ssh from public internet and firewalls

O'Neill, Donald (US - Deerfield) dooneill at deloitte.com
Tue Jan 18 23:40:03 UTC 2005 

You are somewhat correct. The MAC option will only work for local
computers located on the LAN, otherwise your remote connections will use
the MAC address from the last router hop.  

If your going to be connecting from a particular subnet on the Internet,
setup your /etc/hosts.allow /etc/host.deny or iptables to only accept
connections from a particular subnet. 

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Michael Velez
Sent: Tuesday, January 18, 2005 5:26 PM
To: redhat-list at redhat.com
Subject: ssh from public internet and firewalls

Hello all,

 

I have set up sshd on my RHEL 3 box to be able to ssh to it from the
internet.  All rules on the modem, router, and RHEL work fine.  However,
I
would like to add a rule to my firewall that only certain MAC addresses
can
actually make a request to sshd, thereby limiting ssh's from the public
internet to two trusted laptops.

 

I have set up my firewall with the mac address option and have put in
the
mac addresses of those laptops.  The problem is that this works fine
when
the laptops are connecting from within my LAN (i.e. firewall
accepts/rejects
specific MAC addresses - not a great help there but I guess I'm
protected
from any devious family member) but it does not work when my laptop is
connecting from the public internet?  Is there a reason? Will the MAC
address reflect the one from the latest hop; that is, will my Linux box
only
see the router MAC address?  There seems to be a MAC option in the
sshd_config; is that the answer and how do I use that?

 

Also, can I set up two different authentication mechanisms for whether
I'm
logging in from within my LAN or from the internet?  There is a HOST
keyword
for the sshd_config file.  Can I set up two pseudo-hosts to go verify
two
different identities with one of the hosts only accepting local IP
addresses
or something else that's local that I can define?  The reason I ask is
that
I would rather just have to enter a password or no password (with RSA
authentication - no passphrase) from within my lan but on the public
internet, I would set up an authentication with password and RSA
public/private key with passphrase and then only allow that from two
laptops.  Is this possible and/or is this overkill?

 

Last but not least, I imagine I can change the port on which sshd
listens.
Do I only have to change the relevant line in /etc/services or is there
something else I need to look at?

 

If somebody can point me in the right direction, or suggest/advise the
best
way of doing this, I would appreciate it.  I'll then go figure out the
details.

 

Thanks,

Michael

 

 

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law.  If you are not the intended recipient, you should delete this message.  Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

More information about the redhat-list mailing list