I use that?

    Also, can I set up two different authentication mechanisms for whether I'm
    logging in from within my LAN or from the internet? There is a HOST keyword
    for the sshd_config file. Can I set up two pseudo-hosts to go verify two
    different identities, with one of the hosts only accepting local IP
    addresses or something else that's local that I can define? The reason I
    ask is that I would rather just have to enter a password or no password
    (with RSA authentication - no passphrase) from within my LAN, but on the
    public internet I would set up authentication with password and RSA
    public/private key with passphrase, and then only allow that from two
    laptops. Is this possible and/or is this overkill?

    Last but not least, I imagine I can change the port on which sshd listens.
    Do I only have to change the relevant line in /etc/services, or is there
    something else I need to look at?

    If somebody can point me in the right direction, or suggest/advise the best
    way of doing this, I would appreciate it. I'll then go figure out the
    details.

    Thanks,

    Michael

    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
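The reply's advice, restricting sshd by source address range instead of by MAC, written out as an added example (this is not code from the thread or from Red Hat). It prints the TCP-wrappers lines for /etc/hosts.allow and /etc/hosts.deny and the equivalent iptables rules rather than applying them, and includes a small pure-shell CIDR check so the same accept/deny decision can be exercised offline. The two subnets are constructed sample values, and it assumes, as on RHEL 3, that sshd is built with libwrap so the hosts.allow/hosts.deny files are honoured.

```shell
#!/bin/sh
# Added example, not code from the redhat-list thread. It shows the two
# mechanisms the reply names, TCP wrappers (/etc/hosts.allow, /etc/hosts.deny)
# and iptables, restricting sshd to an address range rather than a MAC, plus a
# pure-shell CIDR check that mirrors the decision those rules make.
# The subnets below are constructed sample values (assumption), not the
# poster's real networks.

LAN_NET="192.168.1.0/24"      # constructed: the local LAN
TRUSTED_NET="203.0.113.0/24"  # constructed: the remote subnet the laptops use

# ip4_to_int DOTTED: dotted-quad address -> 32-bit integer
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip4 INT: 32-bit integer -> dotted quad
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_mask CIDR: network mask of a.b.c.d/N as a 32-bit integer
cidr_mask() {
    bits=${1#*/}
    echo $(( (4294967295 << (32 - bits)) & 4294967295 ))
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR
in_cidr() {
    mask=$(cidr_mask "$2")
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

# ssh_allowed IP: the decision the rules below encode. A MAC address never
# enters into it: a packet that crossed a router arrives carrying the
# router's MAC, which is why MAC filtering only works on the LAN.
ssh_allowed() {
    in_cidr "$1" "$LAN_NET" || in_cidr "$1" "$TRUSTED_NET"
}

# cidr_to_wrapper CIDR: a.b.c.d/N -> a.b.c.d/m.m.m.m, the net/mask form that
# tcp_wrappers understands (see hosts_access(5))
cidr_to_wrapper() {
    echo "${1%/*}/$(int_to_ip4 "$(cidr_mask "$1")")"
}

# wrapper_rules: contents for the two TCP-wrappers files. hosts.allow is
# consulted first, so the deny-all line only catches what it did not match.
wrapper_rules() {
    printf '# /etc/hosts.allow\nsshd: %s %s\n' \
        "$(cidr_to_wrapper "$LAN_NET")" "$(cidr_to_wrapper "$TRUSTED_NET")"
    printf '# /etc/hosts.deny\nsshd: ALL\n'
}

# iptables_rules: equivalent packet-filter rules, printed rather than applied
# so the script is safe to run anywhere. Order matters: the DROP comes last.
iptables_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport 22 -s $LAN_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $TRUSTED_NET -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

wrapper_rules
iptables_rules
```

Running the script prints the two rule sets; `ssh_allowed 203.0.113.77` succeeds and `ssh_allowed 198.51.100.5` fails, which is the whole of what the firewall can know about a remote peer. Keep both layers: iptables stops the packets before sshd ever sees them, and the hosts.allow entry still applies if a firewall rule is flushed. On the port question in the quoted message, the listening port is set with the `Port` directive in sshd_config, not in /etc/services, and the iptables `--dport` above must be changed to match.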
