Hi,

Sorry for the late summary. Thank you to all who gave their ideas:

  Nico Weiland
  Jesse Trucks
  Drew Skinner
  Unix4me@aol.com
  Jay Lessert
  john65@pobox.com
  Charles Gagnon
  Eric Forgette
  marco.breedeveld
  ralzyoud@Collinder.net
  ron.spillane@agric.nsw.gov.au

All of them gave a different approach on how to do it. Some suggested the use of chroot, sudo, RBAC, ACLs, tcp wrappers, etc. But the majority suggested the use of a restricted shell, which is the most appropriate to my set up.

Nico Weiland and Jesse Trucks pointed me to links which were very helpful:

  http://www.sunmanagers.org/pipermail/summaries/2001-March/000337.html
  http://www.netsys.com/sunmgr/1999-07/msg00101.html
  http://www.sunmanagers.org/pipermail/summaries/2002-June/003264.html

To those who requested the responses for this issue, I have pasted some of the interesting responses below:

Nico Weiland:
========================
I think it's a problematic setup - outside access into a private network - but anyway :)

Restricted shell access might be for you, have a look at this:
http://www.sunmanagers.org/pipermail/summaries/2001-March/000337.html

But be warned, I'd not consider it foolproof, and there have always been some issues over the years, like this:
http://online.securityfocus.com/bid/4547
==============

Eric Forgette:
I've been planning on writing an anti-springboard script for a few months now, I just haven't had time. Here is the approach I was going to take.

The script would basically interrogate the output of "pfiles /proc/*" every few minutes. It would check the current outgoing network connections against a list of uids forbidden to make connections. If found, it would log the event, berate the user, kill the process, and log the user off of the server (or other nasty punishments).
Here is an example of what to look for:

  14814:  telnet somehost
    Current rlimit: 256 file descriptors
     0: S_IFCHR mode:0620 dev:233,0 ino:285475 uid:166 gid:7 rdev:24,4
        O_RDWR|O_NDELAY
     1: S_IFCHR mode:0620 dev:233,0 ino:285475 uid:166 gid:7 rdev:24,4
        O_RDWR|O_NDELAY
     2: S_IFCHR mode:0620 dev:233,0 ino:285475 uid:166 gid:7 rdev:24,4
        O_RDWR|O_NDELAY
     3: S_IFCHR mode:0000 dev:233,0 ino:2124 uid:0 gid:0 rdev:41,97
        O_RDONLY
     4: S_IFDOOR mode:0444 dev:274,0 ino:43168 uid:0 gid:0 size:0
        O_RDONLY|O_LARGEFILE FD_CLOEXEC  door to nscd[703]
     5: S_IFSOCK mode:0666 dev:269,0 ino:2312 uid:0 gid:0 size:0
        O_RDWR|O_NDELAY
          sockname: AF_INET 172.16.9.149  port: 10992
          peername: AF_INET 172.16.9.150  port: 23

File handle #5 shows a network connection from 172.16.9.149 to 172.16.9.150 on port 23 (telnet). Of course the command string tells you it's telnet, however a crafty user could simply copy telnet to their home directory and name it happyscript. Then if you just look for telnet, you'll miss his illegal connection. A quick ls -ld /proc/14814 will show you who is executing the command.

I hope this gives you a starting place.

Regards,
-Eric
===========================================================================

Drew Skinner:
Turn off telnet and/or ssh in the other machines in the office. If you need to have connectivity to them I suggest you plug in a terminal concentrator (such as a Lightwave) and you can have additional layers of security there.

The machine the supplier will be connecting to will (by default) have either ssh or telnet turned on - the best you can do is turn it off on the other machines or, if you really want to spend some time with security, the other option would be to consider using tcp wrappers to deny the machine with 'outside' access, access to anything else.
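The core of Eric Forgette's anti-springboard idea, parsing "pfiles /proc/*" for sockets that have a peername and matching the owning process against a forbidden-uid list, as an added example that is not from the original thread or any of its posters. The pfiles text and the pid-to-uid map below are constructed (modelled on the fragment above); on a live Solaris box the uid would come from os.stat("/proc/<pid>").st_uid, which is what the "ls -ld /proc/14814" check reads.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of "pfiles /proc/*" output, modelled on the fragment in
# the message above (pid 14814 owned by uid 166). Not a real capture.
SAMPLE_PFILES = """\
14814:\ttelnet somehost
  Current rlimit: 256 file descriptors
   0: S_IFCHR mode:0620 dev:233,0 ino:285475 uid:166 gid:7 rdev:24,4
      O_RDWR|O_NDELAY
   5: S_IFSOCK mode:0666 dev:269,0 ino:2312 uid:0 gid:0 size:0
      O_RDWR|O_NDELAY
        sockname: AF_INET 172.16.9.149  port: 10992
        peername: AF_INET 172.16.9.150  port: 23
703:\t/usr/sbin/nscd
  Current rlimit: 256 file descriptors
   3: S_IFSOCK mode:0666 dev:269,0 ino:2300 uid:0 gid:0 size:0
      O_RDWR|O_NDELAY
        sockname: AF_INET 0.0.0.0  port: 111
"""

# Hypothetical pid -> owner uid map; stands in for os.stat("/proc/<pid>").st_uid.
SAMPLE_OWNERS: Dict[int, int] = {14814: 166, 703: 0}

# A process header starts in column 0 ("14814:<tab>telnet somehost");
# fd lines are indented, so they do not match this pattern.
PID_RE = re.compile(r"^(\d+):\s+(.*)$")
PEER_RE = re.compile(r"^\s*peername: AF_INET6? (\S+)\s+port: (\d+)")


def find_connections(pfiles_text: str) -> List[Tuple[int, str, str, int]]:
    """Return (pid, command, peer_ip, peer_port) for every fd with a peername.
    Keying on the socket entry rather than argv catches a renamed telnet."""
    conns = []
    pid, cmd = None, ""
    for line in pfiles_text.splitlines():
        m = PID_RE.match(line)
        if m:
            pid, cmd = int(m.group(1)), m.group(2)
            continue
        m = PEER_RE.match(line)
        if m and pid is not None:
            conns.append((pid, cmd, m.group(1), int(m.group(2))))
    return conns


def forbidden_connections(pfiles_text: str, owners: Dict[int, int],
                          forbidden_uids: Set[int]) -> List[Tuple[int, str, str, int]]:
    """Connections whose process is owned by a uid on the forbidden list.
    An accepted inbound connection also shows a peername, so a hit is
    something to log and review, not proof of a springboard by itself."""
    return [c for c in find_connections(pfiles_text)
            if owners.get(c[0]) in forbidden_uids]
```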
========================================================================

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Sun Nov 10 20:36:24 2002
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:57 EST