
Re: question about SSH / IPTABLES




On Sunday 26 January 2003 12:49, Alex wrote:
> On Thursday 23 January 2003 13.45, DEFFONTAINES Vincent wrote:
> > You can
> > 1. Remove the users access to the ssh program
> > (eg change ownership and rights of /usr/bin/ssh and create a "ssh" group
> > for allowed outgoing ssh users).
> > 2. Mount /home, /tmp and any other place users might have write access on
> > with the "noexec" switch, so they can only use binaries installed (and
> > allowed to them) on the system.
>
> Will this noexec thing really work? It was a while ago, but I read that you
> could use something in /usr/lib or something to still be able
> to execute in noexec directories? Is the bug gone?


Not a bug.

duero:~# /lib/ld-2.2.5.so
Usage: ld.so [OPTION]... EXECUTABLE-FILE [ARGS-FOR-PROGRAM...]
You have invoked `ld.so', the helper program for shared library executables.
This program usually lives in the file `/lib/ld.so', and special directives
in executable files using ELF shared libraries tell the system's program
loader to load the helper program from this file.  This helper program loads
the shared libraries needed by the program executable, prepares the program
to run, and runs it.  You may invoke this helper program directly from the
command line to load and run an ELF executable file; this is like executing
that file itself, but always uses this helper program from the file you
specified, instead of the helper program file specified in the executable
file you run.  This is mostly of use for maintainers to test new versions
of this helper program; chances are you did not intend to run this program

So, even if /tmp is noexec, you still can do something like:
/lib/ld-whatever /tmp/program



BTW, I didn't read this thread entirely, but did anyone suggest the use of
iptables with UID match support?



Cheers
Pedro



>
> Alex
>
> > > -----Original Message-----
> > > From: Iñaki Martínez [mailto:debian@euskal-linux.org]
> > > Sent: Thursday 23 January 2003 13:18
> > > To: Charl Matthee
> > > Cc: debian-security@lists.debian.org
> > > Subject: Re: question about SSH / IPTABLES
> > >
> > >
> > > Kaixo Charl Matthee!!!
> > >
> > > > If you want to use iptables then allow incoming ssh
> > >
> > > requests from the
> > >
> > > > relevant hosts and disallow outgoing ssh request from the server:
> > > >
> > > > iptables -A OUTPUT -j REJECT -p tcp --destination-port 22
> > >
> > >  But if the client jumps to another port????
> > >
> > >  $ ssh -p 25 remote_ip
> > >
> > >
> > >  I think there is no COMPLETE solution........
> > >
> > >
> > >  Thanks....
> > >
> > >
> > >

-- 
"Don't tell me I'm burning the candle at both ends -- tell me where to
get more wax!!"
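Pedro's closing suggestion, the iptables owner match, is what makes a per-user egress policy possible without depending on the destination port (which "ssh -p 25" sidesteps). The script below is an added example, not code from the thread; it assumes a group named sshusers exists and that the kernel has the owner match (ipt_owner / xt_owner). Set DRY_RUN=1 to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: allow new outgoing TCP connections only for root and for
# members of one group, using the iptables owner match rather than a port.
# Assumed names: the group "sshusers" (adjust via SSH_GROUP).
SSH_GROUP=${SSH_GROUP:-sshusers}

# Wrapper so the policy can be reviewed (DRY_RUN=1) before it is loaded.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

ssh_egress_rules() {
    # Packets that do not open a connection (replies to inbound sessions,
    # data on established flows) are never touched by this policy.
    ipt -A OUTPUT -p tcp ! --syn -j ACCEPT
    # root and system daemons may still open outbound connections.
    ipt -A OUTPUT -p tcp --syn -m owner --uid-owner 0 -j ACCEPT
    # Members of the allowed group may connect to any port, not only 22.
    ipt -A OUTPUT -p tcp --syn -m owner --gid-owner "$SSH_GROUP" -j ACCEPT
    # Every other local user is refused when opening a new TCP connection;
    # a reset makes the client fail immediately instead of timing out.
    ipt -A OUTPUT -p tcp --syn -j REJECT --reject-with tcp-reset
}

# Number of rules the policy loads; handy for checking a dry run.
rule_count() {
    DRY_RUN=1 ssh_egress_rules | wc -l | tr -d ' '
}
```

The owner match compares the group that owns the socket (the process's effective primary group), not supplementary groups, so users must actually run with sshusers as their active group, e.g. via newgrp or a setgid ssh binary owned by that group, which fits the group-owned /usr/bin/ssh Vincent described earlier in the thread.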


