
Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=130&group=comp.os.linux.networking#130

From: 123...@whatismyemailaddress.xyz (John Smith)
Newsgroups: comp.os.linux.networking
Subject: Connecting to an SSH server from the external world
Date: Fri, 28 May 2021 21:31:30 +0000 (UTC)
Organization: Aioe.org NNTP Server
Message-ID: <s8rnfh$qp2$1@gioia.aioe.org>
 by: John Smith - Fri, 28 May 2021 21:31 UTC

I have the following problem:

I would like to be able to connect from my laptop to my SSH
server in my internal network, no matter where the laptop may be.
However, my SSH server accepts connections from specific IP addresses -
those to do with work - and rejects all others.

The problem is that I will often try to connect from my laptop
when it is using an Internet feed that is not the one at work. Is there
anything I can do at the laptop so that when it tries to connect to my
SSH server, the connection will be accepted?

The obvious solution would be to have an SSH server listening on
a non-standard port, for this specific purpose. However, I would prefer
to use a solution that requires no changes in my SSH server - only in the
client in my laptop. Any ideas?

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=133&group=comp.os.linux.networking#133

From: unr...@invalid.ca (William Unruh)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Fri, 28 May 2021 22:28:22 -0000 (UTC)
Organization: A noiseless patient Spider
Message-ID: <s8rqq6$gq$1@dont-email.me>
References: <s8rnfh$qp2$1@gioia.aioe.org>
 by: William Unruh - Fri, 28 May 2021 22:28 UTC

On 2021-05-28, John Smith <12345@whatismyemailaddress.xyz> wrote:
> I have the following problem:
>
> I would like to be able to connect from my laptop to my SSH
> server in my internal network, no matter where the laptop may be.
> However, my SSH server accepts connections from specific IP addresses -
> those to do with work - and rejects all others.

Let's see, that ssh server (Is it really yours-- ie do you own it-- or is
it your company's) has security on it to only accept connections from
the company network and you want instead to connect from anywhere, which
means that anyone can connect from anywhere.
Remove the condition that ssh can only connect from work IP
addresses. Or would this be against company policy?

>
> The problem is that I will often try to connect from my laptop
> when it is using an Internet feed that is not the one at work. Is there
> anything I can do at the laptop so that when it tries to connect to my
> SSH server, the connection will be accepted?
>
> The obvious solution would be to have an SSH server listening on
> a non-standard port, for this specific purpose. However, I would prefer
> to use a solution that requires no changes in my SSH server - only in the
> client in my laptop. Any ideas?
>

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=134&group=comp.os.linux.networking#134

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Fri, 28 May 2021 16:36:03 -0600
Organization: TNet Consulting
Message-ID: <s8rrd8$8uc$1@tncsrv09.home.tnetconsulting.net>
References: <s8rnfh$qp2$1@gioia.aioe.org>
 by: Grant Taylor - Fri, 28 May 2021 22:36 UTC

On 5/28/21 3:31 PM, John Smith wrote:
> I would like to be able to connect from my laptop to my SSH server
> in my internal network, no matter where the laptop may be. However,
> my SSH server accepts connections from specific IP addresses - those
> to do with work - and rejects all others.

I can't tell if the enforcement / filtering of specific IP addresses is
done on the SSH server and / or something between the SSH server and the
Internet.

Is the SSH server running on the router or something downstream / inside
of the router?

> The problem is that I will often try to connect from my laptop when
> it is using an Internet feed that is not the one at work. Is there
> anything I can do at the laptop so that when it tries to connect to
> my SSH server, the connection will be accepted?

You're asking if there is something that a client can do to defeat the
security that a server has in place. I would certainly hope not.

That being said, you can probably make some minor modifications to your
server and your client to allow them to talk.

You can probably also ssh from your client to a work system and then ssh
from there to your home system so that your home system sees your work
IP and allows the connection with the existing filtering / enforcement.

> The obvious solution would be to have an SSH server listening on
> a non-standard port, for this specific purpose.

Obscurity is not security in and of itself. Many things will find SSH
servers on alternate ports on the Internet.

> However, I would prefer to use a solution that requires no changes
> in my SSH server - only in the client in my laptop. Any ideas?

You really want something that requires you make a change, likely small,
to the ssh server and / or router connecting it to the Internet. Then
you make a similar change to your client to dock with the ssh server.

Port knocking and VPNs come to mind.

One thing that comes to mind is making your ssh server available via a
Tor hidden service (with strict security requirements). Tor has the
advantage of being able to reach out to systems on the Internet and
rendezvous without needing to poke holes in firewalls.

I'm sure that there are other VPNs that can do similar. I'm just not
familiar with them.

You can also make changes to your ssh server / router that it's behind to
enable the client to connect and communicate with some form of
authentication. This is also frequently the realm of VPN / port
knocking / single packet authorization.

But you *REALLY* want to have to do /something/ on the SSH server /
router to say that clients with a very specific behavior are allowed in.
If clients could make a change and bypass your security without the
SSH server / router blessing it ... that would be a security fail.

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=135&group=comp.os.linux.networking#135

From: h_hucke+...@newsmail.aeon.icebear.org (Henning Hucke)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 07:17:52 -0000 (UTC)
Organization: aeon: think longer than you thought before
Message-ID: <slrnsb3ql0.9a0.h_hucke+spam.news@romulus.aeon.icebear.cloud>
References: <s8rnfh$qp2$1@gioia.aioe.org>
 by: Henning Hucke - Sat, 29 May 2021 07:17 UTC

On 2021-05-28, John Smith <12345@whatismyemailaddress.xyz> wrote:

Hi John (Yeah! "John" is certainly your name. Isn't it?).

> I have the following problem:

Ever heard about port knock client and server?

You would have to install a knockd on your server and use a knock client
on your laptop. This way you explicitly open your firewall for a short
period to establish a connection and then close it again.

Best regards.
--
Can't open /usr/fortunes. Lid stuck on cookie jar.
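
What Henning describes, as an added example rather than anything posted in the thread: a knockd configuration that opens port 22 briefly and only for the address that knocked, on top of a baseline firewall that still admits the work networks. The knock sequence, work networks, interface and host names are assumed placeholders; the start_command/cmd_timeout/stop_command keywords are knockd's own configuration format.

```shell
#!/bin/sh
# Added example (not from the thread): server side of the port-knocking scheme
# plus the matching client command. Assumes knockd (package "knockd", which also
# ships the "knock" client) and iptables. Work networks, knock sequence, interface
# and host names are constructed placeholders. Without the "apply" argument the
# script only prints what it would do.
set -eu

WORK_NETS="198.51.100.0/24 203.0.113.0/24"  # constructed: always allowed to port 22
KNOCK_SEQ="7000,8000,9000"                  # constructed: choose your own, keep it private
IFACE="eth0"                                # constructed: the Internet-facing interface
CONF="${KNOCKD_CONF:-/etc/knockd.conf}"

# knockd configuration: a correct sequence from address %IP% inserts a rule
# admitting only that address to port 22; cmd_timeout seconds later knockd
# removes the rule again. The session set up in between survives because of
# the conntrack rule in baseline_rules.
knockd_conf() {
    cat <<EOF
[options]
    UseSyslog
    Interface = ${IFACE}

[openSSH]
    sequence      = ${KNOCK_SEQ}
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

# Baseline firewall: keep established sessions, keep the work allow-list, drop
# every other SYN to port 22. knockd still sees the knocks because it sniffs
# the interface with libpcap instead of listening on the knocked ports.
baseline_rules() {
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in $WORK_NETS; do
        echo "iptables -A INPUT -s $net -p tcp --dport 22 -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# What the laptop runs: knock, then connect within the cmd_timeout window.
client_command() {
    echo "knock -d 200 home.example.net $(echo "$KNOCK_SEQ" | tr , ' ') && ssh jsmith@home.example.net"
}

main() {
    case "${1:-dry-run}" in
        apply)
            knockd_conf > "$CONF"
            baseline_rules | while read -r rule; do $rule; done
            ;;
        *)
            echo "# would write to $CONF:"; knockd_conf
            echo "# would run:";            baseline_rules
            echo "# on the laptop:";        client_command
            ;;
    esac
}
main "$@"
```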

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=136&group=comp.os.linux.networking#136

From: inva...@invalid.invalid (Richard Kettlewell)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 08:55:02 +0100
Organization: terraraq NNTP server
Message-ID: <87pmxavusp.fsf@LkoBDZeT.terraraq.uk>
References: <s8rnfh$qp2$1@gioia.aioe.org>
 by: Richard Kettlewell - Sat, 29 May 2021 07:55 UTC

John Smith <12345@whatismyemailaddress.xyz> writes:
> I have the following problem:
>
> I would like to be able to connect from my laptop to my SSH
> server in my internal network, no matter where the laptop may be.
> However, my SSH server accepts connections from specific IP addresses -
> those to do with work - and rejects all others.

The solution is to remove this restriction.

> The problem is that I will often try to connect from my laptop
> when it is using an Internet feed that is not the one at work. Is there
> anything I can do at the laptop so that when it tries to connect to my
> SSH server, the connection will be accepted?

SSH from the laptop to work, if that’s allowed, and within that SSH from
work to your internal network.

Otherwise, no, there’s nothing you can do with the laptop alone.

--
https://www.greenend.org.uk/rjk/
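
The hop that Grant and Richard both describe, as an added example and not code from either post: an ssh client configuration so the laptop reaches the home server through a work host, which is the address the home filter sees. Host names, user name and key paths are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): client-side configuration for the route
# laptop -> work host -> home server. Host names, user names and key paths are
# constructed placeholders.
set -eu

WORK_GW="gateway.work.example"   # constructed: a work host you may SSH into
HOME_PUB="home.example.net"      # constructed: public name or IP of the home router
USER_NAME="jsmith"               # constructed

# Render the two ~/.ssh/config stanzas. With ProxyJump the laptop logs in to the
# work host and asks it to forward a TCP connection to the home server, so the
# home router sees the work host's address and the existing IP filter admits the
# connection unchanged. The inner session stays encrypted end to end between
# laptop and home server: the work host relays ciphertext and never holds the
# key for the home account.
render_ssh_config() {
    cat <<EOF
Host work
    HostName ${WORK_GW}
    User ${USER_NAME}
    IdentityFile ~/.ssh/id_ed25519_work

Host home
    HostName ${HOME_PUB}
    Port 22
    User ${USER_NAME}
    ProxyJump work
    IdentityFile ~/.ssh/id_ed25519_home
EOF
}

# Append the stanzas to the given config file (default ~/.ssh/config), refusing
# to duplicate an existing "Host home" entry, and keep the file owner-only.
install_ssh_config() {
    cfg="${1:-${HOME:-.}/.ssh/config}"
    mkdir -p "$(dirname "$cfg")"
    if [ -f "$cfg" ] && grep -q '^Host home$' "$cfg"; then
        echo "Host home is already defined in $cfg; not touching it" >&2
        return 1
    fi
    render_ssh_config >> "$cfg"
    chmod 600 "$cfg"
}

# "show" prints the stanzas, "install [path]" appends them. Afterwards
# "ssh home" does the whole hop (the same as the one-liner "ssh -J work home").
case "${1:-show}" in
    install) install_ssh_config "${2:-}" ;;
    *)       render_ssh_config ;;
esac
```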

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=137&group=comp.os.linux.networking#137

From: lsod...@home.net.it (Giovanni)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 11:01:59 +0200
Organization: G.Falzoni Home Network
Message-ID: <s8svu8$96r$1@milena.home.net.it>
References: <s8rnfh$qp2$1@gioia.aioe.org>
 by: Giovanni - Sat, 29 May 2021 09:01 UTC

On 05/28/2021 11:31 PM, John Smith wrote:

> The problem is that I will often try to connect from my laptop when
> it is using an Internet feed that is not the one at work. Is there
> anything I can do at the laptop so that when it tries to connect to
> my SSH server, the connection will be accepted?

To overcome this problem I installed openvpn both on the server and on
several clients. Each user has his own certificate and as long as you
start the private connection you will be able to connect via ssh from
anywhere.

Ciao
Giovanni
--
A computer is like an air conditioner,
it stops working when you open Windows.
< http://giovanni.homelinux.net/ >

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=138&group=comp.os.linux.networking#138

From: 123...@whatismyemailaddress.xyz (John Smith)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 14:38:16 +0000 (UTC)
Organization: Aioe.org NNTP Server
Message-ID: <s8tjko$1fld$1@gioia.aioe.org>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8rqq6$gq$1@dont-email.me>
 by: John Smith - Sat, 29 May 2021 14:38 UTC

On Fri, 28 May 2021 22:28:22 +0000, William Unruh wrote:

> On 2021-05-28, John Smith <12345@whatismyemailaddress.xyz> wrote:
>> I have the following problem:
>>
>> I would like to be able to connect from my laptop to my SSH
>> server in my internal network, no matter where the laptop may be.
>> However, my SSH server accepts connections from specific IP addresses -
>> those to do with work - and rejects all others.
>
> Let's see, that ssh server (Is it really yours-- ie do you own it-- or is
> it your company's) has security on it to only accept connections from
> the company network and you want instead to connect from anywhere, which
> means that anyone can connect from anywhere.
> Remove the condition that ssh can only connect from work IP
> addresses. Or would this be against company policy?

The server is my own - I can modify it as I wish.

What I am asking is whether things could be arranged so that
specific clients - as in running on specific hardware - could connect
from anywhere, whereas any other clients cannot, unless they come from
specific IP addresses. I guess that one could use the client's MAC
address, but I don't know how.

>
>
>> The problem is that I will often try to connect from my laptop
>> when it is using an Internet feed that is not the one at work. Is there
>> anything I can do at the laptop so that when it tries to connect to my
>> SSH server, the connection will be accepted?
>>
>> The obvious solution would be to have an SSH server listening on
>> a non-standard port, for this specific purpose. However, I would prefer
>> to use a solution that requires no changes in my SSH server - only in
>> the client in my laptop. Any ideas?
>>

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=139&group=comp.os.linux.networking#139

From: 123...@whatismyemailaddress.xyz (John Smith)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 14:42:47 +0000 (UTC)
Organization: Aioe.org NNTP Server
Message-ID: <s8tjt6$1fld$2@gioia.aioe.org>
References: <s8rnfh$qp2$1@gioia.aioe.org>
<s8rrd8$8uc$1@tncsrv09.home.tnetconsulting.net>
 by: John Smith - Sat, 29 May 2021 14:42 UTC

On Fri, 28 May 2021 16:36:03 -0600, Grant Taylor wrote:

> On 5/28/21 3:31 PM, John Smith wrote:
>> I would like to be able to connect from my laptop to my SSH server in
>> my internal network, no matter where the laptop may be. However,
>> my SSH server accepts connections from specific IP addresses - those to
>> do with work - and rejects all others.
>
> I can't tell if the enforcement / filtering of specific IP addresses is
> done on the SSH server and / or something between the SSH server and the
> Internet.
>
> Is the SSH server running on the router or something downstream / inside
> of the router?

Downstream. The router just forwards connections on port 22 to
the appropriate system in my network.

>> The problem is that I will often try to connect from my laptop when it
>> is using an Internet feed that is not the one at work. Is there
>> anything I can do at the laptop so that when it tries to connect to my
>> SSH server, the connection will be accepted?
>
> You're asking if there is something that a client can do to defeat the
> security that a server has in place. I would certainly hope not.

What I am asking is whether the server could allow connections in
selectively on the basis of some piece of information unique to hardware
that the client is running on - like e.g. its MAC address.

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=140&group=comp.os.linux.networking#140

Subject: Re: Connecting to an SSH server from the external world
Newsgroups: comp.os.linux.networking
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8rqq6$gq$1@dont-email.me>
<s8tjko$1fld$1@gioia.aioe.org>
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Sat, 29 May 2021 17:19:19 +0200
Message-ID: <60b25b77$0$3273$426a34cc@news.free.fr>
Organization: Guest of ProXad - France
 by: Pascal Hambourg - Sat, 29 May 2021 15:19 UTC

On 29/05/2021 at 16:38, John Smith wrote:
>
> I guess that one could use the client's MAC address

No. A MAC address can be forged easily and is visible only on the same
LAN, not across an internet.

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=141&group=comp.os.linux.networking#141

From: unr...@invalid.ca (William Unruh)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 15:27:34 -0000 (UTC)
Organization: A noiseless patient Spider
Message-ID: <s8tmh5$uhk$1@dont-email.me>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8rqq6$gq$1@dont-email.me>
<s8tjko$1fld$1@gioia.aioe.org>
 by: William Unruh - Sat, 29 May 2021 15:27 UTC

On 2021-05-29, John Smith <12345@whatismyemailaddress.xyz> wrote:
> On Fri, 28 May 2021 22:28:22 +0000, William Unruh wrote:
>
>> On 2021-05-28, John Smith <12345@whatismyemailaddress.xyz> wrote:
>>> I have the following problem:
>>>
>>> I would like to be able to connect from my laptop to my SSH
>>> server in my internal network, no matter where the laptop may be.
>>> However, my SSH server accepts connections from specific IP addresses -
>>> those to do with work - and rejects all others.
>>
>> Let's see, that ssh server (Is it really yours-- ie do you own it-- or is
>> it your company's) has security on it to only accept connections from
>> the company network and you want instead to connect from anywhere, which
>> means that anyone can connect from anywhere.
>> Remove the condition that ssh can only connect from work IP
>> addresses. Or would this be against company policy?
>
> The server is my own - I can modify it as I wish.
>
> What I am asking is whether things could be arranged so that
> specific clients - as in running on specific hardware - could connect
> from anywhere, whereas any other clients cannot, unless they come from
> specific IP addresses. I guess that one could use the client's MAC
> address, but I don't know how.

None of that information is transmitted in trying to set up the
connection. It would be insecure to do so, handing out far too much
information to the whole world. As has been mentioned you could try port
knocking-- still not terribly secure but it depends on the level of
adversary you are protecting from. You could also just change your ssh
port number since most ssh attacks use the standard ssh ports.
>
>
>>
>>
>>> The problem is that I will often try to connect from my laptop
>>> when it is using an Internet feed that is not the one at work. Is there
>>> anything I can do at the laptop so that when it tries to connect to my
>>> SSH server, the connection will be accepted?
>>>
>>> The obvious solution would be to have an SSH server listening on
>>> a non-standard port, for this specific purpose. However, I would prefer
>>> to use a solution that requires no changes in my SSH server - only in
>>> the client in my laptop. Any ideas?
>>>
>

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=142&group=comp.os.linux.networking#142

From: 123...@whatismyemailaddress.xyz (John Smith)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 16:27:38 +0000 (UTC)
Organization: Aioe.org NNTP Server
Message-ID: <s8tq1q$g2i$1@gioia.aioe.org>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8rqq6$gq$1@dont-email.me>
<s8tjko$1fld$1@gioia.aioe.org> <60b25b77$0$3273$426a34cc@news.free.fr>
 by: John Smith - Sat, 29 May 2021 16:27 UTC

On Sat, 29 May 2021 17:19:19 +0200, Pascal Hambourg wrote:

> On 29/05/2021 at 16:38, John Smith wrote:
>>
>> I guess that one could use the client's MAC address
>
> No. A MAC address can be forged easily and is visible only on the same
> LAN, not across an internet.

Yes, if that information is transferred in the clear then this
approach would be a no-no. Thanks.

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=144&group=comp.os.linux.networking#144

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 18:44:00 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <s8tr0g$h6c$1@news1.tnib.de>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8rrd8$8uc$1@tncsrv09.home.tnetconsulting.net> <s8tjt6$1fld$2@gioia.aioe.org>
 by: Marc Haber - Sat, 29 May 2021 16:44 UTC

John Smith <12345@whatismyemailaddress.xyz> wrote:
>What I am asking is whether the server could allow connections in
>selectively on the basis of some piece of information unique to hardware
>that the client is running on - like e.g. its MAC address.

Without tinkering, and at your level of knowledge, no. Those people
who would be able to do that would probably need to modify the server,
and would probably refrain from building such a construction for good
reasons.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Connecting to an SSH server from the external world

<s8tr1m$h6i$1@news1.tnib.de>

  copy mid

https://www.novabbs.com/computers/article-flat.php?id=145&group=comp.os.linux.networking#145

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news1.tnib.de!feed.news.tnib.de!news.tnib.de!.POSTED.i5c74b939.versanet.de!not-for-mail
From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 18:44:38 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <s8tr1m$h6i$1@news1.tnib.de>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 29 May 2021 16:44:38 -0000 (UTC)
Injection-Info: news1.tnib.de; posting-host="i5c74b939.versanet.de:92.116.185.57";
logging-data="17618"; mail-complaints-to="abuse@tnib.de"
X-Newsreader: Forte Agent 6.00/32.1186
 by: Marc Haber - Sat, 29 May 2021 16:44 UTC

Giovanni <lsodgf0@home.net.it> wrote:
>On 05/28/2021 11:31 PM, John Smith wrote:
>
>> The problem is that I will often try to connect from my laptop when
>> it is using an Internet feed that is not the one at work. Is there
>> anything I can do at the laptop so that when it tries to connect to
>> my SSH server, the connection will be accepted?
>
>To overcome this problem I installed openvpn both in the server and on
>several clients. Each user has his own certificate and as long as you
>start the private connection you will be able to connect via ssh from
>anywhere.

This is actually no better than having the ssh server accessible from
the Outside. Just the keys are longer

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Connecting to an SSH server from the external world

<s8tsps$mmb$1@milena.home.net.it>


https://www.novabbs.com/computers/article-flat.php?id=146&group=comp.os.linux.networking#146

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!4.us.feeder.erje.net!2.eu.feeder.erje.net!feeder.erje.net!newsfeed.xs4all.nl!newsfeed9.news.xs4all.nl!feeder1.feed.usenet.farm!feed.usenet.farm!news.uzoreto.com!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail
From: lsod...@home.net.it (Giovanni)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 19:14:36 +0200
Organization: G.Falzoni Home Network
Message-ID: <s8tsps$mmb$1@milena.home.net.it>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it>
<s8tr1m$h6i$1@news1.tnib.de>
Reply-To: gfalzoni@inwind.it
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Lines: 24
NNTP-Posting-Host: 5f8bf282.news.sunsite.dk
X-Trace: 1622308479 news.sunsite.dk 669 gfalzoni@inwind.it/151.30.145.50:37148
X-Complaints-To: staff@sunsite.dk
 by: Giovanni - Sat, 29 May 2021 17:14 UTC

On 05/29/2021 06:44 PM, Marc Haber wrote:

>> To overcome this problem I installed openvpn both in the server and
>> on several clients. Each user has his own certificate and as long as
>> you start the private connection you will be able to connect via
>> ssh from anywhere.

> This is actually no better than having the ssh server accessible
> from the Outside. Just the keys are longer

The OP said that he wants access only from authorized IP addresses but
he gets locked out if he uses foreign IP. That was exactly my problem
when trying to access my network when I was traveling.

Well maybe a VPN isn't more secure than SSH, but while I see lots of
failed attempts on the ssh port, there are very few on the VPN port.
And when I connect the VPN I use SSH to login.

Ciao
Giovanni
--
A computer is like an air conditioner,
it stops working when you open Windows.
< http://giovanni.homelinux.net/ >

Re: Connecting to an SSH server from the external world

<s8u0mn$4ma$1@dont-email.me>


https://www.novabbs.com/computers/article-flat.php?id=147&group=comp.os.linux.networking#147

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: unr...@invalid.ca (William Unruh)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 18:21:11 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 27
Message-ID: <s8u0mn$4ma$1@dont-email.me>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it>
<s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it>
Injection-Date: Sat, 29 May 2021 18:21:11 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="bc1d3f43f67100ac6b1c1e433d4cf3fc";
logging-data="4810"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+3P4sOS3imzyyq+u3YCsOs"
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:V6L1/4fy16tlggE4O7QB7BtSvR4=
 by: William Unruh - Sat, 29 May 2021 18:21 UTC

On 2021-05-29, Giovanni <lsodgf0@home.net.it> wrote:
> On 05/29/2021 06:44 PM, Marc Haber wrote:
>
>>> To overcome this problem I installed openvpn both in the server and
>>> on several clients. Each user has his own certificate and as long as
>>> you start the private connection you will be able to connect via
>>> ssh from anywhere.
>
>> This is actually no better than having the ssh server accessible
>> from the Outside. Just the keys are longer
>
> The OP said that he wants access only from authorized IP addresses but
> he gets locked out if he uses foreign IP. That was exactly my problem
> when trying to access my network when I was traveling.
>
> Well maybe a VPN isn't more secure than SSH, but while I see lots of
> failed attempts on the ssh port, there are very few on the VPN port.
> And when I connect the VPN I use SSH to login.

The easiest way to get rid of the vast majority of ssh attacks is to
simply put it on a different port. And set up your ssh_config to connect
to that host on that port.

Host donaldduck*
    Port 11823
>
> Ciao
> Giovanni

Re: Connecting to an SSH server from the external world

<sbfaoh-fic.ln1@Telcontar.valinor>


https://www.novabbs.com/computers/article-flat.php?id=148&group=comp.os.linux.networking#148

Path: i2pn2.org!i2pn.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_li...@es.invalid (Carlos E.R.)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 20:56:28 +0200
Lines: 26
Message-ID: <sbfaoh-fic.ln1@Telcontar.valinor>
References: <s8rnfh$qp2$1@gioia.aioe.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net qB86L1x6aiMP7VOFPzM0AAFqrNG4ibtYUldiNK0CgKHk6JQmLn
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:N0J5W5cESU9EbmdyoQ8AB3lLIJs=
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.10.0
In-Reply-To: <s8rnfh$qp2$1@gioia.aioe.org>
Content-Language: en-CA
 by: Carlos E.R. - Sat, 29 May 2021 18:56 UTC

On 28/05/2021 23.31, John Smith wrote:
> I have the following problem:
>
> I would like to be able to connect from my laptop to my SSH
> server in my internal network, no matter where the laptop may be.
> However, my SSH server accepts connections from specific IP addresses -
> those to do with work - and rejects all others.

Remove this restriction, as you control the server, and instead have the
server listen to some high port (not 50000, that one is common), and use
public key certificates, disabling password login. This is what most
people do and it works.

As added security, you could do some port knocking.

You might hire a VPN, and connect via it, if you tell the server to
accept that VPN address. Provided you are sure the VPN will never change.

However, if someone wants to attack you, they will see established
connections from those addresses, while other addresses fail fast; thus
they will figure out that they have to "fake" those IP addresses to
connect to your server.

--
Cheers, Carlos.

Re: Connecting to an SSH server from the external world

<20210529172613@news.eternal-september.org>


https://www.novabbs.com/computers/article-flat.php?id=149&group=comp.os.linux.networking#149

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: rogbl...@iname.invalid (Roger Blake)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 21:28:13 -0000 (UTC)
Organization: Ministry of Silly Walks
Lines: 18
Message-ID: <20210529172613@news.eternal-september.org>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it>
<s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it>
<s8u0mn$4ma$1@dont-email.me>
Injection-Date: Sat, 29 May 2021 21:28:13 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="f142bcd274a488bbb8b66c841a9c485d";
logging-data="4898"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/tBovvDhlXDaLHzt9Gi9hNrVP4NNG8UaA="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:dDdlXTF4SX9oGLWtwu2NDdDo9kc=
 by: Roger Blake - Sat, 29 May 2021 21:28 UTC

On 2021-05-29, William Unruh <unruh@invalid.ca> wrote:
> The easiest way to get rid of the vast majority of ssh attacks is to
> simply put it on a different port. And set up your ssh_config to connect
> to that host on that port.

Also set up for key-based login only to prevent brute-force password
attacks from going anywhere, and use the firewall to limit the number
of connection attempts permitted per minute.

--
------------------------------------------------------------------------------
Roger Blake (Posts from Google Groups killfiled due to excess spam.)

18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
The fraud of "Climate Change" -- https://RealClimateScience.com
Don't talk to cops! -- https://DontTalkToCops.com
------------------------------------------------------------------------------
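Carlos and Roger both land on the same server-side recipe: non-default port, key-only login, passwords off. The script below is an added example written for this archive, not code from either poster. It audits an sshd_config the way sshd itself reads it (first occurrence of a keyword wins, Match blocks are conditional) and reports the settings that matter for the brute-force noise discussed here. The two sample configs it writes are constructed for the demo; the port number 11823 is just William's example from earlier in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# Carlos and Roger recommend. The two sample configs are constructed here.

# effective_value FILE KEYWORD DEFAULT
# sshd_config semantics: the first occurrence of a keyword wins, keywords are
# case-insensitive, and settings inside a Match block apply conditionally,
# so the scan stops at the first Match line and falls back to DEFAULT.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }      # "Key=value" form
        /^[[:space:]]*#/ || NF == 0 { next }            # comments, blanks
        tolower($1) == "match"     { exit }
        tolower($1) == key         { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: one finding per line; exit 0 only if nothing is WEAK.
audit_sshd_config() {
    f=$1; weak=0
    port=$(effective_value "$f" Port 22)
    pw=$(effective_value "$f" PasswordAuthentication yes)
    pk=$(effective_value "$f" PubkeyAuthentication yes)
    root=$(effective_value "$f" PermitRootLogin prohibit-password)
    # ChallengeResponseAuthentication is the older alias of KbdInteractiveAuthentication
    kbd=$(effective_value "$f" KbdInteractiveAuthentication \
          "$(effective_value "$f" ChallengeResponseAuthentication yes)")

    if [ "$port" = 22 ]; then
        echo "INFO: Port 22 (default); a high port only cuts log noise, it is not a control"
    fi
    if [ "$pw" = yes ]; then
        echo "WEAK: PasswordAuthentication is yes (default) - enables password brute force"; weak=$((weak+1))
    fi
    if [ "$kbd" = yes ]; then
        echo "WEAK: keyboard-interactive auth is yes - with PAM this still accepts passwords"; weak=$((weak+1))
    fi
    if [ "$pk" != yes ]; then
        echo "WEAK: PubkeyAuthentication is $pk - key-only login is impossible"; weak=$((weak+1))
    fi
    if [ "$root" = yes ]; then
        echo "WEAK: PermitRootLogin yes - root is the account every bot tries first"; weak=$((weak+1))
    fi
    echo "summary: $weak weak setting(s)"
    [ "$weak" -eq 0 ]
}

# weak_count FILE: number of WEAK findings, for scripting.
weak_count() { audit_sshd_config "$1" | grep -c '^WEAK' || true; }

# Constructed sample configs (not from any real host).
write_samples() {
    cat >"$1/weak.conf" <<'EOF'
# Looks harmless: most lines commented out, so sshd's defaults apply
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
    cat >"$1/hardened.conf" <<'EOF'
Port 11823
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AuthenticationMethods publickey
# Anything below only applies to the matching clients; the audit ignores it
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
}

# Demo on the constructed samples
tmp=$(mktemp -d)
write_samples "$tmp"
for c in weak hardened; do
    echo "== $c.conf"
    audit_sshd_config "$tmp/$c.conf" || true
done
rm -rf "$tmp"
```

Run it against /etc/ssh/sshd_config on the real host; the keyboard-interactive check is the one people miss, because with PAM in the loop "PasswordAuthentication no" alone still lets a password through that path. The audit deliberately ignores Match blocks, so if you rely on one, check it by hand (or with `sshd -T -C user=...,addr=...`, which prints the effective settings for a given connection).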

Re: Connecting to an SSH server from the external world

<s8uqe5$msu$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=151&group=comp.os.linux.networking#151

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 19:37:51 -0600
Organization: TNet Consulting
Message-ID: <s8uqe5$msu$1@tncsrv09.home.tnetconsulting.net>
References: <s8rnfh$qp2$1@gioia.aioe.org>
<s8rrd8$8uc$1@tncsrv09.home.tnetconsulting.net>
<s8tjt6$1fld$2@gioia.aioe.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 30 May 2021 01:40:21 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="23454"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.9.0
In-Reply-To: <s8tjt6$1fld$2@gioia.aioe.org>
Content-Language: en-US
 by: Grant Taylor - Sun, 30 May 2021 01:37 UTC

On 5/29/21 8:42 AM, John Smith wrote:
> Downstream. The router just forwards connections on port 22 to the
> appropriate system in my network.

Is the router forwarding /all/ connections to the system in your
network? Or is it only forwarding /some/ /specific/ source IPs?

If it is, or could be made to be, forwarding /all/ connections, then you
can have filtering logic on the system in your network.

> What I am asking is whether the server could allow connections in
> selectively on the basis of some piece of information unique to
> hardware that the client is running on - like e.g. its MAC address.

MAC addresses as they are normally used don't traverse routers.

I would strongly advocate for SSH keys. Or better would be SSH
certificates. The client must present a client certificate to the SSH
server that the SSH server trusts. (This is in addition to normal
account requirements like ~/.ssh/known_hosts.) Though these rely on the
security of the SSH server and it needs to be exposed to the Internet to
allow incoming connections from anywhere.

I would suggest a VPN of some sort; IPsec, OpenVPN, or WireGuard,
between clients and your router. Your router could be configured to
allow SSH traffic from VPN(s) in to the server on your network while
blocking SSH traffic that didn't come through a VPN. This has the
advantage of only needing to expose the SSH server to clients that have
valid VPN connections, meaning people you likely trust.

--
Grant. . . .
unix || die
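Grant's "better would be SSH certificates" is worth showing end to end, because the setup is short and the gain over plain authorized_keys is real: the server trusts one CA public key, every laptop key gets a short-lived certificate with fixed principals and restrictions, and revocation or expiry does not require touching the server. The script below is an added example, not Grant's or OpenSSH's own code; the key names, the principal "john", the key ID and the one-year validity are this example's choices. It needs ssh-keygen from OpenSSH.

```sh
#!/bin/sh
# Added example, not from the thread: OpenSSH user certificates as Grant
# describes. Key names, the principal "john", the key ID and the validity
# window are this example's choices. Needs ssh-keygen from OpenSSH.

# issue_user_cert DIR PRINCIPAL
# Creates a CA, a user key, signs the user key with the CA, and prints the
# principal(s) carried by the resulting certificate.
issue_user_cert() {
    dir=$1; principal=$2
    # 1. CA key pair. Keep user_ca offline; only user_ca.pub goes to the server.
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$dir/user_ca"
    # 2. The laptop's own key pair (in practice generated on the laptop).
    ssh-keygen -q -t ed25519 -N '' -C 'john@laptop' -f "$dir/id_laptop"
    # 3. Sign it. -I: key id that shows up in sshd's log, -n: login names the
    #    cert is valid for, -V: validity window, -O: extensions (start from
    #    none, then allow a pty only, so no forwarding of any kind).
    ssh-keygen -q -s "$dir/user_ca" -I 'john-laptop-2021' -n "$principal" \
        -V '+52w' -O clear -O permit-pty "$dir/id_laptop.pub"
    # 4. ssh-keygen writes id_laptop-cert.pub next to the public key.
    cert_principals "$dir/id_laptop-cert.pub"
}

# cert_principals CERT: principals listed in the certificate, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ { f = 1; next } /Critical Options:/ { f = 0 } f { print $1 }'
}

# cert_signed_by CERT CA_PUB: succeeds if the certificate's signing-CA
# fingerprint matches CA_PUB, which is what sshd checks against TrustedUserCAKeys.
cert_signed_by() {
    signer=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ { print $4 }')
    ca=$(ssh-keygen -l -f "$2" | awk '{ print $2 }')
    [ -n "$signer" ] && [ "$signer" = "$ca" ]
}

# Demo run
tmp=$(mktemp -d)
echo "principals: $(issue_user_cert "$tmp" john)"
cert_signed_by "$tmp/id_laptop-cert.pub" "$tmp/user_ca.pub" && echo "signed by our CA"
ssh-keygen -L -f "$tmp/id_laptop-cert.pub"
rm -rf "$tmp"

# Server side (sshd_config), then reload sshd:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
# Client side (~/.ssh/config); ssh also finds id_laptop-cert.pub by itself:
#   Host myserver
#       IdentityFile    ~/.ssh/id_laptop
#       CertificateFile ~/.ssh/id_laptop-cert.pub
```

The principal list is the access-control hook: sshd only accepts the certificate for the account names it carries (or, with AuthorizedPrincipalsFile, for the names listed there), so one CA can issue certificates for different people without any of them being able to log in as each other. As Grant notes, none of this removes the need to expose sshd; it just makes what is exposed accept nothing but a fresh, CA-signed key.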

Re: Connecting to an SSH server from the external world

<s8uqkv$msu$2@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=152&group=comp.os.linux.networking#152

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 19:41:28 -0600
Organization: TNet Consulting
Message-ID: <s8uqkv$msu$2@tncsrv09.home.tnetconsulting.net>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it>
<s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it>
<s8u0mn$4ma$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 30 May 2021 01:43:59 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="23454"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.9.0
In-Reply-To: <s8u0mn$4ma$1@dont-email.me>
Content-Language: en-US
 by: Grant Taylor - Sun, 30 May 2021 01:41 UTC

On 5/29/21 12:21 PM, William Unruh wrote:
> The easiest way to get rid of the vast majority of ssh attacks is to
> simply put it on a different port.

The operative phrase is "the vast majority". There will still be plenty
of attacks even on non-standard port.

Obscurity, by itself, is not security.

Obscurity can be one of many layers of a security solution.

> And set up your ssh_config to connect to that host on that port.

I absolutely endorse the /client/ ssh configuration files, either
individual (~/.ssh/config) or system wide (/etc/ssh/ssh_config).

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

<s8uqpv$msu$3@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=153&group=comp.os.linux.networking#153

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 19:44:08 -0600
Organization: TNet Consulting
Message-ID: <s8uqpv$msu$3@tncsrv09.home.tnetconsulting.net>
References: <s8rnfh$qp2$1@gioia.aioe.org> <sbfaoh-fic.ln1@Telcontar.valinor>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 30 May 2021 01:46:39 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="23454"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.9.0
In-Reply-To: <sbfaoh-fic.ln1@Telcontar.valinor>
Content-Language: en-US
 by: Grant Taylor - Sun, 30 May 2021 01:44 UTC

On 5/29/21 12:56 PM, Carlos E.R. wrote:
> However, if someone wants to attack you, they will see established
> connections from those addresses, while other addresses fail fast; thus
> they will figure out that they have to "fake" those IP addresses to
> connect to your server.

Spoofing IP addresses on TCP connections is possible, but it's a LOT
harder to do than UDP. As long as the security requires round trip
traffic, a la established connections, then fire and forget attacks are
almost completely off the table.

I say almost completely because there are ways to deal with this, but
they are considerably more involved. If you're defending against this,
you are well beyond simply getting rid of log noise from worms.

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

<s8uqud$msu$4@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=154&group=comp.os.linux.networking#154

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 19:46:30 -0600
Organization: TNet Consulting
Message-ID: <s8uqud$msu$4@tncsrv09.home.tnetconsulting.net>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8rqq6$gq$1@dont-email.me>
<s8tjko$1fld$1@gioia.aioe.org> <s8tmh5$uhk$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 30 May 2021 01:49:01 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="23454"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.9.0
In-Reply-To: <s8tmh5$uhk$1@dont-email.me>
Content-Language: en-US
 by: Grant Taylor - Sun, 30 May 2021 01:46 UTC

On 5/29/21 9:27 AM, William Unruh wrote:
> As has been mentioned you could try port knocking-- still not terribly
> secure but it depends on the level of adversary you are protecting from.

Dynamic port knocking or Single Packet Authentication uses cryptographic
primitives to make each knock different. As in the source IP and / or
time of day is taken into consideration for the port(s) and / or
sequence to be knocked on.

Much like port knocking eliminates a lot of chaff, dynamic port knocking
or SPA eliminates the simple playback of previous port knocks.

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

<s8ur1m$msu$5@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=155&group=comp.os.linux.networking#155

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 19:48:15 -0600
Organization: TNet Consulting
Message-ID: <s8ur1m$msu$5@tncsrv09.home.tnetconsulting.net>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it>
<s8tr1m$h6i$1@news1.tnib.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 30 May 2021 01:50:46 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="23454"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.9.0
In-Reply-To: <s8tr1m$h6i$1@news1.tnib.de>
Content-Language: en-US
 by: Grant Taylor - Sun, 30 May 2021 01:48 UTC

On 5/29/21 10:44 AM, Marc Haber wrote:
> This is actually no better than having the ssh server accessible from
> the Outside. Just the keys are longer

I disagree.

The biggest difference I see is the scope and complexity of the
different systems.

OpenSSH is a LOT of lines of code and is quite complex. Conversely,
WireGuard is many fewer lines of code and purportedly quite a bit
simpler. From a security standpoint, this is a HUGE difference.

There is also some security benefit on having the VPN and the SSH server
on different devices.

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

<s8v14o$c2g$1@server.snarked.org>


https://www.novabbs.com/computers/article-flat.php?id=156&group=comp.os.linux.networking#156

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.snarked.org!not-for-mail
From: spa...@spam.org (D. Stussy)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 20:34:48 -0700
Lines: 1
Message-ID: <s8v14o$c2g$1@server.snarked.org>
References: <s8rnfh$qp2$1@gioia.aioe.org> <slrnsb3ql0.9a0.h_hucke+spam.news@romulus.aeon.icebear.cloud>
Reply-To: "D. Stussy" <newsgroups+replies@kd6lvw.ampr.org>
Mime-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="UTF-8";
reply-type=response
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 30 May 2021 03:34:49 -0000 (UTC)
Injection-Info: server.snarked.org; posting-host="71-38-195-64.lsv2.qwest.net:71.38.195.64";
logging-data="12368"; mail-complaints-to="newsmaster+complaints@snarked.org"
X-Priority: 3
Importance: Normal
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Windows Live Mail 15.4.3538.513
In-Reply-To: <slrnsb3ql0.9a0.h_hucke+spam.news@romulus.aeon.icebear.cloud>
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3538.513
X-No-Archive: Yes
 by: D. Stussy - Sun, 30 May 2021 03:34 UTC

One doesn't need to run a program to do port knocking if one has a stateful
firewall. For Linux and similar unices, iptables with a recent list (using a
timeout) can be configured to work.

Note also that port knocking, although defined in terms of UDP, need not use
UDP ports. One can use other IP protocols, and in some circumstances, even
some port-less protocols might work.

"Henning Hucke" wrote in message news:slrnsb3ql0.9a0.h_hucke+spam.news@romulus.aeon.icebear.cloud...
On 2021-05-28, John Smith <12345@whatismyemailaddress.xyz> wrote:
Hi John (Yeah! "John" is certainly your name. Isn't it?).

> I have the following problem:

Ever heard about port knock client and server?

You would have to install a knockd on your server and use a knock client
on your laptop. This way you explicitly open your firewall for a short
period to establish a connection and then close it again.

Best regards.
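D. Stussy's knockd-free variant is easy to get wrong by hand once the sequence is longer than two ports, so here is an added example (written for this archive, not posted by anyone in the thread) that generates the iptables rule set for an N-stage knock using the recent match. It prints commands rather than applying them; the knock ports, the chain names, the per-step and open timeouts are all this example's choices. It uses TCP SYNs as the knock, one of the non-UDP options D. Stussy mentions.

```sh
#!/bin/sh
# Added example, not from the thread: generate the iptables rules for the
# recent-module port knock D. Stussy describes. The knock sequence, the chain
# names and the timeouts are this example's choices. Nothing is applied here;
# the function only prints commands for review.

# knock_rules "P1 P2 ..." SSH_PORT STEP_SECS OPEN_SECS
# A TCP SYN to P1, then P2, ... (each within STEP_SECS of the previous one)
# from the same source address opens SSH_PORT to that address for one new
# connection, for OPEN_SECS. Any SYN to the wrong port resets the sequence.
knock_rules() {
    sequence=$1; ssh_port=$2; step=$3; open=$4
    set -- $sequence
    n=$#
    [ "$n" -ge 1 ] || { echo "knock_rules: empty sequence" >&2; return 1; }

    echo "iptables -N KNOCKING"
    echo "iptables -N PASSED"
    i=1
    for port in "$@"; do
        echo "iptables -N GATE$i"
        # advancing a stage consumes the previous stage's entry ...
        if [ "$i" -gt 1 ]; then
            echo "iptables -A GATE$i -m recent --name AUTH$((i-1)) --remove"
        fi
        # ... and records this one; the knock packet itself is still dropped,
        # so a port scan sees nothing different from a closed port
        echo "iptables -A GATE$i -p tcp --dport $port -m recent --name AUTH$i --set -j DROP"
        # wrong port: fall back to stage 1 (which drops it and may start over)
        if [ "$i" -gt 1 ]; then
            echo "iptables -A GATE$i -j GATE1"
        else
            echo "iptables -A GATE$i -j DROP"
        fi
        i=$((i+1))
    done

    # Dispatch: test the most advanced stage first so a sequence in progress
    # is not reset by the earlier, still-valid entries
    echo "iptables -A KNOCKING -m recent --rcheck --seconds $open --name AUTH$n -j PASSED"
    j=$((n-1))
    while [ "$j" -ge 1 ]; do
        echo "iptables -A KNOCKING -m recent --rcheck --seconds $step --name AUTH$j -j GATE$((j+1))"
        j=$((j-1))
    done
    echo "iptables -A KNOCKING -j GATE1"

    # One SSH connection per completed sequence: the entry is removed on use
    echo "iptables -A PASSED -m recent --name AUTH$n --remove"
    echo "iptables -A PASSED -p tcp --dport $ssh_port -j ACCEPT"
    echo "iptables -A PASSED -j GATE1"

    # Hook it in: established traffic never touches the knock logic, only
    # new TCP connection attempts (SYN) do
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --syn -j KNOCKING"
}

# Demo: three knocks, 10 s between knocks, SSH open for 30 s afterwards
knock_rules "7000 8000 9000" 22 10 30

# Client side, assuming a nc that supports -z (the SYNs are dropped, so each
# probe just times out after -w seconds):
#   for p in 7000 8000 9000; do nc -z -w 1 server.example "$p"; done
#   ssh -p 22 server.example
```

Review the output, add ACCEPT rules for any other services above the `-j KNOCKING` line (everything that reaches GATE1 and is not a knock is dropped), and only then pipe it to sh. For the OP's router-forwards-port-22 setup the same chains go in FORWARD rather than INPUT. Two caveats a practitioner should keep in mind: the recent lists are keyed by source address, so every client behind one NAT shares the state, and anyone who can see the traffic can replay the sequence, which is the gap Grant's dynamic knocking / SPA closes.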

Re: Connecting to an SSH server from the external world

<s8v6aj$ch8$1@dont-email.me>


https://www.novabbs.com/computers/article-flat.php?id=157&group=comp.os.linux.networking#157

Path: i2pn2.org!rocksolid2!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: bere...@nun-ya-bizness.com (Johann Beretta)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sat, 29 May 2021 22:03:15 -0700
Organization: None Of Your Business
Lines: 10
Message-ID: <s8v6aj$ch8$1@dont-email.me>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it>
<s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it>
<s8u0mn$4ma$1@dont-email.me> <20210529172613@news.eternal-september.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 30 May 2021 05:03:16 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="426e394b8ccba64f27812b8d2ad5fe28";
logging-data="12840"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/kcGOMgMvnm6+GMo0C863crVRtP+EVrSo="
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Thunderbird/68.10.0
Cancel-Lock: sha1:0llk/Ihn3eD6YUmRlRjfK0ONxp4=
In-Reply-To: <20210529172613@news.eternal-september.org>
Content-Language: en-US
 by: Johann Beretta - Sun, 30 May 2021 05:03 UTC

On 5/29/21 2:28 PM, Roger Blake wrote:

>
> and use the firewall to limit the number
> of connection attempts permitted per minute.
>

That could easily lead to you being denied access. A bad actor would
only have to keep attempting to connect, rapidly.

Re: Connecting to an SSH server from the external world

<s8voc8$6rs$1@news1.tnib.de>


https://www.novabbs.com/computers/article-flat.php?id=159&group=comp.os.linux.networking#159

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news1.tnib.de!feed.news.tnib.de!news.tnib.de!.POSTED.i5c74bc86.versanet.de!not-for-mail
From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Subject: Re: Connecting to an SSH server from the external world
Date: Sun, 30 May 2021 12:11:20 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <s8voc8$6rs$1@news1.tnib.de>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it> <s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 30 May 2021 10:11:20 -0000 (UTC)
Injection-Info: news1.tnib.de; posting-host="i5c74bc86.versanet.de:92.116.188.134";
logging-data="7036"; mail-complaints-to="abuse@tnib.de"
X-Newsreader: Forte Agent 6.00/32.1186
 by: Marc Haber - Sun, 30 May 2021 10:11 UTC

Giovanni <lsodgf0@home.net.it> wrote:
>On 05/29/2021 06:44 PM, Marc Haber wrote:
>
>>> To overcome this problem I installed openvpn both in the server and
>>> on several clients. Each user has his own certificate and as long as
>>> you start the private connection you will be able to connect via
>>> ssh from anywhere.
>
>> This is actually no better than having the ssh server accessible
>> from the Outside. Just the keys are longer
>
>The OP said that he wants access only from authorized IP addresses but
>he gets locked out if he uses foreign IP.

Yes, that's an unfillable request. Either there is a restriction, or
there is not.

What you're suggesting is an enterprise-level policy circumvention
that people do if they have contradicting requirements and don't dare
to educate the people who made those requirements.

>Well maybe a VPN isn't more secure than SSH, but while I see lots of
>failed attempts on the ssh port, there are very few on the VPN port.

The VAST majority of the connections to ssh servers are just
bruteforcing joe accounts. That doesn't matter at all for an ssh server
with passwords disabled.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
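Giovanni sees "lots of failed attempts on the ssh port" and Marc's reply is that they are bots bruteforcing joe accounts, which is harmless once passwords are off. Whether that is true on a given host is something to measure, not assume, so here is an added example (not from either poster) that tallies the sshd failure events in a syslog-style auth.log per source address and per username tried, and counts successful password logins, which must be zero if the policy is what Marc describes. The log lines it writes are constructed for the demo, with RFC 5737 documentation addresses; they are not from any real host.

```sh
#!/bin/sh
# Added example, not from the thread: tally sshd authentication failures per
# source address from a syslog-style auth.log, the "bruteforcing joe accounts"
# noise Marc refers to. The log lines below are constructed (RFC 5737
# addresses), not from any real host.

write_sample_log() {
    cat >"$1" <<'EOF'
May 29 18:20:01 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 29 18:20:02 gw sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
May 29 18:20:03 gw sshd[1236]: Invalid user oracle from 198.51.100.7 port 44100
May 29 18:20:04 gw sshd[1236]: Failed password for invalid user oracle from 198.51.100.7 port 44100 ssh2
May 29 18:20:05 gw sshd[1238]: Accepted publickey for john from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:k5Qexample
May 29 18:20:06 gw sshd[1239]: Connection closed by authenticating user root 203.0.113.5 port 51240 [preauth]
May 29 18:20:07 gw sshd[1240]: Accepted password for john from 203.0.113.9 port 50100 ssh2
EOF
}

# The three message forms counted as failure events. "Connection closed by
# authenticating user" is what bots produce once PasswordAuthentication is off.
FAIL_RE='sshd\[[0-9]+\]: (Failed password for|Connection closed by authenticating user|Invalid user) '

# failed_by_ip FILE: "count address" per source, most active first.
# In all three forms the source address is the field just before "port".
failed_by_ip() {
    awk -v re="$FAIL_RE" '$0 ~ re {
            for (i = 2; i <= NF; i++) if ($i == "port") { hits[$(i-1)]++; break }
         }
         END { for (ip in hits) print hits[ip], ip }' "$1" | sort -rn
}

# top_attacker FILE: the single busiest source address.
top_attacker() { failed_by_ip "$1" | awk 'NR == 1 { print $2 }'; }

# probed_users FILE: "count username" for the names tried, most tried first.
probed_users() {
    awk -v re="$FAIL_RE" '$0 ~ re {
            u = ""
            for (i = 1; i < NF; i++) {
                if ($i == "user") u = $(i+1)                            # "invalid user X", "authenticating user X"
                else if ($i == "for" && $(i+1) != "invalid") u = $(i+1) # "Failed password for X from"
            }
            if (u != "") tried[u]++
         }
         END { for (u in tried) print tried[u], u }' "$1" | sort -rn
}

# password_logins FILE: successful *password* logins. With PasswordAuthentication
# no this must be 0; anything else means the policy is not what you think.
password_logins() { grep -c 'sshd\[[0-9]*\]: Accepted password for ' "$1" || true; }

# Demo on the constructed log
tmp=$(mktemp)
write_sample_log "$tmp"
echo "failure events per source:"; failed_by_ip "$tmp"
echo "usernames probed:";          probed_users "$tmp"
echo "password logins (should be 0 with passwords disabled): $(password_logins "$tmp")"
rm -f "$tmp"
```

On a real host point the functions at /var/log/auth.log (or the output of `journalctl -u ssh -o short`, which keeps the `sshd[pid]:` prefix the patterns key on). Two readings of the result: a long tail of distinct usernames from a few addresses is the joe-account scanning Marc describes and is log noise if password_logins stays at zero; a non-zero password_logins on a host that is supposed to be key-only is the finding that actually matters.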
