On Tue, 3 Jan 2023 17:30:48 -0500 Dan Ritter <d...@randomstring.org> wrote:
> Tom Browder wrote:
> > Is it possible to use UFW to limit ssh access to a server by an
> > external host by its MAC address?
> >
> > I now have a permanent IPv4 address for my home IP router and would
> > like to access my home server from my laptop when away from home,
> > but allow no other external access. Is that possible?
>
> Not via MAC address, no. MAC addresses are only visible inside a
> local area network, and disappear when routing happens to a new
> network.
>
> You should use an SSH public/private key, that you have tested
> before you leave, and you should use something like this in your
> sshd config:
>
> allow_users tomb
>
> which will narrow the range of acceptable users (before any
> other user auth happens) to just people who know your username.

Just a slight bit of obvious polish on that: set up a user name specifically for this, with no link at all to your real name, email name etc. Use something like a password if you like, (near) random letters. Also use a long passphrase for the private key, mine is around thirty characters.

You can also use an unusual port, with either the server accepting ssh on that port, or the router translating it to 22 when forwarding. Before anyone puts finger to keyboard, this improves security only microscopically (though I've only ever been portscanned once in 25 years, I think ISPs frown on it) but it does keep the logs clean, no small advantage.

--
Joe
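As an added example that is not part of the thread: a small POSIX shell audit of an sshd_config file against the posture discussed above (a dedicated AllowUsers account, key-based login, a non-default port), which goes one step further by also checking that password authentication is switched off. It assumes OpenSSH's keyword spellings (the directive is AllowUsers) and OpenSSH's rule that the first value of a keyword wins; the two sample configs and the account name xq7vbn are constructed for the demonstration.

```shell
# Added example, not from the thread. Assumes OpenSSH sshd_config keyword
# names (the directive is spelled AllowUsers, not allow_users) and OpenSSH's
# rule that the FIRST value given for a keyword is the one used.
# Effective value of a keyword in an sshd_config file: comments skipped,
# case-insensitive, first match wins, Match blocks ignored for brevity.
sshd_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        !seen && tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); val = $0; seen = 1 }
        END { print val }
    ' "$1"
}
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
# Audit one file against the posture the reply describes: a dedicated
# AllowUsers account, key-only login, optionally a non-default port.
# Returns 0 when nothing is wrong, 1 otherwise, printing one line per finding.
audit_sshd_config() {
    f="$1"; rc=0
    [ -n "$(sshd_value "$f" AllowUsers)" ] ||
        { echo "FINDING: no AllowUsers line, so every local account accepts login attempts"; rc=1; }
    [ "$(lower "$(sshd_value "$f" PasswordAuthentication)")" = "no" ] ||
        { echo "FINDING: PasswordAuthentication not set to no (OpenSSH default is yes)"; rc=1; }
    pk=$(sshd_value "$f" PubkeyAuthentication)
    [ "$(lower "${pk:-yes}")" = "yes" ] ||
        { echo "FINDING: PubkeyAuthentication disabled, so key login is impossible"; rc=1; }
    port=$(sshd_value "$f" Port)
    [ "${port:-22}" != "22" ] ||
        echo "NOTE: listening on 22; a non-default port only keeps the logs quieter"
    return "$rc"
}
# Constructed sample configs: a distro-default file and a tightened one.
weak=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT
cat > "$weak" <<'EOF'
#PasswordAuthentication yes
Port 22
EOF
cat > "$hardened" <<'EOF'
Port 2222
AllowUsers xq7vbn
PasswordAuthentication no
PubkeyAuthentication yes
EOF
audit_sshd_config "$weak" || echo "weak config: not acceptable"
audit_sshd_config "$hardened" && echo "hardened config: acceptable"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`; `sshd -T` prints the fully resolved configuration if you want to cross-check a file that uses Match blocks.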