Re: question about SSH / IPTABLES
Hi,
DEFFONTAINES Vincent wrote:
>
> 1. Remove the users access to the ssh program
> (eg change ownership and rights of /usr/bin/ssh and create a "ssh" group for
> allowed outgoing ssh users).
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.
no:
debian:~# /usr/local/bin/ssh -V
ssh: SSH Secure Shell 3.0.1 (non-commercial version) on
i586-pc-linux-gnu
debian:~# cp /usr/local/bin/ssh /tmp/ssh
debian:~# chmod -x /tmp/ssh
debian:~# /tmp/ssh -V
su: /tmp/ssh: Permission denied
debian:~# /lib/ld-linux.so.2 /tmp/ssh -V
ssh: SSH Secure Shell 3.0.1 (non-commercial version) on
i586-pc-linux-gnu
You can chroot the user and give him only some specific binaries, so that
the user is no longer able to execute his own code. Then he can't ssh
anymore.
The other way is via the network.
You can deny network usage for the user, for all ports or only for
specific ports.
Is there any packet filter which can block only outgoing ssh sessions?
Regards,
Ralf Dreibrodt
--
Mesos Telefon 49 221 4855798-1
Eupener Str. 150 Fax 49 221 4855798-9
50933 Koeln Mail rd@mesos.de
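The question at the end of the post (a packet filter that stops only outgoing ssh) is what the iptables "owner" match is for. The script below is an added example, not part of the thread and not anything its authors posted; it assumes Linux iptables with the xt_owner match, which can filter locally generated packets by the uid or gid that owns the socket. The group name "sshusers", the user "alice", the chain names and the script name are placeholders of my own. Because the filter keys on the socket owner rather than on the binary, the noexec bypass shown earlier in the post (running the copied binary through ld-linux.so.2) does not get around it.

```shell
#!/bin/sh
# Added example, not part of the thread above. Assumes Linux iptables with
# the "owner" match (xt_owner), which can filter locally generated packets
# by the uid/gid of the socket owner. Group "sshusers", user "alice" and the
# chain names are illustrative placeholders.
set -eu

# Print the rules that reject new outgoing ssh (tcp/22) connections for
# everyone except members of GROUP and root. The owner match only sees
# locally generated packets (OUTPUT/POSTROUTING), so the hook goes into
# OUTPUT. --syn restricts the check to connection attempts, so established
# flows (e.g. sshd replying to an incoming session) are left alone.
ssh_block_rules() {
    group="$1"
    cat <<EOF
iptables -N OUT_SSH
iptables -A OUTPUT -p tcp --dport 22 --syn -j OUT_SSH
iptables -A OUT_SSH -m owner --gid-owner $group -j RETURN
iptables -A OUT_SSH -m owner --uid-owner root -j RETURN
iptables -A OUT_SSH -j REJECT --reject-with tcp-reset
EOF
}

# Stricter variant: USER may only open outbound TCP connections to the
# listed PORTS. Port 22 is not special here, so ssh to an sshd listening on
# 443 or 2222 is caught as well. iptables chain names are limited to 28
# characters, so keep the user name short.
user_outbound_rules() {
    user="$1"; shift
    chain="OUT_$user"
    echo "iptables -N $chain"
    echo "iptables -A OUTPUT -p tcp --syn -m owner --uid-owner $user -j $chain"
    for port in "$@"; do
        echo "iptables -A $chain -p tcp --dport $port -j RETURN"
    done
    echo "iptables -A $chain -j REJECT --reject-with tcp-reset"
}

# Execute generated rules line by line (needs root and the xt_owner module).
# set -e aborts on the first rule iptables refuses.
apply_rules() {
    while IFS= read -r cmd; do
        $cmd
    done
}

# ./ssh-owner-filter.sh show  [GROUP]   prints the rules
# ./ssh-owner-filter.sh apply [GROUP]   installs them
case "${1:-}" in
    show)  ssh_block_rules "${2:-sshusers}" ;;
    apply) ssh_block_rules "${2:-sshusers}" | apply_rules ;;
esac
```

Two caveats worth keeping in mind: the port-22 rule only catches the default port, which is why the second function whitelists allowed destination ports and rejects everything else for that user; and the owner match cannot see traffic the user sends through a process running as someone else (a proxy or a setuid helper), so it complements, rather than replaces, the chroot approach from the post.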