LinuxQuestions.org
Old 02-18-2004, 08:59 AM   #1
ErocM
LQ Newbie
 
Registered: Feb 2004
Posts: 1

Rep: Reputation: 0
Restricting SSH Access


I was wondering if there is a way to restrict access in ssh. More specifically I was wondering if I can prevent a user from going anywhere outside their home directory and "roaming" around where they shouldn't.

I tested this as a test user and I couldn't execute or view anything but I could change directories and list them wherever I pleased as long as it wasn't root access specific.

I don't want them changing directory out of their home directory at all...

Any ideas?

Thanks,
ErocM
 
Old 02-18-2004, 09:34 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I think what you're looking for is called a chroot jail. Check out the guide Markus1982 put together:

http://www.linuxquestions.org/questi...hreadid=140806

And this portion of unSpawn's Security References:
http://www.linuxquestions.org/questi...598#post222598

Hope that helps.
 
Old 02-18-2004, 06:58 PM   #3
VioLaToR
Member
 
Registered: Aug 2002
Distribution: ArchLinux 2007.08 / Slackware 11.0
Posts: 58

Rep: Reputation: 15
To restrict access, just use the /etc/hosts.allow and /etc/hosts.deny files.

Simply place this in your hosts.deny file:

ALL:ALL

to keep out everyone.

Then to allow only certain IP addresses to have access to a connection on your box, use the hosts.allow and add in entries like this:


ALL:127.0.0.1
ALL:192.168.0.
ALL:172.135.
ALL:65.


You should most likely have the 127.0.0.1 entry in there always. Just add in the IP addresses you trust. You can use the class A, B, C in the different examples like I did.

Now your box will check the hosts.allow for a matching rule first, then pass it to hosts.deny if there is nothing matching in the allow section. That means that the ALL:ALL entry will be checked AFTER your allowed IP addresses are checked.

I hope that will at least help you with the unwanted connections. As for the roaming around, I think capt caveman's ideas are good ideas.
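
The lookup order described in the post above, as an added example that is not part of the original thread: a simplified Python model of the TCP wrappers check, fed with the rules as posted. The function names and the sample client addresses are constructed for illustration, and only `ALL`, exact addresses and trailing-dot prefixes are modelled.

```python
# Added example: simplified model of the TCP wrappers (hosts_access) lookup order.
# Handles only "daemon_list : client_list" rules with ALL, exact addresses and
# trailing-dot prefixes; EXCEPT, netmasks, hostnames and options are not modelled.

HOSTS_ALLOW = """\
ALL:127.0.0.1
ALL:192.168.0.
ALL:172.135.
ALL:65.
"""

HOSTS_DENY = """\
ALL:ALL
"""

def parse_rules(text):
    """Turn file text into a list of (daemon_list, client_list) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # "192.168.0." matches 192.168.0.*
        return addr.startswith(pattern)
    return addr == pattern

def first_match(rules, daemon, addr):
    for daemons, clients in rules:
        if ("ALL" in daemons or daemon in daemons) and \
           any(client_matches(p, addr) for p in clients):
            return daemons, clients
    return None

def decide(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is searched first, then hosts.deny; no match means access."""
    if first_match(parse_rules(allow_text), daemon, addr):
        return "allow (hosts.allow)"
    if first_match(parse_rules(deny_text), daemon, addr):
        return "deny (hosts.deny)"
    return "allow (no rule matched)"

if __name__ == "__main__":
    # Constructed client addresses.
    for addr in ["127.0.0.1", "192.168.0.17", "192.168.1.17", "65.200.3.4", "203.0.113.9"]:
        print(f"sshd from {addr:<13} -> {decide('sshd', addr)}")
```

A trailing-dot pattern such as `65.` matches every address whose first octet is 65, so each prefix in hosts.allow should be as narrow as the hosts that are actually trusted.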
 
Old 02-20-2004, 02:51 AM   #4
comp12345
Member
 
Registered: Feb 2004
Posts: 467

Rep: Reputation: 30
Quote:
Originally posted by VioLaToR
To restrict access, just use the /etc/hosts.allow and /etc/hosts.deny files.

Simply place this in your hosts.deny file:

ALL:ALL

to keep out everyone.

Then to allow only certain IP addresses to have access to a connection on your box, use the hosts.allow and add in entries like this:


ALL:127.0.0.1
ALL:192.168.0.
ALL:172.135.
ALL:65.


You should most likely have the 127.0.0.1 entry in there always. Just add in the IP addresses you trust. You can use the class A, B, C in the different examples like I did.

Now your box will check the hosts.allow for a matching rule first, then pass it to hosts.deny if there is nothing matching in the allow section. That means that the ALL:ALL entry will be checked AFTER your allowed IP addresses are checked.

I hope that will at least help you with the unwanted connections. As for the roaming around, I think capt caveman's ideas are good ideas.

You're trying to restrict login access to the machine. The OP is trying to restrict access to a user's home directory after they log in.
 
Old 02-20-2004, 11:52 AM   #5
VioLaToR
Member
 
Registered: Aug 2002
Distribution: ArchLinux 2007.08 / Slackware 11.0
Posts: 58

Rep: Reputation: 15
Quote:
Originally posted by comp12345
You're trying to restrict login access to the machine. The OP is trying to restrict access to a user's home directory after they log in.

That was why I said:

Quote:
As for the roaming around, I think capt caveman's ideas are good ideas.

I was giving some MORE ways to shut things out.
 
  

