
Re: question about SSH / IPTABLES



DEFFONTAINES Vincent wrote:
> You can
> 1. Remove the users access to the ssh program
> (eg change ownership and rights of /usr/bin/ssh and create a "ssh" group for
> allowed outgoing ssh users).
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.

Daniel Kobras wrote:
> 3. Kindly ask the users not to run '/lib/ld.so.1 /usr/bin/ssh' (or any
> executable they upload to /home, /tmp, or wherever).

4. Chroot them into a filesystem without any suid/sgid program
5. Put in this chroot jail only static binaries

But far more secure: apt-cache show kernel-patch-2.4-grsecurity

Regards, J.C.
-- 
Jean Christophe ANDRÉ <jean-christophe.andre@auf.org> http://www.vn.refer.org/
Regional technical coordinator / Senior technology associate, Reflets project
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
/ Personal note: please avoid sending me PowerPoint or Word files;          \
\ see here: http://www.fsf.org/philosophy/no-word-attachments.fr.html       /
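
An audit for items 1, 2 and 4 of the list in this message, added here as an example and not part of the original thread. The function names, the jail path and the sample invocation are assumptions; the script reads a mounts table in /proc/mounts format.

```shell
#!/bin/sh
# Added audit sketch for the hardening steps listed in this thread.

# Item 1: succeed if "other" users can still execute the ssh client binary.
world_executable() {
    [ -n "$(find -L "$1" -prune -perm -001 2>/dev/null)" ]
}

# Item 2: print each listed directory that is not mounted with the option.
# $1 = file in /proc/mounts format, $2 = option (e.g. noexec), rest = dirs.
# A directory that is not a separate mount point is reported as well.
missing_mount_opt() {
    table=$1; opt=$2; shift 2
    for dir in "$@"; do
        awk -v d="$dir" -v o="$opt" '
            $2 == d { seen = 1; ok = 0; n = split($4, f, ",")
                      for (i = 1; i <= n; i++) if (f[i] == o) ok = 1 }
            END { if (!seen || !ok) print d }' "$table"
    done
}

# Item 4: list setuid/setgid regular files below the jail root.
suid_sgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# $1 = ssh client path, $2 = jail root, $3 = mounts table.
# Paths are assumed to contain no whitespace.
audit() {
    rc=0
    if world_executable "$1"; then
        echo "FAIL: $1 is executable by users outside its group"; rc=1
    fi
    for d in $(missing_mount_opt "$3" noexec /home /tmp); do
        echo "FAIL: $d is not mounted noexec"; rc=1
    done
    for f in $(suid_sgid_files "$2"); do
        echo "FAIL: suid/sgid file in jail: $f"; rc=1
    done
    return $rc
}

# Example invocation (hypothetical jail path):
#   sh audit.sh /usr/bin/ssh /var/jail /proc/mounts
if [ $# -eq 3 ]; then audit "$@"; fi
```

A clean run covers only these three checks; the loader invocation from item 3 and the static-binary requirement from item 5 are not tested by it.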


