Linux - Security (LinuxQuestions.org forum): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-03-2007, 05:27 AM | #1 | Member | Registered: Feb 2007 | Location: Bangalore, India | Distribution: Fedora Core 6 | Posts: 41
User based IP filtering?
Hello All,
I wonder whether it is possible to perform user-based IP filtering in a proxy server. For example,
P->Proxy server
A->Server in Network 1
B1->Server in Network 2
B2->Server in Network 2
....
B1000->Server in Network 2
A->P->B1
I want to allow ssh connections only to the user "bala@B1" from "linux@A" and not for "kris@B1" from "linux@A". So this is basically binding user-based access with IP filtering.
Can this be done using a proxy, instead of using any setting on server B like PAM or ssh deny?
I know that in iptables I can write a rule to allow or deny based on IP address. I want to know whether there is any way to provide this from a gateway server.
Please let me know if you need further information on this.
Thanks.
08-03-2007, 05:35 AM | #2 | Senior Member | Registered: Sep 2005 | Location: France | Distribution: approximately NixOS (http://nixos.org) | Posts: 1,900
I think it is not possible (and it mustn't be possible in this way). SSH is called secure because it is encrypted. All that the proxy can know is that it relays data from one box to another using TCP ports this-and-that. The user name in an ssh session is just a piece of data that is transmitted after establishing the secure (encrypted) connection. A proxy that gets it out of the stream is a proxy that breaks encryption. And ssh protocol version 2 is still considered to be secure.
08-03-2007, 06:14 AM | #3 | Member | Registered: Feb 2007 | Location: Bangalore, India | Distribution: Fedora Core 6 | Posts: 41 | Original Poster
Oh... But I don't want to establish an SSH connection if I find that the user name is not the one I wanted to allow. If you could give me some links which talk about this requirement, that would be great. I am ready to modify either the SSH source code or iptables/proxy to achieve this. Please let me know; I need to achieve this some way.
Thanks.
08-03-2007, 06:25 AM | #4 | Senior Member | Registered: Sep 2005 | Location: France | Distribution: approximately NixOS (http://nixos.org) | Posts: 1,900
Which of the boxes A, B and P are under your control? Do you still need to enable all features of SSH? Do you really need to distinguish target users (on B), or is it enough just to forbid SSH to some users on A? You can disable NAT on the proxy, so that the only way to get from A to B is through real proxying. Password-protect your proxy and store the password on A in a place that is accessible only by root. Then write a script that will add an option with the correct password (taken from the secret file) to its own option list and run ssh if it finds the user@host string acceptable or if it is run by a "good" user. Allow "good" users to use sudo on this script.
08-03-2007, 06:41 AM | #5 | Member | Registered: Feb 2007 | Location: Bangalore, India | Distribution: Fedora Core 6 | Posts: 41 | Original Poster
Sorry. I didn't understand it well.
For the example, I have taken it as SSH. It may be any service like ftp, telnet and so on. I have control of all three machines in a test environment. The software that I am looking for is to provide user-based access on B servers. I want to take complete control in P itself. I will in turn configure server A to use P as a proxy server for SSH or for anything that it needs to connect to B servers. Actually I need to have control based on users at both ends, i.e. in A and B. This can be achieved through PAM settings on B servers. But instead of controlling through individual servers, I need a centralized way; that's why we thought of implementing software on the proxy to take care of this control.
Thanks.
08-03-2007, 07:12 AM | #6 | Senior Member | Registered: Sep 2005 | Location: France | Distribution: approximately NixOS (http://nixos.org) | Posts: 1,900
As long as P has already let A and B establish an ssh connection, it cannot see any of its content. The user name will come into play later.
Maybe you can do it if P is a password-protected proxy, and to get a password you need to submit the command you want to run. Surely, if users can submit commands themselves, they can cheat and run a slightly different command later, so you need to have a sudo script that will submit a command to a checking service on P and will run exactly this command with the correct proxy password if the checker agrees. Also you need to include some password just when submitting, but you can store it in a file readable only by root.
08-03-2007, 08:23 AM | #7 | Member | Registered: Feb 2007 | Location: Bangalore, India | Distribution: Fedora Core 6 | Posts: 41 | Original Poster
I need not worry about the command that he is running, because I have modified bash such that it will allow only limited commands. So I will give my restricted shell to the user who logs in. The thing is, I need to have time-based and IP-based access. I can even handle this from the modified shell. But if it is possible to restrict at the proxy level, then that would solve our problem easily.
Anyway, thanks for your help.
I am sure I will get this done in a few days. I'm looking for some software and will modify it to achieve my requirement.
If you find some method to do this, please let me know.
Some try with LDAP on the proxy machine is also being done to achieve this.
Let's see whether LDAP suits or not.
Thanks
08-03-2007, 03:23 PM | #8 | Senior Member | Registered: Sep 2005 | Location: France | Distribution: approximately NixOS (http://nixos.org) | Posts: 1,900
A proxy cannot extract information about source and target users (on A and on B) from an SSH data connection. But both of them are known to the ssh program. So the only reasonable way to keep decision-making on the proxy server is to make the ssh program on A (itself or with the help of a script) consult a special decision-making permission server on P.
Edit: I think that there is no widespread program for this, as I think that it is some (notable though not deadly yet) hit for the very idea of ssh.
Last edited by raskin; 08-03-2007 at 03:24 PM.
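The wrapper approach from #4 and #8 (ssh on A, or a script around it, checks the source user and target user@host before connecting, with the decision data kept centrally), written out as an added example that is not code from the thread. It assumes a hypothetical policy file `/etc/ssh-policy/rules` (overridable with `SSH_POLICY_FILE`) that P distributes to the A hosts, and uses the thread's names `linux`, `bala`, `kris` and `B1` only in a constructed sample policy.

```shell
#!/bin/sh
# Added example, not code from the thread: an ssh wrapper for host A that refuses
# to start ssh unless a policy allows <source user> -> <target user@host>.
# Hypothetical policy format, one rule per line, first match wins, no match = deny:
#   allow|deny <source_user or *> <target_user@host or *>
POLICY_FILE="${SSH_POLICY_FILE:-/etc/ssh-policy/rules}"

# write_sample_policy FILE: constructed rules using the thread's example names.
write_sample_policy() {
    printf '%s\n' '# sample policy (constructed)' \
        'allow linux bala@B1' 'deny linux kris@B1' 'allow root *' > "$1"
}

# check_policy SRC_USER TARGET -> exit status 0 = allow, 1 = deny
check_policy() {
    src="$1"; target="$2"
    [ -r "$POLICY_FILE" ] || return 1                  # unreadable policy: fail closed
    while read -r verdict rule_src rule_target; do
        case "$verdict" in ''|'#'*) continue ;; esac   # blank lines and comments
        [ "$rule_src" = '*' ] || [ "$rule_src" = "$src" ] || continue
        [ "$rule_target" = '*' ] || [ "$rule_target" = "$target" ] || continue
        if [ "$verdict" = allow ]; then return 0; else return 1; fi
    done < "$POLICY_FILE"
    return 1
}
# log_decision MSG: syslog via logger when available, else stderr.
log_decision() {
    if command -v logger >/dev/null 2>&1; then logger -t ssh-policy "$1"
    else echo "ssh-policy: $1" >&2; fi
}
# guarded_ssh USER@HOST [ssh options...]: the source user is SUDO_USER when run through
# sudo (as #4 suggests), else the caller; only user@host is accepted so the target is checked.
guarded_ssh() {
    target="$1"; shift
    case "$target" in
        *@*) ;;
        *) echo "usage: guarded_ssh user@host [ssh options]" >&2; return 2 ;;
    esac
    src="${SUDO_USER:-$(id -un)}"
    if check_policy "$src" "$target"; then
        log_decision "allow $src -> $target"
        exec ssh "$target" "$@"
    fi
    log_decision "deny $src -> $target"
    echo "ssh to $target is not permitted for $src" >&2
    return 1
}
# Act as the wrapper only when given arguments; sourcing just defines the functions.
[ "$#" -eq 0 ] || guarded_ssh "$@"
```

To move the decision to P as #8 asks, either have P serve the policy file to every A host or replace the file read in `check_policy` with a query to a service on P; the wrapper and its sudo rule on A stay the same.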
08-05-2007, 11:31 PM | #9 | Member | Registered: Feb 2007 | Location: Bangalore, India | Distribution: Fedora Core 6 | Posts: 41 | Original Poster
In the example I showed you, server A may be more than 100 servers and B more than 500 servers. Writing scripts on this client side will lead to an unwanted headache later, so I'm looking for some centralized control approach to handle this problem. If nothing is found, then we have planned to use PAM on all 500 B servers to control it effectively.
Thanks.
08-06-2007, 01:13 AM | #10 | Senior Member | Registered: Sep 2005 | Location: France | Distribution: approximately NixOS (http://nixos.org) | Posts: 1,900
Well, I understood that you were ready to modify even ssh. Surely if you have that many boxes you need to have some centralized deployment. What is sure is that there is no way to filter by user names on A unless ssh (or its wrapper) gives it away (in a non-standard way; it doesn't by default); and the only two hosts that can filter by B user names are A and B (they may ask P in the process).
08-06-2007, 01:29 AM | #11 | Member | Registered: Feb 2007 | Location: Bangalore, India | Distribution: Fedora Core 6 | Posts: 41 | Original Poster
http://www.nufw.org/
Please look at the above link. I'm currently looking into this tool. It seems to help me a bit. If you have some ideas, please let me know.
08-06-2007, 01:48 AM | #12 | Senior Member | Registered: Sep 2005 | Location: France | Distribution: approximately NixOS (http://nixos.org) | Posts: 1,900
Looks good. It is probably a good solution to disclose user names on host A to the filtering software. And if you also store PAM configurations for B on P, you will have all the settings centralized. You will probably need to add nuaclgen entries to cron for time-based policy changes.
08-06-2007, 01:53 AM | #13 | Member | Registered: Feb 2007 | Location: Bangalore, India | Distribution: Fedora Core 6 | Posts: 41 | Original Poster
Yes it is... For time-based policy changes, I planned to provide a user interface on P so that only admins can log in and change the policy. I just started to look into that tool; I think this is a great tool to help me.
Last edited by Balakrishnan84; 08-06-2007 at 01:59 AM.