LinuxQuestions.org: Linux - Security forum
01-17-2007, 04:20 AM | #1
Member | Registered: Sep 2006 | Location: Silesia | Distribution: Debian GNU/Linux 4.0, ArchLinux, OpenBSD | Posts: 190
How to block sockets?
I've always wondered how to block sockets on the system for some of the users. I mean, it can be done by Bastille scripts, but I wonder whether there is any other way?
//----
I want something like this:
Code:
open socket: Operation not permitted
01-17-2007, 06:00 AM | #2
Moderator | Registered: May 2001 | Posts: 29,415
Quote:
I mean it can be done by Bastille scripts
Could you explain *what* Bastille Linux does to block users from opening sockets?
Quote:
open socket: Operation not permitted
That's not very interesting IMHO, it's just a printf string. What's interesting is what causes it and whether it can't be subverted.
Quote:
is there any other way?
There are some ways, some more crude / elaborate than others:
- Iptables rules based on UID. Can't add "on demand" per-UID rules, so it's crude IMO.
- Use 'lcap' to take away 'Linux capabilities' like CAP_NET_ADMIN or CAP_NET_BIND_SERVICE ("man capabilities"). Crude: no difference between the root account and other users AFAIK :-] so it breaks about everything.
- Dump the user in a chroot, don't put network-capable apps (that includes Bash) in the chroot, and don't allow users to compile, access or add network-capable applications.
- Use the GRSecurity kernel patch. Gain control over per-user tweaking knobs like who is allowed to use sockets, server sockets or client sockets, and TPE (necessary to deny users the ability to compile, access or add network-capable applications); it can do fine-grained access to apps (RBAC) and control 'Linux capabilities'.
- Use SELinux. More versatile than GRSecurity and has a steeper learning curve. Deny users the ability to transition to the domain of network-capable applications. Could have some rules that affect networking using iptables, but I'm not that far (yet).
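The first option above (per-UID iptables rules) as an added example that is not from the thread: it builds the OUTPUT rules with the iptables owner match for a constructed UID or GID, keeps loopback open so local daemon communication keeps working, and only applies them when explicitly asked. The ids used are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): per-owner egress block with the
# iptables "owner" match. The owner match only exists in the OUTPUT chain,
# i.e. it sees packets a local process sends; it cannot stop a user from
# *listening* on a port, which is where the grsecurity/SELinux options differ.

# Print the rules for one owner without applying them.
# $1 is "uid" or "gid", $2 the numeric id. Rule order matters: the loopback
# ACCEPT must come before the DROP.
owner_block_rules() {
    case "$1" in
        uid) match="--uid-owner $2" ;;
        gid) match="--gid-owner $2" ;;
        *)   echo "usage: owner_block_rules uid|gid ID" >&2; return 1 ;;
    esac
    # Keep loopback open: programs that talk to local daemons over 127.0.0.1
    # would otherwise break (unix-domain sockets are not touched by iptables).
    printf '%s\n' "iptables -A OUTPUT -o lo -m owner $match -j ACCEPT"
    # Rate-limited log line so blocked attempts show up in the kernel log.
    printf '%s\n' "iptables -A OUTPUT -m owner $match -m limit --limit 5/min -j LOG --log-prefix \"owner-block $1=$2: \""
    # Drop the rest. For a dropped packet the sending syscall on a UDP or raw
    # socket fails with EPERM, i.e. "Operation not permitted" as quoted by the OP.
    printf '%s\n' "iptables -A OUTPUT -m owner $match -j DROP"
}

# Number of rules a call would add; handy for checking before applying.
rule_count() { owner_block_rules "$1" "$2" | wc -l | tr -d ' '; }

# Apply for real only when asked (needs root); otherwise just show the rules.
apply_owner_block() {
    if [ "$3" = "--apply" ]; then
        owner_block_rules "$1" "$2" | sh -e
    else
        owner_block_rules "$1" "$2"
    fi
}

# Dry run for UID 1001 (constructed value): prints the three rules.
apply_owner_block uid 1001
```

Verify with the blocked user by sending something that is not to 127.0.0.1 (ping to an outside host reports "sendmsg: Operation not permitted") and by checking that local clients still reach their daemons.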
01-17-2007, 07:15 AM | #3
Member (Original Poster) | Registered: Sep 2006 | Location: Silesia | Distribution: Debian GNU/Linux 4.0, ArchLinux, OpenBSD | Posts: 190
Quote:
Originally Posted by unSpawn
I mean it can be done by Bastille scripts
Could you explain *what* Bastille Linux does to block users from opening sockets?
To be honest, that's what I am really asking in this thread. How is the beautiful Bastille script doing such things?
01-17-2007, 08:07 AM | #4
Moderator | Registered: May 2001 | Posts: 29,415
Quote:
To be honest that's what I am really asking in this thread.
No, you don't. Really.
If you thought you did, go learn how to phrase questions properly.
With all due respect and all that.
01-17-2007, 08:13 AM | #5
Senior Member | Registered: Sep 2005 | Location: Out | Posts: 3,307
Quote:
Originally Posted by avallach
How is the beautiful Bastille script doing such things?
Never seen such a feature in Bastille. You have the bastille-firewall, but I don't think it plays with UIDs.
You know that some applications communicate locally with others, or even with themselves, through sockets?
Which means that some applications might not run anymore after such hardening.
01-17-2007, 01:38 PM | #6
Member (Original Poster) | Registered: Sep 2006 | Location: Silesia | Distribution: Debian GNU/Linux 4.0, ArchLinux, OpenBSD | Posts: 190
Yes, you're right, I made one mistake. Bastille can block it for all users, excluding only root...
Quote:
You know that some applications communicate locally with others or even with themselves through socket?
Which means that some applications might not run anymore after such hardening.
Yeah, I know that; as I said, I wonder how Bastille did it...
Quote:
No, you don't. Really.
If you thought you did, go learn how to phrase questions properly.
My first question in the topic was: how to block sockets. Then I said that Bastille can do such a thing, so I meant that, as a result of using those scripts, I have some of the sockets blocked... So I asked whether there is a way to block them without using Bastille.
I am not a native English speaker, so sometimes I have problems saying what I really have on my mind... So don't get too angry. Still learning... so I will consider your suggestions and watch out when asking someone...
Last edited by avallach; 01-17-2007 at 01:42 PM.
01-17-2007, 05:28 PM | #7
Moderator | Registered: May 2001 | Posts: 29,415
Quote:
So don't get too angry
I apologise without reserve.
01-23-2007, 04:26 AM | #8
Member (Original Poster) | Registered: Sep 2006 | Location: Silesia | Distribution: Debian GNU/Linux 4.0, ArchLinux, OpenBSD | Posts: 190
I chose the grsecurity patch... I have been using grsecurity anyway for some time, but I didn't spend too much time configuring it in the kernel. Now I see that grsecurity can block a group with a selected GID, or you can even choose to deny client or server sockets to some groups. This is enough for me.
Huge thanks!