[Gllug] Limiting SSH access
Mark Lowes
hamster at korenwolf.net
Thu Apr 3 08:39:17 UTC 2003
On Thu, 2003-04-03 at 08:31, French, Alastair wrote:
> Hi all
>
> We have linux box inside our Lan (the rest is running NT/2K) with ssh
> enabled for external access. Is there a way that we can restrict anyone
> ssh'ing to that machine so that they cannot gain access to any other part of
> the network?
The only thing I can think of is that you put all those users into a
group which cannot run any programs other than those you have explicitly
specified. You can't deny 'network access' as such because you've then
instantly blocked them from using the network to gain access to the
machine itself.
As a general rule allowing external users into the secure network from
the outside is a _bad_ idea.
If you _cannot_ under any circumstances allow the possibility of
allowing external users on this machine access to the internal network I
would recommend two internal networks. So you have
RED: external network, insecure
DMZ: semi-secure, harden everything anyway
GREEN-1: internal network
GREEN-2: secure machines which need to allow external access
GREEN-2 allows the segregation of the 'not seen from the world' and the
'have to allow some external access but too sensitive for the DMZ'
--
Mark Lowes <hamster at korenwolf.net>
http://www.korenwolf.net/
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
More information about the GLLUG
mailing list