
Re: question about SSH / IPTABLES



On Thursday 23 January 2003 13.45, DEFFONTAINES Vincent wrote:
> You can
> 1. Remove the users access to the ssh program
> (eg change ownership and rights of /usr/bin/ssh and create a "ssh" group
> for allowed outgoing ssh users).
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.

Will this noexec thing really work? It was a while ago, but I read that you
could use something in /usr/lib or something to still be able
to execute in noexec directories? Is the bug gone?

Alex



>
> > -----Original Message-----
> > From: Iñaki Martínez [mailto:debian@euskal-linux.org]
> > Sent: Thursday 23 January 2003 13:18
> > To: Charl Matthee
> > Cc: debian-security@lists.debian.org
> > Subject: Re: question about SSH / IPTABLES
> >
> >
> > Kaixo Charl Matthee!!!
> >
> > > If you want to use iptables then allow incoming ssh requests from the
> > > relevant hosts and disallow outgoing ssh requests from the server:
> > >
> > > iptables -A OUTPUT -j REJECT -p tcp --destination-port 22
> >
> >  But if the client jumps to another port????
> >
> >  $ ssh -p 25 remote_ip
> >
> >
> >  I think there is no COMPLETE solution........
> >
> >
> >  Thanks....
> >
> >
> >
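An audit for the two measures suggested in the quoted advice above, added here as an example and not part of any message in the thread: it reports which user-writable locations are not mounted with noexec, and whether the ssh client is limited to a dedicated group. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the two hardening steps from the thread.
# All function names and the sample data below are hypothetical.

# missing_noexec MOUNTPOINT...
# Reads a mount table in /proc/mounts format on stdin and prints every
# listed mount point that lacks the noexec option. A path that is not a
# separate mount is reported too, because it cannot carry its own noexec.
missing_noexec() {
    awk -v want="$*" '
        { opts[$2] = $4 }              # last entry for a mount point wins
        END {
            n = split(want, mp, " ")
            for (i = 1; i <= n; i++)
                if (("," opts[mp[i]] ",") !~ /,noexec,/) print mp[i]
        }'
}

# client_restricted "LS_LINE" GROUP
# LS_LINE is one line of `ls -ld` output for the ssh binary. Succeeds only
# if the file's group is GROUP and "other" has no execute bit (e.g. 0750).
client_restricted() {
    mode=$(printf '%s\n' "$1" | awk '{ print $1 }')
    group=$(printf '%s\n' "$1" | awk '{ print $4 }')
    [ "$group" = "$2" ] || return 1
    case $mode in
        ?????????[xt]*) return 1 ;;    # 10th character: execute for other
    esac
    return 0
}

# Constructed sample mount table: /home has noexec, /tmp does not,
# and /var/tmp is not a separate filesystem at all.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda5 /home ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda6 /tmp ext3 rw,nosuid,nodev 0 0
EOF
}

# Typical use on a live system:
#   missing_noexec /home /tmp /var/tmp < /proc/mounts
#   client_restricted "$(ls -ld /usr/bin/ssh)" ssh || echo "ssh not restricted"
```

Both checks only confirm that the settings are in place; they do not show whether noexec is enforced for every way of starting a program, which is the question raised in the reply.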


