Networking :: Restrict SSH Sessions To A Specific SSH Client?
Feb 27, 2009
I am looking at ways in which I can restrict SSH session requests to those coming from a specific SSH client (say PuTTY or NX Client). Is it possible to restrict SSH client login to a particular client application?
View 8 Replies
Jun 12, 2011
Perhaps it is my misinterpretation of AppArmor, but how can it be configured to restrict TCP or UDP traffic to/from specific ports?
The profile "abstractions/nameservice", under the section "# TCP/UDP network access", doesn't seem to lock the application to port 53. What am I missing? Restriction to specific ports is something that systrace can do, so I'd expect nothing less from AppArmor.
View 5 Replies
Aug 12, 2010
I have a mate who runs the IT in his office. He has recently set up and secured the network but now has an issue logging in to the network from home. Here is the message I got from him regarding the set up and what he is having specific issues with.
I was really pleased with the results on my Pen Test; the office itself is a pure MS environment but the testers all use Ubuntu 9.10 to hack with. The main tools of choice are Nessus and Ophcrack with a bit of NMap. It's pretty scary what you can do with just these tools. I had a Wireshark trace running all the time and it's fascinating to watch how these guys crack open a system. The only really major change I've had to implement on my network is to force the use of SSL as a transport layer for our remote desktop sessions. This has forced me to start using MS RDP Client 5.2 because it can use certificates on the session. The problem I've got now is that the Terminal Client in Ubuntu can't do this so I can't remote in from home on my Ubuntu laptop.
View 1 Replies
Mar 3, 2011
I have configured Squid for my LAN. My LAN has three Red Hat 5.3 web servers. Now, by using the proxy server, I wish to give external clients access to my web servers and to restrict local clients from accessing the WAN through port 80.
View 2 Replies
Jun 9, 2009
I am using OpenSSH 5.2-p1. I want to restrict user "admin" to log in to the server from a specific IP address; for this purpose I have tried the following blocks in the sshd_config file. The following is the part of the sshd_config file which I have modified:
# The following commands will only allow a specific IP to log in to ssh.
#AllowUsers admin user1 user2
#AllowGroups
# override default of no subsystems.
Subsystem sftp internal-sftp
Match Group sftpgroup
ChrootDirectory /home
AllowTCPForwarding no
[code]....
I want to restrict the admin user to log in to the server only from the IP 172.16.100.221, which can be done by using an AllowUsers line, but I don't want to use an AllowUsers line.
View 1 Replies
Sep 24, 2009
I need to restrict CVS login from specific IPs. In the file /etc/security/access.conf, the line
+ : builduser : 10.200.2.1
does not work. When changed to ALL as below, it works:
+ : builduser : ALL
View 2 Replies
Apr 7, 2010
I want to restrict SSH so that it's only accessible via the machines I own on this network. Obviously I need to secure user authentication/host authentication; that aside, though, is the following sufficient at a network level, given that technical users also use this network? IP addresses are static, though I know they could be spoofed.
Code:
Chain INPUT (policy DROP)
target prot opt source destination
existing-connections all -- anywhere anywhere
allowed all -- anywhere anywhere
[Code]....
View 4 Replies
Oct 20, 2010
I have several users on handhelds and they like to let their sessions time out. Their zombie processes then cause record locks. I've come up with calls for killing the PIDs of any prior sessions started by a given user. This procedure would be executed in the .bash_profile.
View 3 Replies
Jul 27, 2010
I am trying to download a site using wget:
$ sudo wget -r -Nc -mk [URL]
but it is downloading the contents of all directories and subdirectories under the domain [URL] (ignoring the 'codejam' directory), so it is downloading from links like [URL]... I want to restrict the download so that the wget command downloads only the things under the 'codejam' directory.
View 9 Replies
Apr 8, 2009
I look after a server which accepts automatic overnight PASV FTP uploads from remote clients. When the uploads are complete, my Bash script copies the files to another location. The problem is, my script needs to be a bit smarter when it comes to detecting active FTP sessions.
I was using:
Code:
netstat -n | grep ":21 " | grep ESTABLISHED
to test if there were active sessions, but came unstuck when a local user left an unrelated FTP session active. The result: my script hung around all night thinking there was an active upload from a remote client. My server is behind a firewall, so remote clients all show an internal (NAT) address, so I can't differentiate by source IP address. I can't install lsof or fuser for security reasons. Is there a way I can test for active FTP sessions from specific users? I am running Red Hat Enterprise Linux Server release 5.2 (Tikanga).
View 7 Replies
Jan 3, 2011
The company has asked me to block some pages on google.co.in. I cannot block the entire domain. Is there any way to block a specific web page like
View 2 Replies
Jan 6, 2011
I am trying to create a "local network" by directly connecting an IBM ThinkPad with Debian Linux installed on it to an Alix computer running Voyager Linux. I'm following a "how to" I found to create a music server, hence the requirement. My issue is I can't get a static IP address to be configured on the Debian machine. I've trawled the net and have found the instructions about editing /etc/network/interfaces and have tried to do this. First I tried to get DHCP working so I could connect the Debian machine to the net, and this proved successful. I edited the interfaces file to look as follows:
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
Then I tried adding a static IP address to the machine. As this is a network purely between two machines, I made up the IP address and used 192.168.0.1, and used a netmask calculator to give me a netmask of 255.255.255.254 (I told the calculator there would be 2 machines on the network). I then edited the interfaces file as follows:
# The loopback network interface
auto lo
iface lo inet loopback
[code]....
I rebooted the machine (ifdown eth0 followed by ifup eth0 keeps saying that eth0 hasn't been configured; a problem there that I don't understand), but during boot-up it failed to assign the static IP address to eth0 and made me go into SU mode. To fix it I simply replaced the interfaces file with the static IP entries with the file that had the DHCP entries (I'd made a copy of the DHCP file), and restarted the machine. Everything came up fine. So the first question is: how do I get a static IP address assigned to eth0 such that whenever I shut down and restart the machine the static IP address is always loaded?
The second question is around creating the network via the cross over cable. From what I've found via Google, all I should have to do is create a static IP address on the Debian machine and a static IP address on the Voyager machine. Once they're connected by the cross over cable they should see each other. Is that correct, or do I have to do anything else?
View 2 Replies
Sep 8, 2010
With Mellanox 10G NICs and the MTU set anywhere from 1600 to 9000, we have TCP sessions hanging. Executing ls during an sftp session just hangs. The same thing happens for an ssh session: if I execute ls I might get a few items in the directory, but then the session hangs. Likewise for FTP. The Fujitsu switch is configured by default to handle jumbo frames. At 1500 MTU everything works fine. We are running the 2.6.25.14 kernel with CentOS 5.2 and the Mellanox driver.
View 3 Replies
Jul 1, 2010
If I stop that session and come back later, it will have me log on at the login screen, but it starts a new session, with multiple instances of things. Now, with vino, I could just keep the same session running, and when I VNC in, it just resumes it. This one starts a new one. I even tried just locking the screen, and it still starts a new one. I know there is an easy fix, lol, I just cannot find one. I REALLY like how it shows me the Ubuntu login on my server; that is slick, so I'd like to keep that, if possible.
View 2 Replies
May 12, 2010
I'm trying to VPN in somewhere and it doesn't like any outbound connections. I'm doing this for RDP, so can I somehow restrict the VPN connection to only be using the RDP port?
View 1 Replies
May 27, 2010
So I have a USB wireless adapter that I set up on my Xubuntu system, and it has been working great since. The laptop that I have Xubuntu on is kind of a POS, so I wanted to try out LXDE to see how it would fare in terms of resource usage. When logged into an LXDE session, all of the ndiswrapper settings appear to be the same, but there are no networks listed and it doesn't connect.
View 2 Replies
Aug 15, 2010
I run pidgin instant messenger via fbpanel taskbar via fluxbox window manager via xvnc vnc server via xrdp remote desktop terminal via sesman session manager.
One problem I've found is that Pidgin does not detect when I stop mousing or typing. I also run gnotime time tracker and it too is not able to detect when I don't type on the keyboard or move the mouse in my X-Windows.
Some questions: Is there a common problem? Is there a workaround? Is there a way to diagnose the problem, perhaps a program which says which window got the input that resets the idle timeout?
Is there a way to examine or record the idle periods?
View 1 Replies
Sep 17, 2010
I'd like to use tc and iptables to restrict the download speed. I understand this is known as policing. Are there some resources I could use to learn how to do this? I want to restrict on a per-IP basis.
View 1 Replies
May 20, 2010
I have a lab with 1 switch and 2 machines attached: one XP station and a Debian lenny server. My Debian runs dhcpd with this configuration:
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.31 192.168.1.254;
default-lease-time 345600;
[code]....
I'm trying to restrict dhcp to only provide settings for a list of MAC addresses (about 300 MACs). Using the following option is no good to me because I don't have a pattern in my clients' MACs:
class "private-hosts" {
match if substring (option hardware,1,11) = "01:00:50:56";
}
[code]....
I've tried using iptables with the following configuration, but XP is still getting an IP from dhcpd:
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
[code]....
View 2 Replies
Jul 1, 2010
How do I do this at my modem page?
View 4 Replies
Aug 19, 2010
I have a lab with 1 switch and 2 machines attached: one XP station and a Debian lenny server. My Debian runs dhcpd with this configuration:
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.31 192.168.1.254;
default-lease-time 345600;
max-lease-time 691200;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option domain-name "lab.com";
option domain-name-servers 192.168.1.12;
option netbios-name-servers 192.168.1.12;
option netbios-node-type 8;
option broadcast-address 192.168.1.255;
option ntp-servers 192.168.1.12;
ddns-updates on;
ddns-update-style interim;
}
I'm trying to restrict dhcp to only provide settings for a list of MAC addresses (about 300 MACs).
Using the following option is no good to me because I don't have a pattern in my clients' MACs:
class "private-hosts" {
match if substring (option hardware,1,11) = "01:00:50:56";
}
pool {
range 192.168.1.31 192.168.1.254;
allow members of "private-hosts";
}
I've tried using iptables with the following configuration, but XP is still getting an IP from dhcpd:
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Full from Localhost to Localhost
iptables -A INPUT -i lo -j ACCEPT
# Full from My PC
iptables -A INPUT -s 192.168.1.2 -j ACCEPT
So I can't limit DHCP to specific MACs.
View 8 Replies
Jul 1, 2010
Anybody know how to do this, IN MY MODEM PAGE? This is the best I can copy my modem config page code...
View 2 Replies
Jul 6, 2010
I have a server in a colocation environment where I'm allotted 25Mbps. I'd like to avoid exceeding that for obvious reasons. Is there a way I can set the link speed or at least throttle the bandwidth for all services?
View 2 Replies
Apr 7, 2010
My requirement is to route ssh sessions from a single head node to multiple slave nodes. So what I want is: for a client there is just one point of entry (the master/head node) to ssh into; it evaluates the load on the slave nodes connected on the internal network and routes the ssh session, kind of an ssh load balancer. Do you have any idea what open source solution I can apply to my problem?
I have tried using LVS piranha, it works well for http and https load balancing but not for ssh load balancing.
View 4 Replies
Dec 1, 2009
I have a Fedora 11 system with cbq.init-v0.7.3 on it. Now I want to restrict upload speed from my ftp server to the Internet (eth1). According to the docs I've made a simple file /etc/sysconfig/cbq/cbq- 00.inet_upload_restrict:
DEVICE=eth1,100Mbit,10Mbit
RATE=800Kbit
WEIGHT=80Kbit
PRIO=5
RULE=:20,
So as you can see I want to limit outbound traffic on eth1 from my ftp port 20 to anywhere to 800Kbit/s (100Kbyte/s). Now I do cbq start, and it says:
find: warning: you have specified the -maxdepth option after a non-option argument (, but options are not positional (-maxdepth affects tests specified before it as well as those specified after it). Please specify options before other arguments.
find: warning: you have specified the -maxdepth option after a non-option argument (, but options are not positional (-maxdepth affects tests specified before it as well as those specified after it). Please specify options before other arguments.
but it starts and works. Now I check the speed and it is...
View 3 Replies
May 20, 2009
I have the following problem: I have two networks in remote places. I have an openvpn client in one network that connects to the router (openvpn server). My question is, can I connect the network where the openvpn client is, through the computer with the client, to the other network? If yes, how? (Please make it an idiot-proof answer because I have limited knowledge about iptables.) I was thinking of forwarding (the router in the network with the openvpn client is also firewalling with iptables) the requests for the IP class of the openvpn network to the computer with the client, which masquerades the interface.
View 2 Replies
Feb 2, 2011
I want to restrict some sites (social networking) through my newly configured Squid proxy. But it always allows those sites. How do I block those sites? My squid.conf file is configured as follows:
#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
[code]....
View 14 Replies
Jun 8, 2010
How do I give permission to a logged in user to stop/start a specific service without entering a root/sudo password? So they can do a simple "service SomeService stop|start" It is for a headless Ubuntu server.
View 5 Replies
Jul 24, 2010
I need to search a bunch of files in a specific folder for a specific number and add all the numbers together to a total sum. I use rsync every day, and every time I run rsync I get a log file (rsync output) which contains the text string "Total bytes sent: xxxxxx".
The "xxxxx" can vary in length. I need to extract the "xxxxxx" from each file and add the numbers together to a total size over a week or a month. Is this possible? And I wish to only use bash. One way of doing stuff at a time, my friends.
View 5 Replies
Jun 9, 2010
On my system I want user1, and only user1, to be able to mount and unmount a specific partition. This partition contains backups and is usually mounted read-only; it needs to be temporarily mounted read/write by user1 while doing the backup. user1 is an unprivileged user. I've read that the user option will let any user mount the file system (and only that user can then subsequently unmount it) and that the users option allows any user to mount or unmount the file system. I also found this in mount's man page:
Quote: The owner option is similar to the user option, with the restriction that the user must be the owner of the special file. This may be useful e.g. for /dev/fd if a login script makes the console user owner of this device. The group option is similar, with the restriction that the user must be member of the group of the special file.
So it looks like I'd need a login script for that user to make the user owner of the device file (/dev/voiceserv/backup in this case).
View 7 Replies