Old 07-13-2005
Ray Ingles
 
Re: Tightening SSH access

In article <mcCze.38558$e64.1059880@wagner.videotron.net>, Carlos Moreno wrote:

> Is there a way to configure SSH + iptables such that it only accepts
> logins coming from our machines?


I tackled the problem in a different way. I have SSH configured with
tcpwrappers (/etc/hosts.allow, hosts.deny) that normally only allow
connections from the LAN. It's IP address (or IP range), not MAC, but
this may be sufficient for you.

But in addition I wrote a program called Ostiary that is, I
respectfully submit, secure by inspection. It uses CHAP+HMAC with a
SHA1 hash, and only allows a fixed set of commands to be run, with one
argument: the IP that successfully authenticated. Buffer overflows and
similar attacks are impossible.

Mathematically speaking, brute force is vanishingly unlikely to
work (i.e. the sun will burn out first) and it has automatic lockout
features to thwart dictionary attacks. I use it to temporarily enable
SSH for whatever specific machine I happen to be on, and then SSH in.
It even has a Java client now, so any Java-enabled web browser can be
the client. (Combine that with a Java SSH client... :-> )

Perhaps I'm overly paranoid, but I don't worry about anyone breaking
into my system via SSH, even if they somehow find a buffer overflow in
SSH or something. And for simple remote admin tasks (e.g. restart
webserver, etc.) SSH isn't needed at all.

http://ingles.homeunix.org/software/ost/

--
Sincerely,

Ray Ingles (313) 227-2317

"Open source code is not guaranteed nor does it come with a
warranty." - the Alexis de Tocqueville Institute

"I guess that's in contrast to proprietary software, which
comes with a money-back guarantee, and free on-site repairs
if any bugs are found." - Rary
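The challenge-response scheme the post describes (a server-chosen challenge answered with an HMAC-SHA1 keyed by a shared secret, a fixed command table, the authenticated IP as the command's only argument, and lockout after repeated failures), sketched as an added Python example. This is illustrative code written for this page, not Ostiary's source or its wire protocol; the secrets, command names and lockout threshold are constructed demo values, and the handlers return the command they would run instead of executing it.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed demo table: each action has its own secret and a handler whose
# only input is the IP that authenticated. Handlers return the command string
# rather than running it so the demo stays offline.
COMMANDS: Dict[str, Tuple[bytes, Callable[[str], str]]] = {
    "enable-ssh": (b"demo-secret-enable",
                   lambda ip: f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j ACCEPT"),
    "restart-web": (b"demo-secret-web",
                    lambda ip: f"restart webserver (requested from {ip})"),
}
MAX_FAILURES = 3  # constructed lockout threshold


class ChallengeServer:
    def __init__(self, commands=COMMANDS, max_failures=MAX_FAILURES):
        self.commands = commands
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}   # consecutive failures per client IP
        self.pending: Dict[str, bytes] = {}  # one outstanding challenge per client IP

    def challenge(self, client_ip: str) -> Optional[bytes]:
        """Issue a fresh random nonce, or None if the client is locked out."""
        if self.failures.get(client_ip, 0) >= self.max_failures:
            return None
        nonce = secrets.token_bytes(20)
        self.pending[client_ip] = nonce
        return nonce

    def respond(self, client_ip: str, digest: bytes) -> Optional[str]:
        """Verify HMAC-SHA1(secret, nonce) against every registered action.
        The nonce is consumed whether or not the check succeeds, so a captured
        digest cannot be replayed. Returns the action's output or None."""
        nonce = self.pending.pop(client_ip, None)
        if nonce is None:
            return None
        for _name, (secret, action) in self.commands.items():
            expected = hmac.new(secret, nonce, hashlib.sha1).digest()
            if hmac.compare_digest(expected, digest):  # constant-time compare
                self.failures.pop(client_ip, None)
                return action(client_ip)  # the authenticated IP is the only argument
        self.failures[client_ip] = self.failures.get(client_ip, 0) + 1
        return None


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """What the client sends back: HMAC-SHA1 of the server's nonce under its secret."""
    return hmac.new(secret, nonce, hashlib.sha1).digest()
```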