General :: Ssh Tunnel Username With Restrictions?

Mar 25, 2011

I have just set up a KVM virtual machine on my server. To connect to the VM from outside of the network I use SSH tunneling. What I would like to know is if there is any way to create a new user with just SSH access. I don't want people to be able to edit files in ~/ or such. I just need the user to establish the connection to the server.


Networking :: IPsec - Tunnel Restrictions And Users?

Jun 22, 2011

While I successfully configured an IPsec VPN (I use a similar, though modified, setup like this: [URL]..), I am now stuck on the next steps. While I can connect to everything I want, I need to configure "access-groups" and/or "users".

The scenario is similar to this: Let's say Host A, B and C allow SSH connections and some weird non-standard UDP connection from Host-VPN, and are also accessible on other ports with public IPs (like http).

I now want to limit access so that an admin-user has access to all of them, while trainee-admin can only access everything on Host B and C, and CEO can only connect via telnet to Host C - and all users can be roadwarriors.

(I made this example up to give you an idea of what I'm trying to do - hope it makes sense). Now my question is whether someone can point me in a direction, as I'm quite clueless at the moment as to what to try. I know that commercial IPsec implementations can do this, but can OpenSWAN/... give me something similar?


Fedora :: Username Restrictions And Groups And Computernames?

Nov 24, 2009

I have searched for days on Google and can't find a clear answer to my question. I have an NT4 PDC which I am migrating to Samba 3 (Version 3.4.2-47.fc12) on FC12 with kernel (2.6.31.5-127.fc12.i686). I am using tdbsam as my passdb backend. I set up Samba as a BDC and then joined it to the NT4 domain successfully. When I go to vampire the accounts I get lots of errors and some user accounts get transferred over. It turns out that all the user accounts that transfer are those that don't have a capital letter in their username on the NT4 domain server. Most do and don't get transferred. There seem to be errors with my groups and computer accounts. Is there a way to change the requirements in Fedora 12 for usernames, groups and computer names?


General :: PAM Password Restrictions Don't Seem To Be Working

Apr 21, 2010

I set some restrictions in /etc/pam.d/system-auth, but they don't seem to be affecting anything.

/etc/pam.d/passwd:

Code:

password required pam_cracklib.so retry=3 minlen=8
password required pam_unix.so md5 shadow use_authtok

/etc/pam.d/system-auth:

Code:

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

[code]....


General :: Pam Time Restrictions Not Working?

Jan 14, 2010

I don't want to allow the user winny on Saturdays and Sundays. I added the following line in the /etc/security/time.conf file.

login;*;winny;!SaSu0000-2400

Then I added the following line in the /etc/pam.d/login file.

account required pam_time.so

This is the first line of that login file. But if I try to log in with the username winny, it allows me to log in. Does anything have to be changed?


General :: Internet Access Restrictions With Squid?

Dec 30, 2010

I am using internet web control through Squid. All is working fine, with only a few small issues.

(1) Sometimes when I try to open google.com or any site I get the message "The requested URL could not be retrieved" (screenshot attached), but after some time the same websites will open again.


(2) I would like to block the word 'sex', so I have edited squid.conf with the following ACL:

acl Blockword url_regex sex
http_access deny Blockword

But a problem occurs with some websites where the word 'sensex' is found in the URL. Squid then blocks websites with 'sensex' in the URL as well.


General :: Safety - Impose Restrictions To A Process On Linux?

Mar 25, 2011

Can I limit the system resources that a process can use on Linux? I want to configure the system to avoid that some specified processes use some system resources:

choose if a process is allowed to use network and Internet.

choose which files and folders that a process can read, write or execute.

choose if a process is allowed to use sound and graphics output, and printer.

choose the limit of memory that it can use.


General :: Change The Restrictions To Some Normal Text Files?

Oct 23, 2010

I'm trying to change the restrictions on some normal text files and the result is not what is expected.

For example, when I put:

chmod 000 testfile.txt

on a file that is

-rwxrwxrwx,

it instead becomes

-r--r--r--.

It doesn't matter whether I do it as root or as the owner of the file, the result is the same.

Also, putting

chmod u-rwx testfile

results in the file becoming, again,

-r--r--r--.

Also, some commands don't have any effect, such as

chmod o-r testfile.

Even if I do this, the result is the same -rwxrwxrwx.


General :: SSH X Tunnel Via Non-X Server

Jul 7, 2010

I'm working remotely at the minute, but have several 'incoming' automatic reverse shells connecting to a dedicated server. This dedicated server does not have X, but several of the 'incoming' shell servers do. Basically, take three machines, laptop, server, client. Laptop and client have X, server does not. All three machines have password-less logins to each other (laptop > server, server > client) and can password-lessly establish a shell.

I've tried ssh -X user@server "ssh -X user@client gui-application" and, no surprise, I'm getting 'Cannot open Display' messages. Does anyone know a nice one-liner for this kind of tunnelling?


General :: Setup VPN Tunnel With OpenVPN

Jan 31, 2010

I need to know the procedure to set up a VPN between two networks. I set up OpenVPN Access Server to do this easily. 1. Step by step procedure to set up VPN 2. Set up VPN with DHCP 3. How to check that OpenVPN is running successfully.


General :: Allow Other Computers To Use Local SOCKS SSH Tunnel?

Apr 30, 2011

I often use SSH tunnelling on my computer, using a SOCKS proxy.

ssh -D 1234 example.com

However, this only accepts local connections. I would like other systems on my network to be able to use the proxy on my computer as well.

How can I achieve this? If SSH doesn't have an option itself I imagine it might be possible to have a program proxy the proxy on a different port, but I don't know if there are any common tools to do this.


General :: Create Tunnel To Utilize For Telnet Connection?

Nov 8, 2010

Machine A is located behind the client firewall. The machine runs telnetd. This is a Linux machine with Python 2.5.4 installed. I do not know the IP addy of the router, and the firewall is not open for incoming. Outgoing firewall is open.

Machine B (Windows machine) is a server with well known IP address. I can install any programs I want on either machine.

The idea is that I want Machine A to open a socket to machine B. Then I want to hold that socket and use to run a telnet session from Machine B to Machine A telnetd server.


General :: Windows - Routing Everything Except A Certain IP Range Through An OpenVPN Tunnel?

Aug 31, 2011

I've been working with my OpenVPN server for a while, and I have a rather interesting problem. I need to redirect all client traffic through the tunnel except for a couple of IPs that need to be resolvable locally. The way I'm doing this is pushing these routes from the server:

Server 'PUSH' directives

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

I'm seeing that translating into these Windows routes:

Windows routes occurring

Wed Aug 31 15:14:35 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.6 10.8.0.5'
Wed Aug 31 15:14:35 2011 ROUTE default_gateway=192.168.1.254

Wed Aug 31 15:14:40 2011 C:\WINDOWS\system32\route.exe ADD 199.[*.*.*] MASK 255.255.255.255 192.168.1.254
Wed Aug 31 15:14:40 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Aug 31 15:14:40 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Aug 31 15:14:40 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5

I've hidden my server's IP beginning with 199 for security purposes.

What I've gathered

I'm assuming that 0.0.0.0 is a kind of code for "everything," so I'm not sure how I could get this to work, but the general idea is that I need a specific IP range (172.16.*) to be resolvable on the LOCAL NETWORK (of the client), meaning it does not go through the VPN tunnel and the client can connect to 172.16.* locally. Is this possible? Routes can be executed through the command line, server "push" or client config options. Any way to get this to work while still routing other traffic through would do, really.

Additional Info: I have the server running on Debian 64-bit and the client running on Windows 7 (although Vista needs to work as well). Client/server configs can be provided if needed.


General :: 2 Linux Boxes / Proxy And Ssh Tunnel Forwarding

May 25, 2011

I need to create SSH forwarding to another Linux box that works as a proxy. I have two Linux boxes (CentOS 5.5), one in the office (server1) behind a firewall, the other at colocation (server2). server1 has Squid proxy installed on port 3128. I can't use server1 as a direct proxy from home because it's behind a firewall. I was able to create an SSH tunnel from server1 to server2, and when I log in to server2 I can ssh root@localhost -p 12312 to server1.

What I need is to configure server2 so it forwards port server2:3128 to server1:3128... and I could add server2's IP address and port to Firefox's proxies and access the office network.


General :: Multiple Hop Tunnel To Chain Port Forwarding

Feb 1, 2010

I was having trouble setting up a db connection from my local machine to a db server that was configured to only accept connections from machines behind its own subnet. I had trouble setting up a multiple hop tunnel for chaining port forwarding through my firewall machine on the same subnet as the db. My first attempt involved two port forwards, on localhost and on the firewall machine, which didn't work for me. This approach I found at URL... involved constructing an end to end connection to the db via the firewall machine.


General :: SSH Tunnel Commands To List Active/disconnect?

Apr 1, 2010

I've just started experimenting with SSH tunnels. I wanted a way to connect to MySQL on our website VPS but wanted the connection encrypted rather than just using PHP's mysql_connect() function and connecting to the remote IP. This seems to be working great. I'm also looking into autossh to make sure that the tunnel gets reconnected when it drops. Is there a command/utility that can list the currently active SSH tunnels? It would be great if there was a way of terminating an active tunnel through a command as well. Or is it a case of manually digging through the process list and killing the specific PID like I have been?


General :: Single Application Through OpenVPN Tunnel (Debian Lenny)?

Jan 25, 2010

I'm using Debian Lenny and I want to tunnel rtorrent only through an OpenVPN tunnel. I have a tunnel running, the config file looks like this:

client
dev tun
proto udp
remote openvpn.xxx.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

[Code]...

My idea is that I could run a sockd proxy internally that redirects traffic to the openvpn tunnel. I could use the *nix "proxifier" application "tsocks" to make it possible for rtorrent to connect through that proxy (as rtorrent doesn't support proxies). I have trouble configuring sockd as my IP inside the VPN changes every time I connect. This is a config file someone said would help:[URl].. As my IP changes at each connect I don't know what to put in that config file. I have no control over the host side config file.


Ubuntu :: Restrictions Of MP3 And DVD

Jan 1, 2011

I try to understand the reasons for restricting DVD and MP3. My conclusion so far is that DVD is restricted due to software patents (and the DMCA). The software decoding DVD is open software, though. What is the situation regarding MP3? It is also restricted. Is it due to the same kind of software patents? As I understand, the MP3 codecs are not free software (like DVD)?


General :: Logwatch Configure To Use SSH Tunnel Into Mail Server To Send Log Reports

Feb 28, 2011

We have the following setup:

1. Webserver (Centos 5.5)
2. Mail server (Centos 5.5)

We have configured autossh successfully to create/manage the SSH tunnel into the mail server in order to dump all emails to a localhost port.

To auto-start autossh at boot time we have included the following in /etc/rc.d/rc.local:

Quote:

So whenever our web application wants to send out emails it dumps all emails to the localhost:33465 port, easy peasy, all is working great.

Now we have a requirement that logwatch reports should get delivered via the same ssh tunnel rather than installing postfix and configuring as a relay.

In logwatch is there a way to achieve that?


Fedora :: Get Rid Of Policykit Restrictions

Sep 5, 2010

How can I get rid of all policykit restrictions that fedora 13 has? I just upgraded from fedora 10 and of course my freenx sessions are again unable to do anything useful like mounting a drive. Difference is no GUI now to help fix this. So I would like to get rid of all restrictions.


General :: Create An External SSL Wrapper/tunnel Page For An Insecure Webpage Behind A Firewall?

Mar 14, 2011

I have a security cam with a built-in webpage inside my home network. That camera is using basic HTTP authentication instead of SSL. I want to be able to access the camera's webpage from outside my network, but I don't want to open an unencrypted video stream to the outside world. Right now, I'm doing some cumbersome SSH tunneling where I bounce off an SSH server like: ssh -N -L 9090:[URl]..and then I connect to my web page like: http://localhost:9090

But this is a pain. Now, gentle reader, I beseech you to tell me how I can use linux (Ubuntu) to get a fully encrypted SSL connection to my internal web page without the hassle of creating an ssh tunnel each time. I believe I can use stunnel, but I'm not sure of the command.


General :: Backup / Setup A Second VPN Tunnel On A Fallback Gateway / Firewall On The Client Side

Mar 1, 2011

I've set up a LAN-to-LAN (routed) OpenVPN tunnel. For redundancy I want to set up a second VPN tunnel on a fallback gateway/firewall on the client side. Currently, both sides (server/client) know how to route packets across each other's physical LAN, so no NAT is used. When the primary gateway (fw1) is connected to the VPN server, all traffic runs via the fw1 tunnel. Then when the secondary gateway (fw2) connects to the VPN server and fw1 is still connected, all traffic for fw1 will be delivered to fw2, effectively destroying traffic intended for fw1. This is of course no problem if I first shut down (fence) fw1, then set up fw2 to use the gateway IP address from fw1 and set up the VPN tunnel to the VPN server, effectively replacing fw1 with fw2 on the client side.
However, I can't seem to find a decent howto.

I am also exploring the possibility of leaving both tunnels active and letting OpenVPN (or another tool) decide how to route packets back and forth between the different LANs. A virtual IP between two gateways both running a VPN, or something similar. This would be the preferred method of course. However, I don't know how to tackle this one but I'm pretty sure there are people out there who are happy to share their 2 cents.


Ubuntu Servers :: Users On The Machine Can Login Into Vsftpd With Their Username And Password On The Machine And Go To Their Root Dir "/home/username"?

Nov 3, 2010

I recently installed vsftpd on my server. I noticed that users on the machine can log in to vsftpd with their username and password on the machine and go to their root dir "/home/username". Now, I want to give some people a vsftpd username and password so they can upload and download files and folders to their folder, but this folder has to be in the "/var/www/(username)" folder. I don't want them to be able to go to any other folder than their own folder, like "/var", "/etc" or "/home" etc. Also, I don't want them to be able to log in on the machine as a user, through PuTTY for example. They should only be allowed to access their folder with vsftpd, nothing else.


OpenSUSE :: KDE Action Restrictions Does Not Work?

Jul 6, 2010

I'm working with Opensuse 11.2 and KDE 4.3.5. I tried to restrict the run command (with Alt-F2) in the kdeglobals file:

~/.kde4/share/config/kdeglobals
[KDE Action Restrictions]
run_command=false

But there is no effect. With Opensuse 10.3 and KDE 3.5 it works fine.


OpenSUSE :: Put IP Restrictions On A Single PHP File?

Jun 3, 2011

I usually use .htaccess to restrict access to directories. But what if I just wanted to secure a single php file? Is there some sort of code that would allow me to say ONLY THIS IP can access this PHP file?


Ubuntu Servers :: Ssh Restrictions Per Interface ?

Aug 20, 2010

I have a server with two active network interfaces. On one, I need ssh open for all users (it's running LTSP, and as I learned the hard way today, blocking ssh kills LDM access).

On the other interface (which connects to the rest of the network), I only want to allow a few administrative users to connect.

Is there a way to do this cleanly using sshd_config or PAM? I don't want to do something hacky like running dropbear.


Ubuntu :: Removing 'var/www' Root Restrictions?

Sep 26, 2010

I have an Apache, PureFTPd, PHP5, and MySQL server set up and running. I'm running several scripts that require folder access to "var/www" in order to accomplish the scripts' duty. How do I remove and/or work around the security measure?


Fedora :: Delete Restrictions For Users' Passwords

Dec 22, 2009

I have Fedora 10 installed. I want my users to be able to use any password they want. So I edited /etc/pam.d/system-auth, the password section.
Was:

Code:
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
Become:

[Code].....


Fedora Networking :: Internet Access Restrictions?

May 31, 2011

I have a work network of about 20 boxes, most of which are running Windows 7; one of them is a file server using Linux and another is Windows Server 2003. Now the local IP is distributed by the router, and no regulation of internet access is done by any of the servers. What I need to do is restrict internet access to select domains, which would probably need DHCP through Linux (I think, not really sure), and I need something simple like a 'blabla.conf' file with the allowed websites that I can edit. I need to know how to regulate IP addresses through the Linux box (all details if possible, I never tried to do that before), and how to restrict internet access also through Linux.


Ubuntu Servers :: Put A Few Login Restrictions In Place?

Jun 3, 2010

I've got Ubuntu Server 10.04 set up and I wanted to make a few restrictions. It's pretty much just acting as a VMware server at the moment, and there are some users I've created who I only want to be able to log into the VMware infrastructure web interface. I want to make sure these users can't log in via SSH, FTP, or the console itself. I understand how to block them from logging in via SSH by using DenyUsers, and I added these users to the /etc/ftpusers file to lock them out of FTP, but how can I block them from logging in at the console itself?

I tried locking the user out by editing the /etc/passwd file, but the problem is that by doing this, it also prevents the user from being able to log into the VMware web interface.

The user's entry in /etc/passwd looks like this: bsmith:*:1005:1005:Bob Smith,,,:/home/bsmith:/bin/bash








Copyrights 2005-15 www.BigResource.com, All rights reserved