limit outgoing connections to certain users - Security


Thread: limit outgoing connections to certain users

  1. limit outgoing connections to certain users

    Hello,

    in our hospital we have companies that must connect to computers for
    support.
    We want to limit their access to certain machines, but we have the
    following problem.
    We can limit on the firewall which machines they can connect to, but
    when they are connected to this server via ssh there is no way to
    prevent them trying to connect to other machines.

    Is there a way to limit outgoing network traffic from a Linux machine
    per user or, even better, is there a way to limit an outgoing
    connection depending on where the incoming ssh connection comes from?

    Thanks
    Andreas

  2. Re: limit outgoing connections to certain users

    On 17 Apr, 07:09, amoroder wrote:
    > Hello,
    >
    > in our hospital we have companies that must connect to computers for
    > support.
    > We want to limit their access to certain machines, but we have the
    > following problem.
    > We can limit on the firewall which machines they can connect to, but
    > when they are connected to this server via ssh there is no way to
    > prevent them trying to connect to other machines.
    >
    > Is there a way to limit outgoing network traffic from a Linux machine
    > per user or, even better, is there a way to limit an outgoing
    > connection depending on where the incoming ssh connection comes from?
    >

    Not simply.

    The right way to do it would be to force key based (no password)
    logins and don't put the public key on machines they shouldn't access.

    Alternatively (but this is rather messy and, if not done right, easily
    subvertible):

    You could run identd on all the servers and create NIS maps for the
    allowed/not allowed users then block SSH access using TCP wrappers.

    HTH

    C.

  3. Re: limit outgoing connections to certain users

    amoroder wrote:
    > in our hospital we have companies that must connect to computers
    > for support. We want to limit their access to certain machines, but
    > we have the following problem. We can limit on the firewall which
    > machines they can connect to, but when they are connected to this
    > server via ssh there is no way to prevent them trying to connect to
    > other machines.
    >
    > Is there a way to limit outgoing network traffic from a Linux
    > machine per user or, even better, is there a way to limit an
    > outgoing connection depending on where the incoming ssh connection
    > comes from?

    Assuming they log in as an identifiable user / group, you can use the
    owner match in the OUTPUT table to limit access.

    From the man page:

    owner
        This module attempts to match various characteristics of the
        packet creator, for locally-generated packets. It is only
        valid in the OUTPUT chain, and even this some packets (such as
        ICMP ping responses) may have no owner, and hence never match.

        --uid-owner userid
            Matches if the packet was created by a process with the
            given effective user id.

        --gid-owner groupid
            Matches if the packet was created by a process with the
            given effective group id.

        --pid-owner processid
            Matches if the packet was created by a process with the
            given process id. (Please note: This option requires
            kernel support that might not be available in official
            Linux kernel sources or Debian's packaged Linux kernel
            sources. And if support for this option is available
            for the specific Linux kernel source version, that
            support might not be enabled in the current Linux kernel
            binary.)

        --sid-owner sessionid
            Matches if the packet was created by a process in the
            given session group. (Please note: This option
            requires kernel support that might not be available in
            official Linux kernel sources or Debian's packaged Linux
            kernel sources. And if support for this option is
            available for the specific Linux kernel source
            version, that support might not be enabled in the current
            Linux kernel binary.)

        --cmd-owner name
            Matches if the packet was created by a process with the
            given command name. (Please note: This option requires
            kernel support that might not be available in official
            Linux kernel sources or Debian's packaged Linux kernel
            sources. And if support for this option is available
            for the specific Linux kernel source version, that
            support might not be enabled in the current Linux kernel
            binary.)

    NOTE: pid, sid and command matching are broken on SMP

    --
    Nick Craig-Wood -- http://www.craig-wood.com/nick
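    The owner-match approach from this reply, worked through as an added example
    (not code from the thread): a POSIX shell script for the support server the
    vendors ssh into, which prints, and optionally applies, an OUTPUT-chain rule
    set that lets one local account reach one machine and nothing else. The
    account name, the allowed address (192.0.2.10, a documentation address) and
    the log prefix are assumptions. The ordering is the part worth studying: the
    post-authentication sshd child runs as the logged-in user, so the replies of
    the vendor's own inbound session carry that uid and must be accepted before
    the catch-all REJECT, or the rule set cuts the session it is meant to confine.

    ```shell
    #!/bin/sh
    # Constructed example (not from the thread): per-user egress filtering with
    # the iptables owner match, applied on the support server the vendors ssh into.
    # The account name and the allowed target address are assumptions.
    set -eu

    IPTABLES="${IPTABLES:-iptables}"

    # Print the OUTPUT-chain rules for one support account, one rule per line,
    # in the order they must be inserted. Printing first lets the rules be
    # reviewed or fed to iptables-restore before anything is applied.
    owner_rules() {
        user="$1"    # local account (name or numeric uid) the vendor logs in as
        host="$2"    # the one machine this account may open connections to

        # 1. Replies of the vendor's own inbound ssh session are produced by the
        #    post-auth sshd child running as the user, so they carry this uid;
        #    without this rule the REJECT below would cut that session.
        echo "-A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # 2. Loopback stays open (local tools, forwarded sockets, etc.).
        echo "-A OUTPUT -m owner --uid-owner $user -o lo -j ACCEPT"
        # 3. The single permitted onward hop: ssh to the allowed machine only.
        echo "-A OUTPUT -m owner --uid-owner $user -d $host -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
        # 4. Log, then refuse, everything else this account tries to open. The
        #    log line is the detection signal for a vendor probing further.
        echo "-A OUTPUT -m owner --uid-owner $user -m limit --limit 10/min -j LOG --log-prefix vendor-egress-deny:"
        echo "-A OUTPUT -m owner --uid-owner $user -j REJECT --reject-with icmp-admin-prohibited"
    }

    # Apply the printed rules with iptables (needs root). Only runs when the
    # script is invoked as: sh egress.sh apply <user> <host>
    apply_rules() {
        owner_rules "$1" "$2" | while IFS= read -r rule; do
            # word-splitting $rule into iptables arguments is intended here
            $IPTABLES $rule
        done
    }

    if [ "${1:-}" = "apply" ]; then
        apply_rules "$2" "$3"
    fi
    ```

    Two caveats when using this for real: `--gid-owner` matches only the
    effective (primary) group of the creating process, so a vendor whose
    membership in the support group is supplementary will not match it (recent
    iptables releases add `--suppl-groups` for that case); and if the vendor
    reaches the target by name rather than address, the resolver also needs an
    explicit ACCEPT for UDP/TCP 53, otherwise the lookup is what gets logged and
    rejected.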

  4. Re: limit outgoing connections to certain users

    On 21 Apr, 13:59, "C." wrote:
    > On 17 Apr, 07:09, amoroder wrote:
    >
    > > Hello,
    > >
    > > in our hospital we have companies that must connect to computers for
    > > support.
    > > We want to limit their access to certain machines, but we have the
    > > following problem.
    > > We can limit on the firewall which machines they can connect to, but
    > > when they are connected to this server via ssh there is no way to
    > > prevent them trying to connect to other machines.
    > >
    > > Is there a way to limit outgoing network traffic from a Linux machine
    > > per user or, even better, is there a way to limit an outgoing
    > > connection depending on where the incoming ssh connection comes from?
    >
    > Not simply.
    >
    > The right way to do it would be to force key based (no password)
    > logins and don't put the public key on machines they shouldn't access.
    >
    > Alternatively (but this is rather messy and, if not done right, easily
    > subvertible):
    >
    > You could run identd on all the servers and create NIS maps for the
    > allowed/not allowed users then block SSH access using TCP wrappers.
    >
    > HTH
    >
    > C.

    On reflection, a better way would be to use the AllowGroups ssh config
    directive and set up groups for each machine (or groups of machines).
    But that enforces what credentials they supply to the target machine -
    not what credentials they have at the client end.

    C.
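    The target-side policy from this reply and the key-only login advice from
    the earlier one, combined in an added example (not code from the thread): a
    shell function that renders an sshd_config fragment for one target machine.
    It uses AllowGroups as suggested, and adds a Match block so that the vendor
    group is accepted only when the connection originates at the hospital's
    support gateway, which addresses the original question about where the
    incoming ssh comes from. The group names and the gateway address (192.0.2.5)
    are assumptions; the Match/DenyGroups construction is this example's
    choice, not something the reply states.

    ```shell
    #!/bin/sh
    # Constructed example (not from the thread): render an sshd_config fragment
    # that allows only named groups to log in, key-only, and accepts the vendor
    # group solely from the support gateway. All names and addresses are assumed.
    set -eu

    render_sshd_policy() {
        admin_group="$1"   # local admins, may log in from anywhere
        vendor_group="$2"  # the support company's accounts on this machine
        gateway="$3"       # address or CIDR the vendors must arrive from
        cat <<EOF
    # Generated access policy (constructed example)
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowGroups $admin_group $vendor_group

    # Match blocks must stay at the end of the effective configuration. Deny
    # takes precedence over AllowGroups, so vendors arriving from anywhere
    # except the gateway are refused even though the group is allowed above.
    Match Group $vendor_group Address *,!$gateway
        DenyGroups $vendor_group
    EOF
    }

    # Usage: sh sshd-policy.sh <admin-group> <vendor-group> <gateway-address>
    # prints the fragment; append it to the end of sshd_config, run "sshd -t",
    # then reload sshd.
    if [ $# -eq 3 ]; then
        render_sshd_policy "$1" "$2" "$3"
    fi
    ```

    Because a Match block applies to every directive that follows it, the
    fragment belongs at the very end of /etc/ssh/sshd_config, not in an Include
    drop-in that is pulled in near the top. This is enforced per target machine
    and says nothing about what the vendor does from the support server once
    logged in; the owner-match filter from the earlier reply is the complement
    that covers that side.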
