Ubuntu: Allowing VNC only for specific MAC Address?


I just want to allow only a specific MAC address (or addresses) to have VNC access to my Ubuntu 12.10. This would be pretty cool, because I think if I use password authentication + MAC filter = safe.

I saw I could filter for IPs, but how do I do this for MACs? Any ideas or suggestions? Thank you.


Actually that doesn't make it safer at all. MAC addresses can be configured ("spoofed") on most OSs for most NIC models. An attacker could sniff traffic and simply spoof your configured MAC address.

Instead make your VNC listen on loopback and SSH into the machine, using the SSH tunnel feature to connect to VNC.

If you insist on using your insecure method, iptables (netfilter) can do that:

iptables -I INPUT -m mac --mac-source 00:XX:YY:ZZ:AA:BB -j ACCEPT

This rule, added to a chain with a DROP (or REJECT) default policy, would accept from the given MAC only. It can be combined further to check for other parameters as well. Basically I would hand it off to a different chain if I were you, checking first on the upper layers for connections to the relevant port(s) (5900?) and then doing the MAC filtering. After all, you only want to filter this single service to be available from this MAC only - not any service. If you are only interested in the MAC and the port, do:

iptables -I INPUT -p tcp --destination-port 5900 -m mac --mac-source 00:XX:YY:ZZ:AA:BB -j ACCEPT

Note: -m mac requires the module mac (for netfilter), so this has to be available.

I would only use such methods to delist myself from a blacklist. For example, I have configured a tar pit for SSH connection attempts (similar to what sshguard and similar programs do). Just like port knocking, it could make sense to use a certain MAC as a signal to delist (i.e. remove from the blacklist) the connecting IP. But as a security mechanism by itself, no way. Too easy to fake.
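The two pieces of the answer above, as an added example that is not part of the original post or of any VNC or iptables project: a check that the VNC server really listens only on loopback (the precondition for the SSH-tunnel setup), and the dedicated netfilter chain the answer describes, built in dry-run mode so the rules can be read before anything is applied. The chain name VNC_MAC, the script name vnc_mac_filter.sh and the ALLOWED_MAC value are assumptions; the mac match module and the ss utility are assumed to be present.

```shell
#!/bin/sh
# Added example, not the answer's own code. exposed_listeners() reads "ss -ltn"
# output and reports listeners on the VNC port that are not bound to loopback.
# vnc_mac_rules() builds the dedicated chain the answer suggests: only TCP to
# the VNC port is handed to it, one source MAC is accepted there and everything
# else reaching the chain is dropped. Assumptions: iptables with the mac match
# module; ALLOWED_MAC and the chain name VNC_MAC are placeholders. DRY_RUN=1
# (the default) prints the commands instead of running them, so nothing here
# needs root until DRY_RUN=0 is set.

ALLOWED_MAC="${ALLOWED_MAC:-00:XX:YY:ZZ:AA:BB}"   # placeholder, replace before use
VNC_PORT="${VNC_PORT:-5900}"
DRY_RUN="${DRY_RUN:-1}"

# Accept only a well-formed colon-separated MAC; the placeholder fails on purpose.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Read "ss -ltn" lines on stdin; print local addresses that listen on port $1
# and are not loopback. Empty output means the VNC server is reachable only
# through a local process such as an SSH tunnel, which is the recommended setup.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); addr = $4; sub(":" a[n] "$", "", addr)
            if (a[n] == port && addr != "127.0.0.1" && addr != "[::1]") print addr
        }'
}

# Emit (or apply) the MAC-filter chain for one MAC and one port.
# Re-running with DRY_RUN=0 inserts a second hand-off rule into INPUT;
# delete the old one first if the rules are being rebuilt.
vnc_mac_rules() {
    mac="$1"; port="$2"
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    run iptables -N VNC_MAC            # errors harmlessly if the chain already exists
    run iptables -F VNC_MAC
    run iptables -A VNC_MAC -m mac --mac-source "$mac" -j ACCEPT
    run iptables -A VNC_MAC -j DROP
    # Hand off only new connections to the VNC port; other services are untouched.
    run iptables -I INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j VNC_MAC
}

main() {
    ss -ltn 2>/dev/null | exposed_listeners "$VNC_PORT" | while read -r addr; do
        echo "warning: port $VNC_PORT listens on $addr, not only on loopback" >&2
    done
    vnc_mac_rules "$ALLOWED_MAC" "$VNC_PORT"
}

# Run main only when the file is executed directly, not when it is sourced.
case "${0##*/}" in vnc_mac_filter.sh) main "$@" ;; esac
```

Saved as vnc_mac_filter.sh and run as-is, the script prints the rules and stops at the placeholder MAC; with a real MAC and DRY_RUN=0 it needs root. The loopback check is the part worth keeping even if the MAC filter is dropped: once VNC listens only on 127.0.0.1, a client reaches it with an SSH port forward of a local port to 127.0.0.1:5900 on the server, and the MAC match adds nothing the SSH authentication does not already provide.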

