LinuxQuestions.org
Old 04-22-2013, 08:04 AM   #1
sholter
LQ Newbie
 
Registered: Feb 2013
Posts: 2

Rep: Reputation: Disabled
Limiting user access to one server in domain


Hi everyone, I've been trying to get an answer to this question. I need to limit external users' access to one server in my domain. Anything I've read has been to use the Allow/Deny users in sshd_config. I want them to be allowed to use server1, but not be able to ssh out to any other servers in the network. Any help would be greatly appreciated.
 
Old 04-22-2013, 08:26 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
The best thing to do is deny them access at the other hosts. This would be part of a proper security posture for those machines.
I think you are going to have trouble trying to deny per-user, outbound SSH capability for a couple of reasons, not the least of which is that nothing is stopping them from running a local copy of the utility from their home space (BTW, they are not dependent upon the system binary). You could block all outbound traffic to destination port 22, but this could have other side effects and is also not guaranteed. Pretty much anything you do on this one server is not going to be a substitute for proper configuration of the other servers.
 
1 members found this post helpful.
Old 04-22-2013, 08:30 AM   #3
sholter
LQ Newbie
 
Registered: Feb 2013
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thanks Noway, that's what I thought might have to happen.
 
Old 04-22-2013, 08:35 AM   #4
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,232

Rep: Reputation: 2024
You can try
Code:
-A OUTPUT -p tcp -m tcp --dport 22 -j DROP
i.e. at the firewall/iptables level.

However, I think we need more info; see the discussion here: http://linux.livejournal.com/1855345.html?nojs=1
One of the things pointed out is that if the users can copy sw onto the box, they can install their own copy of the ssh client and potentially ssh out to a different port than 22, unless that's not a problem in this case.

EDIT: too slow, beaten by Noway
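
An added example, not posted by anyone in this thread: the OUTPUT rule above narrowed to one group of users and widened to every TCP port, using the iptables owner match so that a private copy of the ssh client or a non-22 port is still caught on server1. The group name extusers, the network 10.0.0.0/24 and the log prefix are assumptions for illustration; it complements, and does not replace, denying these users on the other hosts.

```shell
#!/bin/sh
# Added example: emit OUTPUT rules in the same iptables-save format as the rule
# quoted in the thread, restricted to one group instead of every local user.
# Assumptions (not from the thread): group "extusers" is the external users'
# primary group, 10.0.0.0/24 is the internal network, xt_owner is available.

# build_rules GROUP INTERNAL_CIDR -> prints a *filter fragment on stdout
build_rules() {
    group=$1
    cidr=$2
    # Reject empty or unexpected input instead of emitting a broken rule set
    case $group in
        ''|*[!A-Za-z0-9_-]*) echo "bad group: $group" >&2; return 1 ;;
    esac
    case $cidr in
        ''|*[!0-9./]*) echo "bad cidr: $cidr" >&2; return 1 ;;
    esac

    cat <<EOF
*filter
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d $cidr -p tcp -m owner --gid-owner $group -j LOG --log-prefix "ssh-egress-deny: "
-A OUTPUT -d $cidr -p tcp -m owner --gid-owner $group -j REJECT --reject-with tcp-reset
COMMIT
EOF
    # Notes on the fragment:
    #  - no --dport: every TCP port is covered, not only 22
    #  - the owner match is applied by the kernel to the socket's owner, so it
    #    does not matter which ssh binary the user runs
    #  - --gid-owner tests the process's effective group, hence the
    #    primary-group assumption above
    #  - the LOG rule leaves a kernel log line for each refused attempt
}

# Print the fragment for review; load it as root with, for example:
#   build_rules extusers 10.0.0.0/24 | iptables-restore --noflush
build_rules "${1:-extusers}" "${2:-10.0.0.0/24}"
```
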
 
  

