Linux - Security (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi,
I was wondering if there is a way to set what ports a user can open.
For instance, I have a user named moo.
He wants to run a game on port 1234, so I let him.
Then he starts running a Ventrilo server on port 5590 and another game on port 1286. How would I stop this, and make it so he can only run a program that opens on port 1234?
Thanks,
-Michael.
Assuming only you have root access (in Ubuntu that's via the sudo cmd), set your firewall (see iptables; you might be able to do it through the GUI) to be default closed and only open the ports you need.
So, would that allow him to open on port 1234, or everyone to open on 1234?
Also, what if I have a person who runs their game on port 4321, and he takes it; is that not allowed?
-Michael.
iptables only limits what ports are blocked/not blocked by the system, not per user.
Ports with nums <1024 can only be used by a root level process.
For higher nums, it's first come, first served.
The idea is that if you (as root) block all ports, the other users have to come to you to unblock the port, i.e. you can control who uses which port.
You can definitely do this from the cli & I'd expect Ubuntu to have a gui as well.
You'd still be unable to enforce which user is able to listen on which ports, though. What about doing this with SELinux? Or how about putting these users in virtualized environments and then doing dedicated port-forwarding into each guest?
Hi,
When I did the command listed in number 6, it did give me something about user ids.
Maybe that can be used to block all except one port for a user?
If so, how might I apply it?
Also, I'm kind of new, so how do you find a user id?
I know it told me them when I created the user, but I don't remember it.
Thanks,
-Michael.
lilmike, that post was only meant to show chrism01 that some packets can be matched by the UID/GID of the local process that generated them. Doing so won't allow you to achieve the port listening limitations you seek, though.
FWIW, a UID can be found by looking at the account's line in /etc/passwd (UID and GID are the third and fourth fields, respectively).
Hi,
Ah, I see.
Is there perhaps another program that can do this?
Even if there is not, how can you close ports with iptables?
And would I have to open all the ports I wanted open?
E.G. 80 for webpage, 8080 for mail web access, 22 for ssh, 25 for mail, 110 for mail, all of those?
Then if I do, are there any ports that should be open but that you would not necessarily need to directly configure (like 0 on Windows), that it would be bad to close but you may not know need to be open?
Thanks,
-Michael.
Hi,
I think I found how to block ports.
But, will this make all my currently set rules change?
E.G. I have two IP addresses blocked; will this cause them to have their -j value changed, or remove them, or just do nothing to them?
Code:
iptables -P INPUT REJECT
Then do
Code:
iptables -A INPUT -p tcp --dport <port-to-block-here> -j ACCEPT
So, I think that's how you do it.
Thanks for all help given now and in the future,
-Michael.
Quote:
Originally Posted by lilmike
Hi,
Ah, I see.
Is there perhaps another program that can do this?
Even if there is not, how can you close ports with iptables?
And would I have to open all the ports I wanted open?
One of the many things you can do with iptables is filter packets based on port numbers. This isn't the same as opening and closing ports. A port is open when a process listens on it, and it is closed when a process isn't listening on it.
Quote:
E.G. 80 for webpage, 8080 for mail web access, 22 for ssh, 25 for mail, 110 for mail, all of those?
Then if I do, are there any ports that should be open but that you would not necessarily need to directly configure (like 0 on Windows), that it would be bad to close but you may not know need to be open?
Thanks,
-Michael.
Yes, if you're setting up a firewall on a server, you can tell it which ports you want to be accessible on it. Conversely, if you're setting up a firewall on a client, you can tell it which ports you want it to be able to access on other hosts.
Quote:
Originally Posted by lilmike
Hi,
I think I found how to block ports.
But, will this make all my currently set rules change?
E.G. I have two IP addresses blocked; will this cause them to have their -j value changed, or remove them, or just do nothing to them?
Code:
iptables -P INPUT REJECT
Then do
Code:
iptables -A INPUT -p tcp --dport <port-to-block-here> -j ACCEPT
So, I think that's how you do it.
Thanks for all help given now and in the future,
-Michael.
No, in that example you're actually allowing access to one TCP port on the host, while denying access to everything else. This is at best indirectly related to your original question, and it would be very dangerous for you to play around with firewall rules before understanding them. A good place to start is this tutorial.
I didn't mean the user thing the way it came across. Sorry. What I meant was that as root you can (should) set INPUT as having a default DROP policy
iptables -P INPUT DROP
then explicitly only allow/open ports you need(!). If you are the only root user, then anyone who wants another port opened will have to come to you and ask.
Even if a user runs a prog to bind to another port, if you've blocked it in iptables, it'll be unusable.
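Putting chrism01's default-DROP advice into a script, as an added example (not code posted by anyone in this thread): it assumes the host should keep SSH on 22 reachable and expose only moo's game on TCP 1234, and the IPT variable can be pointed at echo to preview the rules without root.

```shell
#!/bin/sh
# Default-deny INPUT firewall for the scenario in this thread (added example).
# Assumption: only SSH (22) and moo's game (1234) should be reachable from outside.
# Preview without root: IPT=echo ./firewall.sh apply
IPT="${IPT:-iptables}"
ALLOWED_TCP_PORTS="22 1234"   # root's list; a port a user binds that is absent here stays unreachable

apply_firewall() {
    # Flush INPUT and set its default policy. -P only takes ACCEPT or DROP;
    # REJECT is an extension target and is not accepted as a chain policy.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    # Loopback and replies to connections this host initiated must keep flowing.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # One explicit allow rule per exposed port. A Ventrilo server on 5590 or a
    # second game on 1286 still binds locally, but nothing outside can reach it.
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # This cannot tie port 1234 to user moo: the owner match (-m owner --uid-owner)
    # only applies to locally generated packets in OUTPUT, not to what a user may listen on.
}

if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Existing rules already in INPUT are removed by the -F; rules in other chains are untouched.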