> > > Sent: Thursday 23 January 2003 13:18
> > > To: Charl Matthee
> > > Cc: debian-security@lists.debian.org
> > > Subject: Re: question about SSH / IPTABLES
> > >
> > >
> > > Hello Charl Matthee!!!
> > >
> > > > I
execute in noexec directories? Is the bug gone?
Alex
>
> > -Original Message-
> > From: Iñaki Martínez [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday 23 January 2003 13:18
> > To: Charl Matthee
> > Cc: debian-security@lists.debian.org
> > Subject: R
On Thu 23 Jan 2003 13:45, DEFFONTAINES Vincent wrote:
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.
Beware that noexec can be easily cheated:
<-->
ad
A simpler way would be to use:
- The connection tracking abilities of iptables.
For example DROP NEW connections from upper ports
(this way you are not going to have problems with established
connections such as the ssh login into the machine)
OR:
- At TCP level, match flags like SYN to avoid sta
you may also try rbash as a shell type (in /etc/passwd), it is not super
secure, and people can still use their own binaries, but you can
restrict them to their own home directory and whatever's in their path.
It's the lazy person's way out of doing chroots for all. More info in the man
page for bash
VRT <--
On Thu, 23 Jan 2003, Jean Christophe ANDRÉ wrote:
> But far more secure : apt-cache show kernel-patch-2.4-grsecurity
This is a real solution, but it takes quite a bit of effort to configure
things right. I investigated it some time ago but after a little bit of
fiddling I realized it would take a
On 2003/01/23 12:24:49PM +0100, Thu, Iñaki Martínez wrote:
> Hi!!!
>
> I have a server on the internet and I want several clients to access it via
> SSH but I DON'T want them to be able to use SSH from that server.
>
> So a client can access the server via SSH, but s/he CAN NOT ssh to other
> se
Ralf Dreibrodt wrote:
> Is there any packet filter, which can block only outgoing ssh-sessions?
One may use the "string" extension to iptables to match "SSH"? See:
http://www.netfilter.org/documentation/pomlist/pom-extra.html#string
Regards, J.C.
On Thu, 23 Jan 2003 at 12:24:49PM +0100, Iñaki Martínez wrote:
> Hi!!!
>
> I have a server on the internet and I want several clients to access it via
> SSH but I DON'T want them to be able to use SSH from that server.
>
> So a client can access the server via SSH, but s/he CAN NOT ssh to other
DEFFONTAINES Vincent wrote:
> You can
> 1. Remove the users' access to the ssh program
> (e.g. change ownership and rights of /usr/bin/ssh and create a "ssh" group for
> allowed outgoing ssh users).
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch,
On Thu, 23 Jan 2003, DEFFONTAINES Vincent wrote:
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.
Do that. Then try /lib/ld.so a_program_on_a_noexec_partition, and
>
> what if you have the no-port-forwarding in authorized_keys?
>
> Mike
I'm not totally sure but I think it is only for forbidding changing the
port to connect to w/ ssh.
This option is sometimes used for tunneling other applications over SSH
or for passing through NATs and FW afai
* Quoting DEFFONTAINES Vincent ([EMAIL PROTECTED]):
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.
This does not prevent them from executing
binaries. This has b
On 23 Jan 2003, Stanislas Rusinsky wrote:
> in sshd_conf :
>
> AllowTcpForwarding no :
> Specifies whether TCP forwarding is permitted. The default is
> ``yes''. Note that disabling TCP forwarding does not improve security
> unless users are also denied shell access, as they
Hi,
DEFFONTAINES Vincent wrote:
>
> 1. Remove the users' access to the ssh program
> (e.g. change ownership and rights of /usr/bin/ssh and create a "ssh" group for
> allowed outgoing ssh users).
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, s
On Thu, Jan 23, 2003 at 01:45:47PM +0100, DEFFONTAINES Vincent wrote:
> You can
> 1. Remove the users' access to the ssh program
> (e.g. change ownership and rights of /usr/bin/ssh and create a "ssh" group for
> allowed outgoing ssh users).
> 2. Mount /home, /tmp and any other place users might have w
> > If you want to use iptables then allow incoming ssh requests from the
> > relevant hosts and disallow outgoing ssh requests from the server:
> >
> > iptables -A OUTPUT -j REJECT -p tcp --destination-port 22
>
> But if the client jumps to another port
"GatewayPorts no" in sshd_config :
Sp
> > I have a server on the internet and I want several clients to access it via
> > SSH but I DON'T want them to be able to use SSH from that server.
> >
> > So a client can access the server via SSH, but s/he CAN NOT ssh to other
> > servers from my server...
>
in sshd_conf :
AllowTcpForwar
anuary 2003 13:18
> To: Charl Matthee
> Cc: debian-security@lists.debian.org
> Subject: Re: question about SSH / IPTABLES
>
>
> Hello Charl Matthee!!!
>
> > If you want to use iptables then allow incoming ssh requests from the
> > relevant hosts and disallow
On Thu Jan 23 2003 at 01:17:21PM +0100 'Iñaki Martínez' <[EMAIL PROTECTED]>
wrote:
> But if the client jumps to another port
That is the shortcoming of using this solution.
> I think there is no COMPLETE solution
If there is a rule there is generally some way around it ;) you need
Hello Charl Matthee!!!
> If you want to use iptables then allow incoming ssh requests from the
> relevant hosts and disallow outgoing ssh requests from the server:
>
> iptables -A OUTPUT -j REJECT -p tcp --destination-port 22
But if the client jumps to another port
$ ssh -p 25 remote_ip
On Thu, Jan 23, 2003 at 12:24:49PM +0100, Iñaki Martínez wrote:
> Hi!!!
>
> I have a server on the internet and I want several clients to access it via
> SSH but I DON'T want them to be able to use SSH from that server.
>
> So a client can access the server via SSH, but s/he CAN NOT ssh to other
On Thu Jan 23 2003 at 12:24:49PM +0100 'Iñaki Martínez' <[EMAIL PROTECTED]>
wrote:
> I have a server on the internet and I want several clients to access it via
> SSH but I DON'T want them to be able to use SSH from that server.
>
> So a client can access the server via SSH, but s/he CAN NOT ss
Hi,
Iñaki Martínez wrote:
> I have a server on the internet and I want several clients to access it
> via SSH but I DON'T want them to be able to use SSH from that server.
> So a client can access the server via SSH, but s/he CAN NOT ssh to other
> servers from my server...
> How can
hi
I have a server on the internet and I want several clients to access it via
SSH but I DON'T want them to be able to use SSH from that server.
So a client can access the server via SSH, but s/he CAN NOT ssh to other
servers from my server...
easy way:
chmod 500 /usr/bin/ssh
regards
--
**
On Thu, 2003-01-23 at 12:24, Iñaki Martínez wrote:
> I have a server on the internet and I want several clients to access it via
> SSH but I DON'T want them to be able to use SSH from that server.
> So a client can access the server via SSH, but s/he CAN NOT ssh to other
> servers from my server..
* Quoting Iñaki Martínez ([EMAIL PROTECTED]):
> So a client can access the server via SSH, but s/he CAN NOT ssh to other
> servers from my server...
>
> How can i do this
chmod o-x /usr/bin/ssh
- rk
--
"What sort of person," said Salzella patiently, "sits down and writes a
maniacal laug