Late Summary:question on security

From: <>
Date: Sun Nov 10 2002 - 20:30:57 EST

Sorry for the late summary. Thank you for all who gave their ideas:

Nico Weiland
Jesse Trucks
Drew Skinner
Jay Lessert
Charles Gagnon 
Eric Forgette 

All of them gave a different approach on how to do it. Some suggested the use
of chroot, sudo, RBAC, ACLs, tcp wrappers, etc. But the majority suggested the
use of a restricted shell, which is the most appropriate for my setup.

Nico Weiland and Jesse Trucks pointed me to a link which was very helpful.

To those who requested the responses for this issue, I have pasted some
of the interesting responses below:

Nico Weiland:
I think it's a problematic setup - outside access into a private network -
but anyway :)

Restricted shell access might be for you, have a look at this:

But be warned, I'd not consider it foolproof, and there have always been
some issues over the years, like this:


Eric Forgette:

I've been planning on writing an anti-springboard script for a few
months now, I just haven't had time.  Here is the approach I was going
to take.  The script would basically interrogate the output of "pfiles
/proc/*" every few minutes.  It would check the current outgoing network
connections against a list of uids forbidden to make connections.  If
found, it would log the event, berate the user, kill the process, and
log the user off of the server (or other nasty punishments).

Here is an example of what to look for:

14814:  telnet somehost
  Current rlimit: 256 file descriptors
   0: S_IFCHR mode:0620 dev:233,0 ino:285475 uid:166 gid:7 rdev:24,4
   1: S_IFCHR mode:0620 dev:233,0 ino:285475 uid:166 gid:7 rdev:24,4
   2: S_IFCHR mode:0620 dev:233,0 ino:285475 uid:166 gid:7 rdev:24,4
   3: S_IFCHR mode:0000 dev:233,0 ino:2124 uid:0 gid:0 rdev:41,97
   4: S_IFDOOR mode:0444 dev:274,0 ino:43168 uid:0 gid:0 size:0
      O_RDONLY|O_LARGEFILE FD_CLOEXEC  door to nscd[703]
   5: S_IFSOCK mode:0666 dev:269,0 ino:2312 uid:0 gid:0 size:0
        sockname: AF_INET  port: 10992
        peername: AF_INET  port: 23

File handle #5 shows a network connection from to on port 23 (telnet).  Of course the command string tells
you it's telnet, however a crafty user could simply copy telnet to their
home directory and name it happyscript.  Then if you just look for
telnet, you'll miss his illegal connection.

A quick ls -ld /proc/14814 will show you who is executing the command.

I hope this gives you a starting place.
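The check Eric describes, as an added example (not code from the thread): a parser for `pfiles /proc/*` output that pairs each socket fd with its peername and flags connections by the owning uid rather than by command name, so a renamed telnet is still caught. The sample output, the 192.0.2.x addresses and the pid-to-owner map are constructed; on a live system the owner map comes from stat("/proc/<pid>"), which is what `ls -ld /proc/<pid>` shows.

```python
import re

# Constructed sample in the shape of `pfiles /proc/*` output on Solaris; the first
# record mirrors the one quoted above. The 192.0.2.x addresses are placeholders.
SAMPLE_PFILES = """\
14814:  telnet somehost
   0: S_IFCHR mode:0620 dev:233,0 ino:285475 uid:166 gid:7 rdev:24,4
   5: S_IFSOCK mode:0666 dev:269,0 ino:2312 uid:0 gid:0 size:0
        sockname: AF_INET 192.0.2.10  port: 10992
        peername: AF_INET 192.0.2.20  port: 23
14902:  ./happyscript
   3: S_IFSOCK mode:0666 dev:269,0 ino:2400 uid:0 gid:0 size:0
        sockname: AF_INET 192.0.2.10  port: 11001
        peername: AF_INET 192.0.2.30  port: 22
703:    /usr/sbin/nscd
   4: S_IFSOCK mode:0666 dev:269,0 ino:2500 uid:0 gid:0 size:0
        sockname: AF_INET 0.0.0.0  port: 0
"""
# Constructed pid -> owner uid map. On a live box this comes from stat("/proc/<pid>")
# (what `ls -ld /proc/<pid>` shows), since pfiles output does not name the owner.
SAMPLE_OWNERS = {14814: 166, 14902: 166, 703: 0}

HEADER = re.compile(r"^(\d+):\s+(.*)$")             # "14814:  telnet somehost"
FD_LINE = re.compile(r"^\s+(\d+): (S_IF\w+)")       # "   5: S_IFSOCK mode:..."
PEER = re.compile(r"^\s+peername: (\S+)(?:\s+(\S+))?\s+port: (\d+)")

def parse_connections(text):
    """Yield (pid, cmd, fd, peer_addr, peer_port) for each socket fd that has a peer."""
    pid = cmd = sock_fd = None
    for line in text.splitlines():
        if m := HEADER.match(line):
            pid, cmd, sock_fd = int(m.group(1)), m.group(2).strip(), None
        elif m := FD_LINE.match(line):
            # Only a socket fd can carry a peername; any other fd type ends the socket.
            sock_fd = int(m.group(1)) if m.group(2) == "S_IFSOCK" else None
        elif sock_fd is not None and (m := PEER.match(line)):
            yield pid, cmd, sock_fd, m.group(2) or m.group(1), int(m.group(3))
            sock_fd = None

def find_springboards(text, owners, forbidden_uids):
    """Flag connections whose process owner is on the forbidden list, whatever the
    command calls itself (catches telnet copied and renamed to happyscript)."""
    hits = []
    for pid, cmd, fd, addr, port in parse_connections(text):
        uid = owners.get(pid)
        if uid in forbidden_uids:
            hits.append({"pid": pid, "uid": uid, "cmd": cmd, "fd": fd, "peer": f"{addr}:{port}"})
    return hits
```

A listening socket with only a sockname (the nscd record) is not reported, so the check fires on established outgoing connections only.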


Drew Skinner:

Turn off telnet and/or ssh in the other machines in the office. If you need
to have connectivity to them I suggest you plug in a terminal concentrator
(such as a Lightwave) and you can have additional layers of security there.

The machine the supplier will be connecting to will (by default) have either
ssh or telnet turned on - the best you can do is turn it off on the other
machines or, if you really want to spend some time with security, the other
option would be to use tcp wrappers to deny the machine with 'outside' access,
access to anything else.


sunmanagers mailing list
Received on Sun Nov 10 20:36:24 2002

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:57 EST