Old 04-22-2013, 08:04 AM   #1
LQ Newbie
Registered: Feb 2013
Posts: 2

Rep: Reputation: Disabled
Limiting user access to one server in domain

Hi everyone, I've been trying to get an answer to this question. I need to limit external users' access to one server in my domain. Anything I've read has been to use the Allow/Deny users in sshd_config. I want them to be allowed to use server1, but not be able to ssh out to any other servers in the network. Any help would be greatly appreciated.
Old 04-22-2013, 08:26 AM   #2
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 778
The best thing to do is deny them access at the other hosts. This would be part of a proper security posture for those machines.
I think you are going to have trouble trying to deny per user, outbound, SSH capability for a couple of reasons, not the least of which is nothing is stopping them from running a local copy of the utility from their home space (BTW, they are not dependent upon the system binary). You could block all outbound traffic to destination port 22, but this could have other side effects and is also not guaranteed. Pretty much anything you do on this one server is not going to be a substitute for proper configuration of the other servers.
1 members found this post helpful.
Old 04-22-2013, 08:30 AM   #3
LQ Newbie
Registered: Feb 2013
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thanks Noway, that's what I thought might have to happen.
Old 04-22-2013, 08:35 AM   #4
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,396

Rep: Reputation: 2395
You can try
-A OUTPUT -p tcp -m tcp --dport 22 -j DROP
i.e. at the firewall/iptables level.

However, I think we need more info, see the discussion here
One of the things pointed out is that if the users can copy sw onto the box, they can install their own copy of the ssh client and potentially ssh out to a different port than 22, unless that's not a problem in this case.

EDIT: too slow, beaten by Noway
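
An added example, not part of the original thread: a shell script that generates both controls discussed above, a DenyUsers line for the other servers and per-user OUTPUT rules for server1 that refuse everything the external accounts originate rather than only port 22. The user names alice and bob, the address 192.0.2.53 and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample values: users
# alice and bob, allowed destination 192.0.2.53 (e.g. a DNS resolver).

# Reject names that could smuggle extra options into a generated line.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid user name: $1" >&2; return 1 ;;
    esac
}

# For the OTHER servers (post #2's advice): one sshd_config line that
# refuses logins for the external accounts.
gen_sshd_deny() {
    [ $# -gt 0 ] || return 1
    for u in "$@"; do valid_name "$u" || return 1; done
    printf '%s\n' "DenyUsers $*"
}

# For server1: OUTPUT rules in the same syntax as the rule in post #4.
# They match on the socket owner's UID, so they cover every destination
# port and a privately installed ssh client as well as the system binary.
# usage: gen_egress_rules USER [ALLOWED_IPV4_OR_CIDR...]
gen_egress_rules() {
    user=$1
    shift
    valid_name "$user" || return 1
    for dest in "$@"; do
        case $dest in
            ''|*[!0-9./]*) echo "invalid destination: $dest" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "-A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
    for dest in "$@"; do
        printf '%s\n' "-A OUTPUT -d $dest -m owner --uid-owner $user -j ACCEPT"
    done
    # Final rule: anything else this user originates is refused.
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $user -j REJECT"
}

# Print the generated configuration for review before applying it.
gen_sshd_deny alice bob
for u in alice bob; do
    gen_egress_rules "$u" 192.0.2.53
done
```

Each generated rule line can be applied by prefixing it with iptables; the DenyUsers line belongs in sshd_config on the other servers.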

