[Gllug] Limiting SSH access
Richard W.M. Jones
rich at annexia.org
Thu Apr 3 10:55:06 UTC 2003
On Thu, Apr 03, 2003 at 08:31:53AM +0100, French, Alastair wrote:
> Hi all
>
> We have linux box inside our Lan (the rest is running NT/2K) with ssh
> enabled for external access. Is there a way that we can restrict anyone
> ssh'ing to that machine so that they cannot gain access to any other part of
> the network?
We had a similar problem. At an old old company I used to work for
we wanted to provide shell account access to Internet users. We
also wanted to prevent them from making outward connections from
those shell accounts.
It's quite difficult to solve this problem effectively. It depends on
the nature of your users and the level of threat you are willing to
put up with.
A simple solution involves:
(a) Put an anal firewall on *outgoing* connections.
(b) Make sure no one on the machine can get to root.
(c) Remove any unnecessary packages, ie. anything which isn't
absolutely necessary for the users to get their work done.
(d) Keep up to date with security fixes! (esp. local root exploits)
A more complex solution (which would allow users to be root in the
shell account) would be to have a separate firewall to create a
small DMZ:
+------------+ +------------+ +------------+
---| existing |-------| new |-------| shell |
| firewall | | firewall | | account |
+------------+ +------------+ +------------+
--- allow ssh --->
<-- deny all ----
If you don't want to spare a separate box then you could do something
with user-mode linux, but the design on user-mode linux doesn't strike
me as being secure enough [it looks to me like it allows you to overwrite
parts of the kernel?]
Rich.
--
Richard Jones, Red Hat Inc. (London office, UK) http://www.redhat.com/
http://www.annexia.org/ Freshmeat projects: http://freshmeat.net/users/rwmj
MAKE+ is a sane replacement for GNU autoconf/automake. One script compiles,
RPMs, pkgs etc. Linux, BSD, Solaris. http://www.annexia.org/freeware/makeplus/
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
More information about the GLLUG
mailing list