LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  08-03-2007, 05:27 AM
Balakrishnan84 (Member; registered Feb 2007; Bangalore, India; Fedora Core 6)
User based IP filtering?

Hello All,
I wonder whether it is possible to perform user-based IP filtering in a proxy server. For example,
P->Proxy server
A->Server in Network 1
B1->Server in Network 2
B2->Server in Network 2
....
B1000->Server in Network 2

A->P->B1

I want to allow ssh connections only to the user "bala@B1" from "linux@A" and not for "kris@B1" from "linux@A". So this is basically binding user-based access with IP filtering.
Can this be done using a proxy, instead of using any setting on server B like PAM or ssh deny?
I know that in iptables I can write a rule to allow or deny based on IP address. I want to know whether there is any way to provide this from a gateway server.
Please let me know if you need further information on this.
Thanks.
 
#2  08-03-2007, 05:35 AM
raskin (Senior Member; registered Sep 2005; France; approximately NixOS (http://nixos.org))
I think it is not possible (and it mustn't be possible in this way). SSH is called secure because it is encrypted. All that the proxy can know is that it relays data from one box to another using TCP ports this-and-that. The user name in an ssh session is just a piece of data that is transmitted after establishing the secure (encrypted) connection. A proxy that gets it out of the stream means a proxy that breaks the encryption. And ssh protocol version 2 is still considered to be secure.
 
#3  08-03-2007, 06:14 AM
Balakrishnan84 (Original Poster)
Oh... But I don't want to establish an SSH connection if I find that the user name is not the one I wanted to allow. If you could give me some links which talk about this requirement then it would be great. I am ready to modify either the SSH source code or iptables/proxy to achieve this. Please let me know; I need to achieve this some way.
Thanks.
 
#4  08-03-2007, 06:25 AM
raskin
Which of the boxes A, B and P are under your control? Do you need to still enable all features of SSH? Do you really need to distinguish target users (on B) or is it enough just to forbid SSH to some users on A? You can disable NAT on the proxy, so that the only way to get from A to B is through real proxying. Password-protect your proxy and store the password on A in a place that is accessible only by root. Then write a script that will add an option with the correct password (taken from the secret file) to its own option list and run ssh if it finds the user@host string acceptable or if it is run by a "good" user. Allow "good" users to use sudo on this script.
 
#5  08-03-2007, 06:41 AM
Balakrishnan84 (Original Poster)
Sorry. I didn't understand it well.
For the example, I have taken it as SSH. It may be any service like ftp, telnet and so on. I have control over all three machines in a test environment. The software that I am looking for is to provide user-based access on the B servers. I want to take complete control in P itself. I will in turn configure server A to use P as a proxy server for SSH or for anything that it needs to connect to the B servers. Actually I need to have control based on users at both ends, i.e. in A and B. This can be achieved through PAM settings on the B servers. But instead of controlling through individual servers, I need a centralized way; that's why we thought of implementing software on the proxy to take care of this control.
Thanks.
 
#6  08-03-2007, 07:12 AM
raskin
As long as P has already let A and B establish an ssh connection, it cannot see any of its content. The user name will come into play later.

Maybe you can do it if P is a password-protected proxy, and to get a password you need to submit the command you want to run. Surely, if users can submit commands themselves, they can cheat and run a slightly different command later, so you need to have a sudo script that will submit a command to a checking service on P and will run exactly this command with the correct proxy password if the checker agrees. Also you need to include some password just when submitting, but you can store it in a file readable only by root.
 
#7  08-03-2007, 08:23 AM
Balakrishnan84 (Original Poster)
I need not worry about the command that he is running, because I have modified bash such that it will allow only limited commands. So I will give my restricted shell to the user who logs in. The thing is, I need to have time-based and IP-based access. I can even handle this from the modified shell. But if it is possible to restrict at the proxy level then that would solve our problem easily.
Anyway, thanks for your help.
I am sure I will get this done in a few days; I'm looking for some software and will modify it to achieve my requirement.
If you find some method to do this please let me know.
An attempt with LDAP on the proxy machine is also being made to achieve this.
Let's see whether LDAP suits or not.
Thanks
 
#8  08-03-2007, 03:23 PM
raskin
A proxy cannot extract information about source and target users (on A and on B) from an SSH data connection. But both of them are known to the ssh program. So the only reasonable way to keep decision-making on the proxy server is to make the ssh program on A (itself or with the help of a script) consult a special decision-making permission server on P.

Edit: I think that there is no widespread program for this, as I think that it is some (notable, though not deadly yet) hit to the very idea of ssh.

Last edited by raskin; 08-03-2007 at 03:24 PM.
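The client-side wrapper raskin sketches (a sudo-only script on A that checks the source user, the target user@host and the time of day against a policy decided on P, and only then runs ssh) looks roughly like this. This is an added example for the thread, not code from any poster or from a real tool; the script name ssh-gated, the policy file path, the rule format and the sample rules are all assumptions, and instead of querying a permission service on P at run time it reads a policy file that P would distribute to A (the consult-P step is the part a site would swap in). The wrapper only achieves anything if users on A cannot reach ssh except through it; the log lines it emits are what the admin on P would collect.

```shell
#!/bin/sh
# ssh-gated: added example of the client-side wrapper discussed in the thread.
# Hypothetical design: users on host A run this script through sudo, and it
# allows the connection only if the central policy (written on P and
# distributed to A) permits source_user -> dest_user@dest_host at this hour.
set -eu

# Policy format, one rule per line:
#   source_user  dest_user  dest_host  hours
# "hours" is HHMM-HHMM (local time) or "any"; "ALL" is a wildcard.
# First matching rule wins; no matching rule means deny.
# Constructed sample policy for this example (not a real site's data).
SAMPLE_POLICY="# src   dst   host  hours
linux   bala  B1    0800-1800
linux   bala  B2    any
root    ALL   ALL   any"

# The real file would be pushed from P (assumed path); fall back to the
# sample so the example runs stand-alone.
POLICY_FILE="${SSH_GATED_POLICY:-/etc/ssh-gated/policy}"
if [ ! -r "$POLICY_FILE" ]; then
    POLICY_FILE="$(mktemp)"
    printf '%s\n' "$SAMPLE_POLICY" > "$POLICY_FILE"
fi

# to_minutes HHMM -> minutes since midnight (leading zero stripped so the
# shell does not read "08" as an octal number)
to_minutes() {
    h=${1%??}; m=${1#??}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# in_window HHMM SPEC -> success if the time lies inside SPEC
in_window() {
    if [ "$2" = any ]; then return 0; fi
    n=$(to_minutes "$1")
    s=$(to_minutes "${2%-*}")
    e=$(to_minutes "${2#*-}")
    if [ "$n" -ge "$s" ] && [ "$n" -lt "$e" ]; then return 0; fi
    return 1
}

# policy_allows SRC_USER DST_USER DST_HOST HHMM -> success if a rule matches
policy_allows() {
    src=$1; dst=$2; host=$3; now=$4
    while read -r p_src p_dst p_host p_hours; do
        case "$p_src" in ''|'#'*) continue ;; esac      # blank or comment
        if [ "$p_src" != "$src" ] && [ "$p_src" != ALL ]; then continue; fi
        if [ "$p_dst" != "$dst" ] && [ "$p_dst" != ALL ]; then continue; fi
        if [ "$p_host" != "$host" ] && [ "$p_host" != ALL ]; then continue; fi
        if in_window "$now" "$p_hours"; then return 0; fi
    done < "$POLICY_FILE"
    return 1                                            # default deny
}

# gated_ssh [user@]host [ssh args...] -> exec ssh if allowed, else log and refuse.
# The destination must be the first argument so it can be parsed reliably.
gated_ssh() {
    target=$1
    case "$target" in
        *@*) dst_user=${target%%@*}; dst_host=${target#*@} ;;
        *)   dst_user=$(id -un);      dst_host=$target ;;
    esac
    src_user=${SUDO_USER:-$(id -un)}   # the user who invoked us via sudo
    now=$(date +%H%M)
    if policy_allows "$src_user" "$dst_user" "$dst_host" "$now"; then
        logger -t ssh-gated "allow $src_user -> $dst_user@$dst_host"
        exec ssh "$@"
    fi
    logger -t ssh-gated "deny $src_user -> $dst_user@$dst_host"
    printf 'ssh-gated: %s -> %s@%s not permitted at %s\n' \
        "$src_user" "$dst_user" "$dst_host" "$now" >&2
    return 1
}

# Usage: sudo ssh-gated bala@B1 [ssh options / remote command]
case "${1:-}" in
    '') ;;                 # run without arguments: only define the functions
    *)  gated_ssh "$@" ;;
esac
```

With the sample policy, `sudo ssh-gated bala@B1` succeeds for user linux during working hours and is refused (and logged) outside them, while `sudo ssh-gated kris@B1` is refused for linux at any time; root's catch-all rule shows how an exception is expressed. Because the decision is made on A, the design still depends on ssh being unreachable by any other path, which is the limitation raskin points out.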
 
#9  08-05-2007, 11:31 PM
Balakrishnan84 (Original Poster)
In the example I showed you, server A may be more than 100 servers and B more than 500 servers. Imagine writing scripts on the client side; that will lead to unwanted headaches later. So I'm looking for some centralized control approach to handle this problem. If nothing is found, then we have planned to use PAM on all 500 B servers to control it effectively.
Thanks.
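For the fallback mentioned here (enforcing on each B server, with the configuration generated centrally and pushed out), the following is an added illustration that is not from the thread or from any project: an sshd_config fragment that admits only the wanted account from the wanted source host, and pam_access plus pam_time entries covering the source-host and time-of-day limits asked for in post #7. The host name A, the server B1, and the user names are the thread's own placeholders; the address 192.0.2.10 is a constructed example standing in for A's address, and the hours are an assumption.

```text
# --- /etc/ssh/sshd_config on each B server (fragment) ---
# Only the account "bala" may log in, and only when the client is host A.
# The USER@HOST pattern is matched against the client's resolved name and
# its address, so listing both forms works whether or not sshd resolves
# client names. Any other user@host pair is refused by sshd itself.
AllowUsers bala@A bala@192.0.2.10
UsePAM yes

# --- /etc/pam.d/sshd additions ---
# Account-stage checks, run after authentication (password or public key).
account  required  pam_access.so
account  required  pam_time.so

# --- /etc/security/access.conf (read by pam_access) ---
# permission : users : origins
+ : bala : A 192.0.2.10
- : ALL  : ALL EXCEPT LOCAL

# --- /etc/security/time.conf (read by pam_time) ---
# services ; ttys ; users ; times      (Wk = weekdays, 24-hour clock)
sshd ; * ; bala ; Wk0800-1800
```

Each of these four fragments is a plain text file, so the "centralized" part reduces to generating them on P from one policy source and distributing them to the B servers; the AllowUsers line rejects unwanted user@host pairs before PAM is consulted, and the two PAM modules add the source-host and time-window checks for the accounts that do get through.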
 
#10  08-06-2007, 01:13 AM
raskin
Well, I understood that you were ready to modify even ssh. Surely if you have that many boxes you need to have some centralized deployment. What is sure is that there is no way to filter by user names on A unless ssh (or its wrapper) gives it away (in a non-standard way; it doesn't by default); and the only two hosts that can filter by B user names are A and B (they may ask P in the process).
 
#11  08-06-2007, 01:29 AM
Balakrishnan84 (Original Poster)
http://www.nufw.org/
Please look at the above link. I'm currently looking into this tool. It seems to help me a bit. If you have some ideas please let me know.
 
#12  08-06-2007, 01:48 AM
raskin
Looks good. It is probably a good solution to disclose user names on host A to the filtering software. And if you also store the PAM configurations for B on P, you will have all the settings centralized. You will probably need to add nuaclgen entries to cron for time-based policy changes.
 
#13  08-06-2007, 01:53 AM
Balakrishnan84 (Original Poster)
Yes it is. For time-based policy changes, I have planned to provide a user interface on P so that only admins can log in and change the policy. I just started to look into that tool; I think this is a great tool to help me.

Last edited by Balakrishnan84; 08-06-2007 at 01:59 AM.
 
  

