
Re: Limiting ssh access: by MAC Address?



On Tue, Jan 3, 2023 at 5:07 PM Tom Browder <tom.browder@gmail.com> wrote:
>
> Is it possible to use UFW to limit ssh access to a server by an external host by its MAC address?
>
> I now have a permanent IPv4 address for my home IP router and would like to access my home server from my laptop when away from home, but allow no other external access. Is that possible?

No, not by filtering MAC or IP addresses since your laptop will be on
a different network. The MAC address you see will most likely be that
of your router. If it's not the router, then it's your firewall placed
behind the router.

If you want strong authentication assurances, then set up
PublicKey-only authentication. I run it on nearly all my machines, and
use it locally and remotely.

Here's what you need. Notice the conf files are placed in sshd/, and
not ssh/. sshd/ is the local server config, and ssh/ is the client
software config.

$ cat /etc/ssh/sshd_config.d/10-pubkey_auth.conf
# Enable public key
PubkeyAuthentication yes
# Disable passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
KerberosOrLocalPasswd no
GSSAPIAuthentication no
UsePAM no

$ cat /etc/ssh/sshd_config.d/20-no_root_login.conf
PermitRootLogin no

If you want to stop unlimited [failed] authentication attempts, then
check out tools like fail2ban.

Jeff
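
Added example (not part of the message above, and not OpenSSH's own code): a small Python check that resolves sshd_config drop-in fragments the way sshd does, keeping the first value obtained for each keyword, and reports which of the settings from the two files are not actually in force. It assumes the Include line for sshd_config.d/ sits at the top of the main sshd_config, so drop-ins are read first in lexical order; the sample file contents and the 05-hypothetical.conf name are constructed.

```python
import re

# Settings the two drop-in files above are meant to enforce (keywords lowercased).
REQUIRED = {
    "pubkeyauthentication": "yes", "passwordauthentication": "no",
    "challengeresponseauthentication": "no", "kerberosauthentication": "no",
    "kerberosorlocalpasswd": "no", "gssapiauthentication": "no",
    "usepam": "no", "permitrootlogin": "no",
}

def effective(files):
    """files: (name, text) pairs in the order sshd reads them.
    Returns {keyword: (value, source)} for the global (non-Match) section."""
    seen = {}
    for name, text in files:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
            if parts[0].lower() == "match":
                break  # conditional blocks are out of scope for this check
            if len(parts) == 2:
                # sshd keeps the first value it obtains for each keyword
                seen.setdefault(parts[0].lower(), (parts[1].strip().lower(), name))
    return seen

def audit(files):
    """List (keyword, wanted, got, source) for each setting that is not enforced.
    An unset keyword is reported too, since the built-in default then applies."""
    eff = effective(files)
    return [(k, want, *eff.get(k, ("<unset>", "-")))
            for k, want in REQUIRED.items()
            if eff.get(k, ("<unset>", "-"))[0] != want]

# Constructed sample input: the two fragments from the message, a main
# sshd_config that enables passwords, and a hypothetical earlier drop-in.
PUBKEY = ("10-pubkey_auth.conf", "# Enable public key\nPubkeyAuthentication yes\n"
          "PasswordAuthentication no\nChallengeResponseAuthentication no\n"
          "KerberosAuthentication no\nKerberosOrLocalPasswd no\n"
          "GSSAPIAuthentication no\nUsePAM no\n")
NOROOT = ("20-no_root_login.conf", "PermitRootLogin no\n")
MAIN = ("sshd_config", "PasswordAuthentication yes\nUsePAM yes\n")
EARLY = ("05-hypothetical.conf", "PasswordAuthentication = yes\n")

if __name__ == "__main__":
    print(audit([PUBKEY, NOROOT, MAIN]))         # drop-ins read first: []
    print(audit([EARLY, PUBKEY, NOROOT, MAIN]))  # the earlier file wins
```

On a running server, `sshd -T` prints the effective configuration and is the authoritative check.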

