[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: ssh from public internet and firewalls



You are somewhat correct. The MAC option will only work for local
computers located on the LAN, otherwise your remote connections will use
the MAC address from the last router hop.  

If your going to be connecting from a particular subnet on the Internet,
setup your /etc/hosts.allow /etc/host.deny or iptables to only accept
connections from a particular subnet. 

-----Original Message-----
From: redhat-list-bounces redhat com
[mailto:redhat-list-bounces redhat com] On Behalf Of Michael Velez
Sent: Tuesday, January 18, 2005 5:26 PM
To: redhat-list redhat com
Subject: ssh from public internet and firewalls

Hello all,

 

I have set up sshd on my RHEL 3 box to be able to ssh to it from the
internet.  All rules on the modem, router, and RHEL work fine.  However,
I
would like to add a rule to my firewall that only certain MAC addresses
can
actually make a request to sshd, thereby limiting ssh's from the public
internet to two trusted laptops.

 

I have set up my firewall with the mac address option and have put in
the
mac addresses of those laptops.  The problem is that this works fine
when
the laptops are connecting from within my LAN (i.e. firewall
accepts/rejects
specific MAC addresses - not a great help there but I guess I'm
protected
from any devious family member) but it does not work when my laptop is
connecting from the public internet?  Is there a reason? Will the MAC
address reflect the one from the latest hop; that is, will my Linux box
only
see the router MAC address?  There seems to be a MAC option in the
sshd_config; is that the answer and how do I use that?

 

Also, can I set up two different authentication mechanisms for whether
I'm
logging in from within my LAN or from the internet?  There is a HOST
keyword
for the sshd_config file.  Can I set up two pseudo-hosts to go verify
two
different identities with one of the hosts only accepting local IP
addresses
or something else that's local that I can define?  The reason I ask is
that
I would rather just have to enter a password or no password (with RSA
authentication - no passphrase) from within my lan but on the public
internet, I would set up an authentication with password and RSA
public/private key with passphrase and then only allow that from two
laptops.  Is this possible and/or is this overkill?

 

Last but not least, I imagine I can change the port on which sshd
listens.
Do I only have to change the relevant line in /etc/services or is there
something else I need to look at?

 

If somebody can point me in the right direction, or suggest/advise the
best
way of doing this, I would appreciate it.  I'll then go figure out the
details.

 

Thanks,

Michael

 

 

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law.  If you are not the intended recipient, you should delete this message.  Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]