Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
10-01-2007, 05:45 PM
|
#1
|
Member
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174
Rep:
|
Locking down ssh
I have a requirement where a user should be allowed to ssh into a server and NOT be allowed to ssh or telnet out of the server.
Without having to uninstall these clients, how do I turn these clients off?
I also need to do this in Solaris, so if you know how, please share.
Chris
|
|
|
10-01-2007, 06:18 PM
|
#2
|
Senior Member
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873
|
This is basically an access control issue. Very often access control can be accomplished by using secondary user groups. I would do these steps on both machines. This will work on Linux and Solaris and any other *nix.
I would create a user group for each of the utilities. One user group called ssh and another user group called telnet.
Then I would change the ownership of each of these utilities so that root is the individual owner account and the user group matching the name of each utility is the group owner of the utility.
Then I would ensure that the permissions on each of these utilities is 750.
Then on the first machine I would add the ssh user group to the user account in question.
Now we have an environment where a user account has to be a member of the group that owns each of these utilities in order to use them. Since the user account on the first machine is a member of the ssh user group that user will be able to use the ssh utility. No user accounts are members of the telnet user group so no user will be able to use telnet. The user account on the second machine is not a member of the ssh or the telnet user groups so that user account will not be able to use either the ssh or the telnet utilities on the second machine. Naturally you have to add these user groups to all of the user accounts that need to access these utilities.
User groups are great for access control.
Last edited by stress_junkie; 10-01-2007 at 06:23 PM.
|
|
|
10-01-2007, 09:04 PM
|
#3
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Another option is to use iptables to prevent the user from starting outgoing connections. Example:
Code:
iptables -I OUTPUT -o eth0 -m owner --uid-owner win32sux \
-m state --state NEW -j REJECT
Last edited by win32sux; 10-01-2007 at 09:06 PM.
|
|
|
10-01-2007, 09:49 PM
|
#4
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,870
|
Of the various solutions that have been offered, the most sensible one to me seems to be the one that's based on iptables, because the requirement that "a user should be allowed to ssh into a server and NOT be allowed to ssh or telnet out of the server" seems (to me...) to be a requirement that would most-easily be achieved by filtering the TCP/IP traffic, not (if indeed it were possible...) the applications involved.
If the TCP/IP packets associated with incoming SSH traffic were permitted, while those associated with outgoing traffic were blocked, the objective would be reached. "Q.E.D."
|
|
|
10-02-2007, 12:49 AM
|
#5
|
Member
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174
Original Poster
Rep:
|
Are there any changes in the configuraton files that can be done to turn off telnet & SSH clients?
Chris
|
|
|
10-02-2007, 09:40 AM
|
#6
|
Senior Member
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873
|
I don't understand how I read the original post to mean one thing and everyone else read it to mean something different. I thought that the original post asked how to create this restriction for a particular user account. Everybody else read it to mean that all users should have this restriction. Corrado's follow up question seems to indicate that the second interpretation was correct. I just don't get how this happened. Since this happens pretty frequently I think I'll stop coming here and wasting my time. I guess my understanding of English is different than everybody else's.
Last edited by stress_junkie; 10-02-2007 at 09:42 AM.
|
|
|
10-02-2007, 01:07 PM
|
#7
|
Member
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174
Original Poster
Rep:
|
I probably should have been more specific and stated that I was looking for a software client solution. I am very appreciative to all those who contribute.
Chris
|
|
|
10-02-2007, 06:51 PM
|
#8
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by stress_junkie
I thought that the original post asked how to create this restriction for a particular user account.
|
I did too. My example would only restrict win32sux. Other users wouldn't be affected by the rule.
|
|
|
10-02-2007, 07:06 PM
|
#9
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Would restricting outgoing ssh connections prevent the use of scp or sftp?
|
|
|
10-02-2007, 08:35 PM
|
#10
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by jschiwal
Would restricting outgoing ssh connections prevent the use of scp or sftp?
|
Yes. But with iptables it's hard if one only wants to prevent outgoing SSH, while allowing other types of traffic for the user. I mean, filtering port 22 isn't an effective way to prevent SSH/SCP/SFTP usage, as SSH dameons can listen on any port. My example simply denies the user the ability to start any outgoing connections at all. If certain outbound access does indeed need to be allowed for the user, then one can add rules for that. But one needs to be extremely careful to not add a rule that would allow the user to use sneakiness to SSH somewhere. This would more than likely involve IP whitelisting in one way or another.
Last edited by win32sux; 10-02-2007 at 09:02 PM.
|
|
|
10-09-2007, 08:40 PM
|
#11
|
Member
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174
Original Poster
Rep:
|
Are there any changes in configuration files I could make on the client side, other than having to close ports or use iptables?
I believe there is such a way in server services. (/etc/xinit.d/telnet)
Chris
|
|
|
10-10-2007, 06:54 AM
|
#12
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by Corrado
Are there any changes in configuration files I could make on the client side, other than having to close ports or use iptables?
|
You can adjust the ownership scheme, as suggested by stress_junkie.
Quote:
I believe there is such a way in server services.
|
Yeah but client programs are a different matter.
Last edited by win32sux; 10-10-2007 at 08:46 AM.
|
|
|
10-12-2007, 02:00 AM
|
#13
|
Member
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174
Original Poster
Rep:
|
Security is telling me that telnet client has to be disabled.
I attempted to remove the telnet client
But I see that it still remains as
Why is this?
Will removing kerberos break everything?
Chris
|
|
|
10-17-2007, 01:09 AM
|
#14
|
Member
Registered: Aug 2004
Location: Washington
Distribution: RHEL
Posts: 174
Original Poster
Rep:
|
Anyone know the answer to the above? bump
|
|
|
10-18-2007, 01:40 PM
|
#15
|
Member
Registered: Oct 2007
Distribution: rhel, fedora, gentoo, ubuntu, freebsd
Posts: 104
Rep:
|
Quote:
Originally Posted by Corrado
Anyone know the answer to the above? bump
|
Kerberos may or may not be important, depending on your system setup.
If you're in an environment with kerberos (eg: authenticating against active directory), taking out kerberos will break everything. If you're standalone, then it should be harmless.
I'd recommend chmod 700'ing or 000'ing the telnet client in question and seeing if it breaks anything over a couple days. Ripping out the whole kerberos system over its telnet client sounds ... rash.
I'd also say check back with your security folks and ask what the heck they actually want to accomplish. Telnet's a simple protocol, and just about any socket app can be used as a telnet client (eg: nc). If the system has a compiler on it, people can put the source for a telnet/ssh client on it and build it for themselves. If they've got write access to their own home directories, they can put their own ssh clients on the system, even if they can't compile them.
In other words, restricting access to the binary is a relatively stupid solution that only complies with the letter, not the spirit of the policy. Restricting new outgoing connections (eg: with iptables), on the other hand, would comply with the spirit of the policy.
|
|
|
All times are GMT -5. The time now is 07:38 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|