I would like to be able to filter SSH connections on the basis of
specific devices. That is, if the connection comes from a given device D
then it is accepted, otherwise it is rejected.
The thing is, what property of D can be used for this purpose?
Not the IP address when D is a mobile device. Also not the MAC address,
for this concept is not contemplated in cellular networks.
What could one possibly use?
Given that neither MAC nor IP address are acceptable filters for you,
the next step up from that is the encryption key used for the SSH interaction. SSH can (and mostly does) use specific, shared keys to
govern the validity (authenticity and authority) of connections.
I suggest that you use the already in-place SSH key management as
your filter criteria.
I would like to be able to filter SSH connections on the basis of
specific devices. That is, if the connection comes from a given device
D then it is accepted, otherwise it is rejected.
The thing is, what property of D can be used for this purpose?
Not the IP address when D is a mobile device. Also not the MAC address,
for this concept is not contemplated in cellular networks.
What could one possibly use?
I would like to be able to filter SSH connections on the basis of
specific devices. That is, if the connection comes from a given device
D then it is accepted, otherwise it is rejected.
The thing is, what property of D can be used for this purpose? Not
the IP address when D is a mobile device. Also not the MAC address,
for this concept is not contemplated in cellular networks.
What could one possibly use?
I took the OP's comment to be in the spirit of wanting to avoid Internet Background Radiation noise of various things knocking on the SSH
daemon's port, be it 22 or otherwise.
The goal is to make sure that a given physical device can ssh into
the server no matter what network that device is trying to do so,
bearing in mind that there may be iptables rules in place that put limitations on incoming ssh connections.
The obvious approach would be to use some non-standard port for ssh connections in the server, known to the server and the target client
alone,
but I wonder whether some feature intrinsic to the client could be
used instead so that the standard port can be used.
You can't use the IP address of a road warrior machine, and MAC
addresses are implicitly only available on the LAN.
Please clarify if you are trying to reduce log noise from IBR or if you
are just trying to make sure that the client machine in question can authenticate and log in (presuming no intermediate filtering).
On Wed, 08 Sep 2021 10:32:44 -0600, Grant Taylor wrote:
You can't use the IP address of a road warrior machine, and MAC
addresses are implicitly only available on the LAN.
Please clarify if you are trying to reduce log noise from IBR or if you
are just trying to make sure that the client machine in question can
authenticate and log in (presuming no intermediate filtering).
A mix of both, I guess. In the extreme I case, I would like to guarantee that my roaming device can always ssh into my server, no matter where the former is attempting to do so from. In a more realistic
setting, I am OK letting other people try, as long as they are not trying
to brute-force their way into my system, in which case I would block them completely. This latter aspect is already covered - the sticking issue is
to make sure that my roaming device can always make it.
I am not inclined to use a non-standard port, pretty much for the reasons you mentioned. I am also not so keen on a VPN, for it is a bit painful to set up and manage. Plus, it is slower.
A mix of both, I guess. In the extreme I case, I would like to
guarantee that my roaming device can always ssh into my server,
no matter where the former is attempting to do so from. In a more
realistic setting, I am OK letting other people try, as long as they
are not trying to brute-force their way into my system, in which case
I would block them completely. This latter aspect is already covered -
the sticking issue is to make sure that my roaming device can always
make it.
I am not inclined to use a non-standard port, pretty much for the
reasons you mentioned. I am also not so keen on a VPN, for it is a
bit painful to set up and manage. Plus, it is slower.
I would like to be able to filter SSH connections on the basis of specific devices. That is, if the connection comes from a given device D
then it is accepted, otherwise it is rejected.
The thing is, what property of D can be used for this purpose?
Not the IP address when D is a mobile device. Also not the MAC address,
for this concept is not contemplated in cellular networks.
What could one possibly use?
On 9/8/21 8:41 AM, Clark Smith wrote:
The goal is to make sure that a given physical device can ssh into
the server no matter what network that device is trying to do so,
bearing in mind that there may be iptables rules in place that put
limitations on incoming ssh connections.
Remember that you have no control over restrictions imposed by other networks. You can only influence the things on the network(s) /
system(s) that you control. Meaning that there's between exceedingly
little and nothing that you can do if some intermediate network filters
the traffic.
The obvious approach would be to use some non-standard port for ssh
connections in the server, known to the server and the target client
alone,
Using a different port will not prevent other clients from finding the
SSH daemon and trying to log in. There are 65,535 ports. That's not a
big number to search. There are easy ~> automatable ways to search it.
Using a different, non-default, port will reduce the noise in logs. But
it won't stop the noise in logs.
but I wonder whether some feature intrinsic to the client could be
used instead so that the standard port can be used.
You can't use the IP address of a road warrior machine, and MAC
addresses are implicitly only available on the LAN.
Please clarify if you are trying to reduce log noise from IBR or if you
are just trying to make sure that the client machine in question can authenticate and log in (presuming no intermediate filtering).
Sue it will. If the "noise" goes from 100 a day to 1 per year, I would
say that is stopping the noise in the logs.
On 9/8/21 11:19 PM, William Unruh wrote:
Sue it will. If the "noise" goes from 100 a day to 1 per year, I would
say that is stopping the noise in the logs.
A 100 to 1 /reduction/ is not the same as /stopping/ the noise. 100 to
0 is stopping the noise.
There will still be /some/ noise, just at a much lower rate.
This is the difference between "could care less" (you do care some) and "couldn't care less" (you don't care any).
On 9/8/21 11:19 PM, William Unruh wrote:
Sue it will. If the "noise" goes from 100 a day to 1 per year, I would
say that is stopping the noise in the logs.
A 100 to 1 /reduction/ is not the same as /stopping/ the noise. 100 to
0 is stopping the noise.
There will still be /some/ noise, just at a much lower rate.
This is the difference between "could care less" (you do care some) and "couldn't care less" (you don't care any).
On 2021-09-09, Grant Taylor <gtaylor@tnetconsulting.net> wrote:
This is the difference between "could care less" (you do care some)
and "couldn't care less" (you don't care any).
Another person who rails against Englich idioms.
And there is ALWAYS noise of some sort.
On 9/10/21 7:21 PM, William Unruh wrote:
And there is ALWAYS noise of some sort.
There's not noise once you put the server behind port knocking / single packet authorization / VPN. If the Internet at large can't get to the server, they can't cause noise in the logs.
On 11.09.2021 at 01:21, William Unruh scribbled:
On 2021-09-09, Grant Taylor <gtaylor@tnetconsulting.net> wrote:
This is the difference between "could care less" (you do care some)
and "couldn't care less" (you don't care any).
Another person who rails against Englich idioms.
There's a difference between an idiom and the misuse of language. The
latter leads to many more problems in communication than the former,
and especially in a world where not everyone speaks English.
One would therefore assume -- sadly, wrongfully so -- that those who
speak English natively would at the very least do so correctly. ;)
Or let me put it this way...: you wouldn't be so forgiving of
sloppiness in the mathematical equations of your students either. ;)
Sure it can. That port knocking/single packet authorization/VPN
produce lots of entries in the logs as well,
entries whichwould not be there, which are noise, if youdid not
use them.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 296 |
Nodes: | 16 (2 / 14) |
Uptime: | 56:35:10 |
Calls: | 6,652 |
Calls today: | 4 |
Files: | 12,200 |
Messages: | 5,330,869 |