[Gllug] Limiting SSH access

Mark Lowes hamster at korenwolf.net
Thu Apr 3 08:39:17 UTC 2003


On Thu, 2003-04-03 at 08:31, French, Alastair wrote:
> Hi all
> 
> We have a Linux box inside our LAN (the rest is running NT/2K) with ssh
> enabled for external access. Is there a way that we can restrict anyone
> ssh'ing to that machine so that they cannot gain access to any other part of
> the network?

The only thing I can think of is that you put all those users into a
group which cannot run any programs other than those you have explicitly
specified.  You can't deny 'network access' as such because you've then
instantly blocked them from using the network to gain access to the
machine itself.  

As a general rule allowing external users into the secure network from
the outside is a _bad_ idea.

If you _cannot_ under any circumstances allow the possibility of
allowing external users on this machine access to the internal network I
would recommend two internal networks.  So you have

RED: external network, insecure

DMZ: semi-secure, harden everything anyway

GREEN-1: internal network

GREEN-2: secure machines which need to allow external access

GREEN-2 allows the segregation of the 'not seen from the world' and the
'have to allow some external access but too sensitive for the DMZ'.


-- 
Mark Lowes <hamster at korenwolf.net>
http://www.korenwolf.net/
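
One concrete way to implement the "group that may only run explicitly specified programs" idea from the reply above, as an added example that is not code from the original thread: a POSIX shell script that emits an sshd_config "Match Group" block forcing a single command and disabling every SSH forwarding feature that could relay a session into the LAN, plus an audit function that checks an existing sshd_config for those directives. The group name `extusers` and the command `/usr/local/bin/restricted-menu` are hypothetical, and the script assumes an OpenSSH far newer than the 2003 thread (6.7 or later, for Match blocks and AllowStreamLocalForwarding).

```shell
#!/bin/sh
# Added example, not code from the original thread. Confines members of one
# group (hypothetical name "extusers") to a single forced command and turns
# off every SSH feature that could relay traffic into the LAN.
# Assumes OpenSSH 6.7+ (Match blocks, AllowStreamLocalForwarding).

# Print a hardened "Match Group" block for group $1 forcing command $2.
gen_sshd_match() {
    printf '%s\n' \
        "Match Group $1" \
        "    ForceCommand $2" \
        "    AllowTcpForwarding no" \
        "    AllowStreamLocalForwarding no" \
        "    AllowAgentForwarding no" \
        "    X11Forwarding no" \
        "    PermitTunnel no" \
        "    GatewayPorts no"
}

# Directives that must appear inside the group's Match block.
REQUIRED="AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no"

# Audit sshd_config $1 for group $2: returns 0 if every REQUIRED directive is
# present in that group's Match block, 1 (naming the first gap) otherwise.
audit_sshd_match() {
    # Keep only the lines between "Match Group <g>" and the next Match line.
    block=$(awk -v g="$2" '
        /^[ \t]*[Mm]atch[ \t]/ {
            inblk = ($0 ~ ("^[ \t]*[Mm]atch[ \t]+[Gg]roup[ \t]+" g "([ \t]|$)"))
            next
        }
        inblk { print }' "$1")
    printf '%s\n' "$REQUIRED" | while read -r directive; do
        # Allow any run of whitespace between keyword and value.
        pat=$(printf '%s' "$directive" | sed 's/ /[[:space:]]+/')
        printf '%s\n' "$block" | grep -qiE "^[[:space:]]*$pat[[:space:]]*$" \
            || { echo "missing in Match Group $2: $directive"; exit 1; }
    done
}

# Stand-alone usage: emit the block for a hypothetical restricted menu command.
gen_sshd_match extusers /usr/local/bin/restricted-menu
```

The generated block belongs at the end of sshd_config, since everything after a Match line stays conditional until the next one; `sshd -t` will reject a file where it is misplaced.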


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
