Posted on 01-12-2016 12:37 PM
Hello JAMF Nation,
Wondering how everyone here is limiting access to port 22 in their environment. We'd like to restrict it down to the subnets where the management hosts and endpoints live, so I figured I would see how others are doing this (if at all) and see if there were any gotchas we haven't thought of yet. For example, how are your OS X firewalls configured? Any best practices to consider?
Ideally I'd like to limit things so you can only SSH into a machine that lives on the subnet of the other Casper hosts (ex. you can only ssh into port 22 from 10.0.0.x to 10.0.1.x or something like that).
Thanks everyone for any feedback you can provide.
Posted on 01-12-2016 01:13 PM
I'm not a network guy, but I would expect the easiest way is via access-lists on your switches. Here's an example that blocks ssh in or out on vlan 101, but allows everything else.
! Extended ACL 101: deny TCP/22 to 172.21.100.0/24 (0.0.0.255 is the wildcard mask), permit everything else
access-list 101 deny tcp any 172.21.100.0 0.0.0.255 eq 22
access-list 101 permit ip any any
Then on your layer 3 SVI under the vlan interface apply it in or outbound
! Apply ACL 101 to the SVI for VLAN 101 in both directions
interface vlan 101
 ip address 172.21.100.1 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
Example copied from: https://supportforums.cisco.com/discussion/12565791/how-can-i-block-ssh-access-svi
I would build a config that blocks SSH on all the subnets except where you want it to be available.
Posted on 01-12-2016 01:17 PM
I keep coming up with thoughts on this... The only gotcha I foresee is making sure you have an exception for your admin workstations so they can push policies and applications through Casper Remote. Also, Casper Remote's screen sharing relies on an SSH tunnel to the endpoint. You may want to look at just disallowing SSH out from the workstations depending on what your end goal is. Whatever you decide to do, be sure to test well in a lab, because as always, your mileage may vary.
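The switch ACL in the reply above and the OS X host-firewall question in the original post, as an added example (not code from the thread or from Jamf): a small Python script that builds a pf ruleset for the Mac and the equivalent Cisco extended ACL from one list of management subnets, then evaluates the ACL with Cisco's first-match semantics so you can see which sources would still reach port 22 before touching a switch. The subnets 10.0.0.0/24 and 10.0.1.0/24, the interface name en0, the ACL number and every address used below are constructed assumptions for illustration.

```python
"""Restrict SSH (tcp/22) to management subnets: generate pf rules for the Mac
and a Cisco extended ACL from one allow-list, and evaluate the ACL offline."""
import ipaddress

# Constructed example: subnets where the Casper hosts and admin workstations live.
MGMT_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24"]


def pf_rules(allowed, port=22, iface="en0"):
    """Return pf.conf lines allowing inbound SSH only from `allowed` (CIDR strings).
    'quick' stops evaluation at the first match, so the pass rule must come first;
    without 'quick', pf uses last-match-wins and the order would have to be reversed."""
    nets = [str(ipaddress.ip_network(n, strict=False)) for n in allowed]
    return [
        "# Host firewall: inbound SSH only from management subnets (hypothetical anchor)",
        'mgmt = "{ ' + ", ".join(nets) + ' }"',
        f"pass in quick on {iface} proto tcp from $mgmt to any port {port} flags S/SA keep state",
        f"block in quick on {iface} proto tcp from any to any port {port}",
    ]


def cisco_acl(allowed, acl=101, port=22):
    """Return an extended numbered ACL: permit SSH from each management subnet,
    deny all other SSH, permit everything else. Cisco takes wildcard (inverse)
    masks, which ipaddress exposes as .hostmask."""
    lines = []
    for net in (ipaddress.ip_network(n, strict=False) for n in allowed):
        lines.append(f"access-list {acl} permit tcp {net.network_address} {net.hostmask} any eq {port}")
    lines.append(f"access-list {acl} deny tcp any any eq {port}")
    lines.append(f"access-list {acl} permit ip any any")
    return lines


def _take_addr(tokens):
    """Consume one ACL address spec ('any', 'host A.B.C.D', or 'A.B.C.D WILDCARD')
    from the front of `tokens`; return (base, wildcard) as 32-bit integers."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    base = int(ipaddress.ip_address(t))
    wild = int(ipaddress.ip_address(tokens.pop(0)))
    return base, wild


def _addr_match(ip, base, wild):
    """Bits where the wildcard is 0 must equal the base; wildcard-1 bits are don't-care."""
    diff = int(ipaddress.ip_address(ip)) ^ base
    return (diff & ~wild & 0xFFFFFFFF) == 0


def acl_permits(acl_lines, src, dst, proto="tcp", dport=None):
    """First-match evaluation of a numbered extended ACL for one flow.
    Falls through to Cisco's implicit 'deny any' when nothing matches."""
    for line in acl_lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue                      # skip comments / blank lines
        action, aproto = tok[2], tok[3]
        rest = tok[4:]
        s_base, s_wild = _take_addr(rest)
        d_base, d_wild = _take_addr(rest)
        want_port = int(rest[1]) if rest[:1] == ["eq"] else None
        if aproto != "ip" and aproto != proto:
            continue
        if not (_addr_match(src, s_base, s_wild) and _addr_match(dst, d_base, d_wild)):
            continue
        if want_port is not None and want_port != dport:
            continue
        return action == "permit"
    return False


if __name__ == "__main__":
    print("\n".join(pf_rules(MGMT_SUBNETS)))
    print()
    acl = cisco_acl(MGMT_SUBNETS)
    print("\n".join(acl))
    for src in ("10.0.1.50", "192.168.1.9"):
        print(src, "-> ssh permitted:", acl_permits(acl, src, "10.0.5.7", "tcp", 22))
```

Write the pf output to a file, syntax-check it with `sudo pfctl -nf <file>`, and load it with `sudo pfctl -f <file>`; the built-in OS X application firewall filters per application, not per source address, so it cannot express this restriction on its own. Whichever list you feed in must include the subnet of the admin workstations that run Casper Remote, since its screen sharing rides over the same SSH tunnel, and the evaluator is worth running against the deny-first ACL from the earlier reply as well as the permit-first one generated here, because the two are not equivalent for traffic that is neither TCP nor port 22.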