Re: Restrict SSH to local network only except for Git users?

2023-07-27 Thread Stuart Henderson
On 2023-07-27, lain. wrote:
> I have a pretty nifty network setup that allows me to host from home via
> WireGuard.
> But there's one thing I'm struggling with.
> Because for security reasons, I made it impossible for people outside
> the network to connect via SSH, but for Git to function properly, I need
> to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that
> to my home network so they can do stuff like "git pull", "git push", and
> all the other fancy stuff.
>
> My pf.conf rules look like this:
>> pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22
>> pass in on $externalinterface proto tcp from any to $externalip port 22 
>> rdr-to $internalip
>> block in quick on egress proto tcp from any to any port 22

if $externalinterface is the same as "egress" then I think the "block
quick" may override the "pass" without quick.

> And my sshd_config:
>> AllowUsers lain@192.168.0.0/24
>> AllowUsers git@(DOMAIN)
>> AllowUsers git@(PUBLIC IP)
>
> Where exactly am I doing wrong here?

The AllowUsers lines need the source addresses not the destination.
You might want something like "AllowUsers git@0.0.0.0/0".


-- 
Please keep replies on the mailing list.
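The two points above, pf's "last match wins unless quick" ordering over the three quoted rules, and sshd comparing the host part of an AllowUsers user@host entry with the client's source address, modelled in a small script. This is an added example, not code from the thread; the interface name em0 (standing in for both $externalinterface and the egress group), 203.0.113.10 for $externalip and 198.51.100.5 as a remote client are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

EXTERNAL_IF = "em0"           # constructed stand-in for $externalinterface; also the egress NIC
EXTERNAL_IP = "203.0.113.10"  # constructed stand-in for $externalip
@dataclass
class Rule:
    action: str   # "pass" or "block"
    quick: bool
    iface: str    # "wg0", "egress" or EXTERNAL_IF
    src: str      # CIDR or "any"
    dst: str      # address/CIDR or "any"
    dport: int

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def evaluate(rules, iface, src, dst, dport):
    """pf semantics: the last matching rule wins, except that a matching 'quick'
    rule ends evaluation at once; no match at all means pass. rdr-to is not
    modelled: the block rule says 'to any', so it matches before or after translation."""
    decision = "pass"
    for r in rules:
        r_iface = EXTERNAL_IF if r.iface == "egress" else r.iface
        if r_iface != iface or r.dport != dport:
            continue
        if not (_addr_match(r.src, src) and _addr_match(r.dst, dst)):
            continue
        decision = r.action
        if r.quick:
            break
    return decision

# The poster's three rules, with $externalinterface being the egress NIC.
ORIGINAL = [
    Rule("pass", True, "wg0", "192.168.0.0/24", "any", 22),
    Rule("pass", False, EXTERNAL_IF, "any", EXTERNAL_IP, 22),  # the rdr-to rule
    Rule("block", True, "egress", "any", "any", 22),
]
# Same rules with the external pass rule made 'quick', so the later block no longer wins.
FIXED = [ORIGINAL[0], Rule("pass", True, EXTERNAL_IF, "any", EXTERNAL_IP, 22), ORIGINAL[2]]

def allow_users_permits(entries, user, client_ip):
    """sshd AllowUsers 'user@host': host is compared with the client's source
    address (only address/CIDR forms are modelled here, not hostname patterns)."""
    for entry in entries:
        name, _, host = entry.partition("@")
        if name == user and (not host or _addr_match(host, client_ip)):
            return True
    return False
```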



Re: Restrict SSH to local network only except for Git users?

2023-07-27 Thread lain.
I don't think this works when you're hosting a public Git service.
I actually decided to just continue using the VPS that only ran Git.
The reason why I wanted to internalize it was because the server was
getting full, but it turned out that 1 repository by someone who only
mirrors their repository and never logs in was singlehandedly occupying
80% of the entire disk anyway, so I simply booted that repository
off my server.

On 2023-07-26 20:44, Stephen Wiley wrote:
> 
> You might consider keeping your repo in a web/http directory for pulling and
> having your other users submit patches to you via eg email. That way you don't
> need ssh exposed to the public internet at all.
> That's how I have my self hosted git repos set up anyway.
> 
> On Thu, Jul 27, 2023 at 09:24:56AM +0900, lain. wrote:
> > I have a pretty nifty network setup that allows me to host from home via
> > WireGuard.
> > But there's one thing I'm struggling with.
> > Because for security reasons, I made it impossible for people outside
> > the network to connect via SSH, but for Git to function properly, I need
> > to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that
> > to my home network so they can do stuff like "git pull", "git push", and
> > all the other fancy stuff.
> > 
> > My pf.conf rules look like this:
> > > pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22
> > > pass in on $externalinterface proto tcp from any to $externalip port 22 
> > > rdr-to $internalip
> > > block in quick on egress proto tcp from any to any port 22
> > 
> > And my sshd_config:
> > > AllowUsers lain@192.168.0.0/24
> > > AllowUsers git@(DOMAIN)
> > > AllowUsers git@(PUBLIC IP)
> > 
> > Where exactly am I doing wrong here?
> 

-- 
lain.

Did you know that?
90% of all emails sent on a daily basis are being sent in plain text, and it's 
super easy to intercept emails as they flow over the internet?
Never send passwords, tokens, personal information, or other vulnerable 
information without proper PGP encryption!

If you're writing your emails unencrypted, please consider sending PGP 
encrypted emails for security reasons.
You can find my PGP public key at: https://fair.moe/lain.asc

Every good email client is able to send encrypted emails.
If yours can't, then you should consider switching to a secure email client, 
because yours just sucks.

My recommendations are Claws Mail or NeoMutt.
For instructions on how to encrypt your emails:
https://unixsheikh.com/tutorials/gnupg-tutorial.html


Re: Restrict SSH to local network only except for Git users?

2023-07-26 Thread Stephen Wiley


You might consider keeping your repo in a web/http directory for pulling and
having your other users submit patches to you via eg email. That way you don't
need ssh exposed to the public internet at all.
That's how I have my self hosted git repos set up anyway.

On Thu, Jul 27, 2023 at 09:24:56AM +0900, lain. wrote:
> I have a pretty nifty network setup that allows me to host from home via
> WireGuard.
> But there's one thing I'm struggling with.
> Because for security reasons, I made it impossible for people outside
> the network to connect via SSH, but for Git to function properly, I need
> to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that
> to my home network so they can do stuff like "git pull", "git push", and
> all the other fancy stuff.
> 
> My pf.conf rules look like this:
> > pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22
> > pass in on $externalinterface proto tcp from any to $externalip port 22 
> > rdr-to $internalip
> > block in quick on egress proto tcp from any to any port 22
> 
> And my sshd_config:
> > AllowUsers lain@192.168.0.0/24
> > AllowUsers git@(DOMAIN)
> > AllowUsers git@(PUBLIC IP)
> 
> Where exactly am I doing wrong here?



Re: Restrict SSH to local network only except for Git users?

2023-07-26 Thread Aaron Mason
On Thu, Jul 27, 2023 at 10:28 AM lain. wrote:
>
> I have a pretty nifty network setup that allows me to host from home via
> WireGuard.
> But there's one thing I'm struggling with.
> Because for security reasons, I made it impossible for people outside
> the network to connect via SSH, but for Git to function properly, I need
> to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that
> to my home network so they can do stuff like "git pull", "git push", and
> all the other fancy stuff.
>
> My pf.conf rules look like this:
> > pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22
> > pass in on $externalinterface proto tcp from any to $externalip port 22 
> > rdr-to $internalip
> > block in quick on egress proto tcp from any to any port 22
>
> And my sshd_config:
> > AllowUsers lain@192.168.0.0/24
> > AllowUsers git@(DOMAIN)
> > AllowUsers git@(PUBLIC IP)
>
> Where exactly am I doing wrong here?

I suspect you're overthinking this.

Rather than preventing access altogether, turn off password
authentication and use SSH keys for authentication - for the git
accounts, change the shell to git-shell if you haven't already. That
way, bad faith actors can try all they want, they ain't gettin' in
unless they get a hold of someone's key, and even if they do, it's
likely a git key and the shell (barring any security vulns in git)
will prevent them from doing anything not git related.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Restrict SSH to local network only except for Git users?

2023-07-26 Thread lain.
I have a pretty nifty network setup that allows me to host from home via
WireGuard.
But there's one thing I'm struggling with.
Because for security reasons, I made it impossible for people outside
the network to connect via SSH, but for Git to function properly, I need
to allow SSH only for git@(DOMAIN) or git@(PUBLIC IP), and redirect that
to my home network so they can do stuff like "git pull", "git push", and
all the other fancy stuff.

My pf.conf rules look like this:
> pass in quick on wg0 proto tcp from 192.168.0.0/24 to any port 22
> pass in on $externalinterface proto tcp from any to $externalip port 22 
> rdr-to $internalip
> block in quick on egress proto tcp from any to any port 22

And my sshd_config:
> AllowUsers lain@192.168.0.0/24
> AllowUsers git@(DOMAIN)
> AllowUsers git@(PUBLIC IP)

Where exactly am I doing wrong here?