On Tue, Jan 3, 2023 at 5:07 PM Tom Browder <tom.brow...@gmail.com> wrote:
>
> Is it possible to use UFW to limit ssh access to a server by an external host
> by its MAC address?
>
> I now have a permanent IPv4 address for my home IP router and would like to
> access my home server from my laptop when away from home, but allow no other
> external access. Is that possible?

No, not by filtering MAC or IP addresses since your laptop will be on a different network. The MAC address you see will most likely be that of your router. If it's not the router, then it's your firewall placed behind the router.

If you want strong authentication assurances, then set up PublicKey-only authentication. I run it on nearly all my machines, and use it locally and remotely.

Here's what you need. Notice the conf files are placed in sshd/, and not ssh/. sshd/ is the local server config, and ssh/ is the client software config.

$ cat /etc/ssh/sshd_config.d/10-pubkey_auth.conf
# Enable public key
PubkeyAuthentication yes

# Disable passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
KerberosOrLocalPasswd no
GSSAPIAuthentication no
UsePAM no

$ cat /etc/ssh/sshd_config.d/20-no_root_login.conf
PermitRootLogin no

If you want to stop unlimited [failed] authentication attempts, then check out tools like fail2ban.

Jeff
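
Added example (not part of Jeff's message): a check that the settings from the two drop-in files are the ones sshd actually uses, since files under sshd_config.d/ only apply when sshd_config includes that directory. It reads text in the format printed by `sshd -T`; the function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare effective sshd settings with the drop-ins in the reply.
# Input format is that of `sshd -T`: lowercase keyword, a space, then the value.

# Expected values, copied from the two drop-in files quoted above.
EXPECTED="pubkeyauthentication=yes passwordauthentication=no \
challengeresponseauthentication=no kbdinteractiveauthentication=no \
kerberosauthentication=no kerberosorlocalpasswd=no \
gssapiauthentication=no usepam=no permitrootlogin=no"

# audit_sshd: read effective config on stdin, print one line per finding,
# return 0 if every reported keyword matches and 1 otherwise.
audit_sshd() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pair, " ")
            for (i = 1; i <= n; i++) { split(pair[i], kv, "="); name[i] = kv[1]; want[kv[1]] = kv[2] }
        }
        { k = tolower($1); if (!(k in got)) got[k] = tolower($2) }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = name[i]
                # Assumption: a keyword this build does not print is skipped, not failed.
                if (!(k in got)) { print "SKIP " k " (not reported)"; continue }
                if (got[k] != want[k]) { print "FAIL " k " is " got[k] ", expected " want[k]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample: output when both drop-ins are in effect.
sample_hardened() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' 'passwordauthentication no' \
        'kbdinteractiveauthentication no' 'kerberosauthentication no' \
        'kerberosorlocalpasswd no' 'gssapiauthentication no' 'usepam no' \
        'permitrootlogin no'
}

# Constructed sample: output when the drop-in directory is not included.
sample_defaults() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' 'passwordauthentication yes' \
        'kbdinteractiveauthentication yes' 'usepam yes' 'permitrootlogin without-password'
}

# On a live server, as root: sshd -T | audit_sshd
sample_defaults | audit_sshd || echo "effective config deviates from the drop-ins"
```

Run `sshd -t` before restarting the daemon and keep an existing session open until a key-based login has succeeded in a second one.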