LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-13-2003, 11:00 PM   #1
Shroom
LQ Newbie
 
Registered: Jun 2003
Posts: 5

Rep: Reputation: 0
Question preventing users to make outgoing connections


With the way the job market is, I had a bunch of free time to get a computer together and I am working on creating a free shell account community.

I don't want people to be able to make outgoing connections on my computer, because they like to do things that will get me in trouble.

A lot of shell providers block outgoing connections made by users who aren't supposed to, do they do it using iptables or something else? I can do it with iptables but I'd like to know how other people are doing what I'm trying to do.
 
Old 06-14-2003, 06:40 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790
Yes, you can do it with iptables. But what if iptables for some bizarre and unknown reason fails (don't say it won't happen)? Do you have a second line of defense, or will this be a single point of failure? Besides that, and I'm not about to spread FUD here, but parts of iptables are *still* considered Alpha quality. No one can predict a vulnerability within the Netfilter framework, but we've seen this twice already.

The most secure way I can propose is running a Grsecurity-patched kernel. Grsecurity has a lot of features you will want on a shellserver box to aid you defending your resources.
Some notable features:
- PAX mmap/stack and /dev/kmem protection against *some* forms of exploitation,
- /tmp race protection,
- deny creating (any|client|server) sockets per group of users,
- deny seeing processes outside own UID for any user,
- deny running binaries outside the trusted path (TPE) for a group
- fork protection for users with proper ulimits set,
- extensive auditing and logging
- ACL's on processes.

*If you think this is too much hassle (or features) wrt what you're trying to accomplish, then maybe it's time you evaluate again what you're trying to do... If you think this will be usefull but want some examples, just post a scenario for a typical user on your box and we'll try and whip up a case.
 
Old 06-14-2003, 06:48 AM   #3
Shroom
LQ Newbie
 
Registered: Jun 2003
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks, that was really helpful. I'm definatly going to try Grsecurity, because the way I was doing it seemed not very secure to me.

 
Old 06-14-2003, 07:13 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790
Note this isn't *all* you have to do to secure your shellserver.
Please have a look at the Security references thread.

I invite you to post any other issues you have wrt securing the shellserver in this thread, the total Q&A when finished should make for a nice checklist and good reading for anyone trying to do the same...
 
Old 06-15-2003, 12:03 AM   #5
Shroom
LQ Newbie
 
Registered: Jun 2003
Posts: 5

Original Poster
Rep: Reputation: 0
Today I got the 2.4.21 kernel source and patched it with grsecurity 1.9.10 and then I went and installed gradm 1.9.10. The coolest thing I noticed without doing any hard work is the process list. As a regular user a lot of processes are not visible, and as root you can see it all. I included a snippet to show what I mean:

# ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.6 480 408 ? S 21:17 0:03 init [3]
root 2 0.0 0.0 0 0 ? SW 21:17 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SWN 21:17 0:02 [ksoftirqd_CP
root 4 0.0 0.0 0 0 ? SW 21:17 0:00 [kswapd]
root 5 0.0 0.0 0 0 ? SW 21:17 0:00 [bdflush]
root 6 0.0 0.0 0 0 ? SW 21:17 0:00 [kupdated]
root 9 0.0 0.0 0 0 ? SW 21:17 0:00 [khubd]
root 11 0.0 0.0 0 0 ? SW 21:17 0:00 [kreiserfsd]
.....
root 7279 0.0 3.7 2336 2260 pts/0 S 23:55 0:00 bash
root 27238 0.0 2.4 2732 1520 pts/0 R 23:57 0:00 ps aux

$ ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
sam 32310 0.0 3.6 2344 2248 pts/0 S 21:18 0:00 -bash
sam 7677 0.0 2.4 2728 1516 pts/0 R 23:59 0:00 ps aux
 
Old 06-15-2003, 05:57 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790Reputation: 2790
Yes, neat, innit? :-]
Now have a look at the ACL's. Cummon. Make a few dirs "disappear". Good fun. If you want to commence along the "hardening your distro" path, then make /tmp or some /var/log/files disappear, and see how daemons react to that :-]

Also get aquainted with the audit and logging stuff. That could come in handy as well.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SuSEfirewall - how to block outgoing connections dbraghi Linux - Security 4 04-02-2005 09:08 PM
firewall outgoing connections hotrodowner Linux - Security 2 02-22-2004 12:51 PM
Preventing users to bind server to ports 0-10000 Kostko Linux - Networking 0 08-27-2003 04:58 AM
outgoing connections DonMiner Linux - Networking 2 05-02-2003 09:51 AM
Spurious outgoing connections while browsing LQ the theorist LQ Suggestions & Feedback 1 05-24-2002 10:29 AM


All times are GMT -5. The time now is 02:38 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration