Limiting SSH & port 22 - how is everyone doing it?

prodservices
New Contributor III

Hello JAMF Nation,

Wondering how everyone here is limiting access to port 22 in their environment. We'd like to restrict it down to the subnets where the management hosts and endpoints live, so I figured I would see how others are doing this (if at all) and see if there were any gotchas we haven't thought of yet. For example, how are your OS X firewalls configured? Any best practices to consider?

Ideally I'd like to limit things so you can only SSH into a machine that lives on the subnet of the other Casper hosts (ex. you can only ssh into port 22 from 10.0.0.x to 10.0.1.x or something like that).

Thanks everyone for any feedback you can provide.


Berrier
Contributor

I'm not a network guy, but I would expect the easiest way is via access-lists on your switches. Here's an example that blocks ssh in or out on vlan 101, but allows everything else.

! Extended ACL 101: drop TCP/22 destined for 172.21.100.0/24, permit everything else
access-list 101 deny tcp any 172.21.100.0 0.0.0.255 eq 22
access-list 101 permit ip any any

Then on your layer 3 SVI, under the VLAN interface, apply it inbound or outbound:

! SVI for VLAN 101 with ACL 101 applied in both directions
interface vlan 101
 ip address 172.21.100.1 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out

Example copied from: https://supportforums.cisco.com/discussion/12565791/how-can-i-block-ssh-access-svi

I would build a config that blocks SSH on all the subnets except where you want it to be available.

Berrier
Contributor

I keep coming up with thoughts on this... The only gotcha I foresee is making sure you have an exception for your admin workstations so they can push policies and applications through Casper Remote. Also, Casper Remote's screen sharing relies on an SSH tunnel to the endpoint. You may want to look at just disallowing SSH out from the workstations depending on what your end goal is. Whatever you decide to do, be sure to test well in a lab, because as always, your mileage may vary.
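The host-side counterpart to the switch ACL in the first reply, as an added example that is not part of this thread: a POSIX shell script that renders and loads a pf anchor on macOS so the endpoint itself only accepts inbound SSH (tcp/22) from the management subnets, which is the "OS X firewall" piece the original question asked about. The macOS application firewall filters by application, not by source address, so pf is the tool for this. The subnet list (Casper hosts plus the admin workstations the second reply says need an exception), the anchor name `ssh-mgmt` and the path `/etc/pf.anchors/ssh-mgmt` are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example, not from the original thread: restrict inbound SSH on a
# macOS endpoint to the management subnets using pf. Assumes macOS pfctl and
# root privileges for the install step. Subnets, anchor name and file path
# are constructed placeholders; replace them with your own.

MGMT_SUBNETS="10.0.0.0/24 10.0.1.0/24"        # Casper hosts + admin workstations
ANCHOR_NAME="ssh-mgmt"                         # hypothetical anchor name
ANCHOR_FILE="/etc/pf.anchors/$ANCHOR_NAME"     # hypothetical path

# Print a pf ruleset that blocks tcp/22 from everywhere except the subnets
# given as a space-separated list. pf is last-match-wins, so the broad block
# comes first and the narrow pass from the <mgmt> table overrides it.
render_ssh_rules() {
    subnets=$(printf '%s' "$1" | sed 's/ /, /g')
    printf 'table <mgmt> const { %s }\n' "$subnets"
    printf 'block return in proto tcp from any to any port 22\n'
    printf 'pass in proto tcp from <mgmt> to any port 22 flags S/SA keep state\n'
}

# Return 0 if the rendered ruleset has the expected shape (exactly three
# lines, ending in the pass rule from the table); a cheap self-check
# before touching pf.
check_ssh_rules() {
    rules=$(render_ssh_rules "$1")
    [ "$(printf '%s\n' "$rules" | wc -l | tr -d ' ')" -eq 3 ] &&
    printf '%s\n' "$rules" | grep -q '^pass in proto tcp from <mgmt>'
}

# Write the anchor file, syntax-check it, load it and make sure pf is
# enabled. The main /etc/pf.conf must reference the anchor
# (anchor "ssh-mgmt") for the loaded rules to be evaluated.
install_ssh_rules() {
    check_ssh_rules "$MGMT_SUBNETS" || return 1
    render_ssh_rules "$MGMT_SUBNETS" > "$ANCHOR_FILE"
    pfctl -n -f "$ANCHOR_FILE" || return 1    # parse only, reject bad rules
    pfctl -a "$ANCHOR_NAME" -f "$ANCHOR_FILE" || return 1
    pfctl -e 2>/dev/null || true              # already enabled is fine
}

# Only install when explicitly asked, so the script can be sourced for review.
if [ "${1:-}" = "--install" ]; then
    install_ssh_rules
fi
```

Run `sh ssh-mgmt.sh --install` as root after adding `anchor "ssh-mgmt"` and `load anchor "ssh-mgmt" from "/etc/pf.anchors/ssh-mgmt"` to `/etc/pf.conf`; without that reference the anchor loads but is never consulted. Keeping the management and admin ranges in a single `const` table means the exception the second reply warns about lives in one place, and `pfctl -n` rejects a malformed ruleset before anything is applied.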