Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I want to give about 30 users to some people I don't trust at all on my server. I want them to be able to use their accounts with SSH for tunneling. They must not be able to see what's going on inside the server or execute commands. I thought of "chmod o-xr -R /" but I think it's not a good option, since other programs must be able to see some things. Any suggestions? I saw something like "bash=/bin/null" somewhere a long time ago, but I don't remember what it was and can't find it anymore.
Need clarity on what you mean by "ssh tunneling". Do you mean tunneling of applications, or just that the ssh session is "tunneled" because it's encrypted? What exactly do you mean by "they must not be able to see what's going on inside the server"? They can't run top or vmstat? If the system is in good perms shape then there shouldn't be an issue, etc. Do you run SELinux?
No need to get overly complicated.
Create groups, allow only those groups to ssh (lock down ssh via sshd_config, etc).
Then configure sudo to allow those groups to do certain things, etc.
I chmod 700 su so only my sysadmins can sudo su, etc.
Many internet websites are filtered in Iran and we can't visit them. We used VPNs (PPTP, IPSec, etc.) to access internet of offshore servers, but now even VPN ports are blocked. ssh is seeming very nice now: this command "ssh -D 1234 -C user@myserver" and setting system proxy to 127.0.0.1:1234 allows me to surf the web now, but giving away user accounts to others is not a good idea. Some issues here are disk space, bandwidth and security problems. I set other users' default bash to this script:
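#!/bin/sh
# Login shell for the tunnel accounts: show a prompt, wait for Enter, exit.
# printf + read replaces "read -p", a bash extension that fails under POSIX sh.
printf 'Some prompt'
read -r _
exit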
So now people can't use bash, but I'm not sure if it's enough to avoid disasters. I want them to be able to use tunneling only, nothing else.
Sorry for my poor English, I just can't find words to describe my problem.
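An added example, not part of the original thread: replacing the login shell does not change sshd's own per-account settings, so this check reads the effective settings for one account (the "keyword value" lines that `sshd -T -C user=NAME` prints) and flags anything beyond local port forwarding. The keywords are real sshd_config directives; the function names, the two sample inputs and the /usr/sbin/nologin path are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Input: effective settings for one
# account, in the "keyword value" form that `sshd -T -C user=NAME` prints.
# Prints one FAIL line per problem; returns 0 only if forward-only.
audit_tunnel_only() {
    awk '
        function need(k, want) {
            if (val[k] != want) {
                printf "FAIL %s is \"%s\", want \"%s\"\n", k, val[k], want
                bad = 1
            }
        }
        { key = $1; $1 = ""; sub(/^ /, ""); val[key] = $0 }
        END {
            need("permittty", "no")             # no interactive terminal
            need("x11forwarding", "no")
            need("allowagentforwarding", "no")
            need("permittunnel", "no")          # no tun(4) devices
            need("permituserrc", "no")          # ignore ~/.ssh/rc
            need("gatewayports", "no")
            # A forced command overrides any command or subsystem (sftp) request.
            if (val["forcecommand"] == "" || val["forcecommand"] == "none") {
                print "FAIL forcecommand is not set"; bad = 1
            }
            # -D and -L still work with "local"; remote (-R) forwards do not.
            if (val["allowtcpforwarding"] != "local")
                { print "FAIL allowtcpforwarding should be \"local\""; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: OpenSSH defaults, i.e. only the login shell was replaced.
sample_shell_only() {
    printf '%s\n' 'permittty yes' 'x11forwarding no' 'allowagentforwarding yes' \
        'permittunnel no' 'permituserrc yes' 'gatewayports no' \
        'forcecommand none' 'allowtcpforwarding yes'
}

# Constructed sample: what a Match Group block with these directives yields.
sample_locked_down() {
    printf '%s\n' 'permittty no' 'x11forwarding no' 'allowagentforwarding no' \
        'permittunnel no' 'permituserrc no' 'gatewayports no' \
        'forcecommand /usr/sbin/nologin' 'allowtcpforwarding local'
}

sample_shell_only | audit_tunnel_only || echo "shell-only sample: not forward-only"
sample_locked_down | audit_tunnel_only && echo "locked-down sample: OK"
```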
many internet websites are filtered in Iran and we can't visit them. we used VPNs (PPTP, IPSec, etc) to access internet of offshore servers, but now even VPN ports are blocked
Unfortunately, this topic goes against rule 14 in that it is a topic that can be damaging to LQ's reputation. Regardless of how sympathetic we may be to your cause, topics involving circumventing government restrictions are not permitted. This thread has been reported to the moderators.