
Re: question about SSH / IPTABLES



Hi,

DEFFONTAINES Vincent wrote:
> 
> 1. Remove the users access to the ssh program
> (eg change ownership and rights of /usr/bin/ssh and create a "ssh" group for
> allowed outgoing ssh users).
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.

no:

debian:~# /usr/local/bin/ssh -V
ssh: SSH Secure Shell 3.0.1 (non-commercial version) on
i586-pc-linux-gnu
debian:~# cp /usr/local/bin/ssh /tmp/ssh
debian:~# chmod -x /tmp/ssh
debian:~# /tmp/ssh -V
su: /tmp/ssh: Permission denied
debian:~# /lib/ld-linux.so.2 /tmp/ssh -V
ssh: SSH Secure Shell 3.0.1 (non-commercial version) on
i586-pc-linux-gnu

You can chroot the user and give him only some specific binaries, so that
the user is no longer able to execute his own code. Then he can't ssh
anymore.

The other way is via the network.
You can deny network usage for the user, for all ports or only for
specific ports.

Is there any packet filter which can block only outgoing ssh sessions?

Regards,
Ralf Dreibrodt

-- 
Mesos            Telefon 49 221 4855798-1
Eupener Str. 150 Fax     49 221 4855798-9
50933 Koeln      Mail    rd@mesos.de
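As an added illustration of the "via network" approach (editor's example, not part of the thread), the Linux iptables "owner" match can restrict outbound SSH to members of one group on the OUTPUT chain. It assumes iptables with the owner match, a group named "sshusers" that already exists, and that the generated commands are run as root.

```shell
#!/bin/sh
# Editor's example, not from the original thread.
# Assumptions: Linux iptables with "-m owner", an existing group "sshusers",
# and root privileges when the printed commands are actually run.

# gen_ssh_egress_rules GROUP PORT
# Prints the iptables commands instead of running them, so the rules can be
# reviewed first and then applied with: gen_ssh_egress_rules sshusers 22 | sh
gen_ssh_egress_rules() {
    group="$1"
    port="${2:-22}"
    # Log denied attempts with the originating UID (--log-uid), then reject.
    # Note: --gid-owner checks the socket's primary group; if "sshusers" is only
    # a supplementary group, newer iptables also need --suppl-groups.
    echo "iptables -A OUTPUT -p tcp --dport $port -m owner ! --gid-owner $group -j LOG --log-prefix 'SSH-OUT-DENY: ' --log-uid"
    echo "iptables -A OUTPUT -p tcp --dport $port -m owner ! --gid-owner $group -j REJECT --reject-with tcp-reset"
}

# Matching only port 22 still lets a user reach an sshd on a non-standard port.
# gen_user_egress_block UID is the stricter "all ports" variant from the reply:
# it rejects every new outbound TCP connection opened by that user.
gen_user_egress_block() {
    uid="$1"
    echo "iptables -A OUTPUT -p tcp --syn -m owner --uid-owner $uid -j REJECT --reject-with tcp-reset"
}

# Dry run: show the per-group rules without applying them.
gen_ssh_egress_rules sshusers 22
```

Rejected attempts show up in the kernel log with the "SSH-OUT-DENY:" prefix and a UID= field, which makes per-user detection straightforward.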