I tried changing the sftpserver port but its not working, besides how can i restrict users from particular ips.Eg: users a can ssh from 192.168.*.*user b can sftp from 200.*.*
View 2 Replies
Is there software that is available that restricts access to ssh and sftp in a similar fashion as Chroot?
View 1 Replies View Relatedif i want user should`t have more than 20 sftp connections to a server,is there any way we can limit no.of connections to a particular user on the server using ssh configuration
View 7 Replies View RelatedI want the users to access servers via ssh public key only. By default they don't know their initial password and do need to change that when performing administrative tasks.For changing their passwords without knowing the old they need to switch to root for this special case.The only case it seems I don't have control is that users can not only change their password but also the password of other peoples. Does someone sees a solution (without apparmor/selinux and special /usr/bin/passwd.sh) to restrict users to only change their password?I miss the feature of using environment variables in sudoers file.
View 9 Replies View Relatedmy team is working on network thier termial is windows and my server is linux centos we work on simple network with out domainmy user works on files on the server, can I deman ser name and passwork when they try to change to the shared files on the servernd can i monitor which user chaned a fileI have css developer and he is only allowed to create and modify css files can i do this ?
View 3 Replies View RelatedI heard we can set security in /etc/hosts.allow and /etc/hosts.deny on user base also like something user@domain or something if so how can I restrict a user to access particular service by his/her user name in a particular host via /etc/hosts.allow or /etc/hosts.deny
View 3 Replies View RelatedI'm running Natty and have made two logins on the system. One for myself and family and one for the kids (teens 14-15yr) to play in without Internet access via Admin "Users and Groups". I have hidden the Internet software icons on their screen amongst others i don't want them to see on the menus. On our screen I use a Firefox addon called "Web Of Trust" that can be configured easily for the kids and another addon called 'Blocksite' that I can selectively use for them and myself etc.
I have found out that they have still been able to get on to the net somehow under their login. Will have to observe again!! In the users settings for the kids the tick box for 'Internet'and 'use modem' access is un-ticked so I presumed that would be enough! Not so!!
I'm trying to tighten up my network a bit. I've given my dhcp server a list of static mac addresses and ip's for computers i know, and a very short range of dhcp addresses that are redirected to kittenwar.My dilemma is that if someone has my wireless network password, or an ethernet cable, they could set the ip address manually and gain access.how can i deny them this pleasure?im running dhcpd3, and iptables on a debian/lenny intel 2.4 box. dd-wrt is running in a linksys wrt54g and is handling the wireless security
View 7 Replies View RelatedI have been trying to get Squid to work so that I can restrict access to a particular web site during certain hours every night. I can't seem to get it working, however. I am still able to access the site. The following are the relevant lines from my squid.conf file:
acl restricted-domain dstdomain "/etc/squid/denied_domains.acl"
acl test time 19:00-20:00
acl bedtime time 22:00-23:59
[code]...
allow sftp access to my Ubuntu system (happens to be desktop as it's also my main system) using accounts that are not able to login normally. (I have already managed to create such accounts.) These accounts need to be chrooted (also already accomplished with the openssh daemon settings.) Where I run into problems is that I want to give them (read only) access to files outside the chroot (on another partition in fact) and the matter if made more difficult because the directories to be shared are on NTFS-3G partitions (as they are a shared linux / windows storage drive). Is this possible and if so, what do I need to do?
Edit - Forgot to include versions
Ubuntu 10.10
openssh 1.5.5p1-4ubuntu4 (the one that comes with 10.10)
I am trying to configure my Linux router to restrict Internet access for one computer on my LAN. It needs to be restrictive based on the time of day and the days of the week. I am using the MAC address of the computer to single out the one computer that needs to be blocked. However, this is my first attempt at making any rules with iptables, and I am not sure if I am doing this right. If some one can take a look at this I would greatly appreciate it. This is what I have done so far.
Here is my thinking. Create a new target. Check the MAC address, if it is NOT the offending computer return to the default chain. If it is the offending computer check that we are between the allowed hours and dates and ACCEPT. If we are not within the time/date range then drop the packet.
Code:
Here I am trying to route all packets regardless of the computer on the LAN into the blocked_access chain for checking.
Code:
Is it a good idea to route all traffic through the blocked_access chain? I do run other servers that are accessible from the Internet, so I am not sure how this setup will affect that. I also use shorewall on the router to setup iptables for me. How would I integrate this with shorewall?
I am using squid to block access when he is using the web browser. However, he is still able to play games(World of Warcraft) and the like.
I am using Debian sid, iptable(1.4.6), shorewall(4.4.6), kernel 2.6.32-trunk-686.
right now i have vsftpd server installed for FTP access. I originally set it up for both FTP and SFTP, but found that SFTP disregarded any and all permission settings and user jailing that i had set up... so I am switching to just being standard FTP
so here is what's happening:
i've tried to disable SFTP in the sshd_config file, but i am still able to log into the ftp server under sftp through port 22 (which normally is ssh?) i've tried all kinds of things short of just blocking port 22, however I would prefer to be able to remote into my server via Putty (which has access restriction to ONLY allow my admin user account over ssh)..
I have an Asterisk on an externally hosted vServer with Lenny. In order to further protect the SSH access I intended to change the Port number 22 to something like 55555. For this I changed the /etc/ssh/sshd_config file and restarted ssh. This caused unfortunately the following problems:
(1) The first login works but DenyHost writes now the IP in its list so that the second login with the same IP is blocked.
(2) With RESET_ON_SUCCESS = yes several logins were possible with the same IP, but later it also was blocked for some still unknown reasons.
(3) Files can be uploaded for being edited, but they can't always be saved. When they can't be saved the next login with this IP is blocked. It thus looks like the blocking can occur while being connected. When the files can't be saved it is however still possible to copy files from the computer to the vServer.
I add below the entries in the auth.log from a logout and a login. It shows further how suddenly the attempts to save files were blocked. After this session the IP used for it was blocked. I don't know where the message "Unable to open env file: /etc/default/locale" comes from. If I remember right I had these messages already before. I don't know how much that is really important.
[Code]....
VERY new to linux, erm but I have an issue that needs solving!I recently moved to university, where their network blocks sftp port 22, this means that I cannot connect to my FTP server which is running a version of linux.Now I've got this ftp server connected to a seedbox and it was created using the following walk through..Code:I have written this guide for a friend, but I though it would be useful for others as well.
There are several guides floating around, but I found that most always cock up in some way. This one is tried and tested to work on Debian Etch (on an OVH rps, but should apply to most servers).If there is a new stable release of rtorrent/libtorrent then I will update this guide to show you how to update it (without reinstalling the whole server).
At the bottom there are also instructions to install ftp access & some network monitoring software.Basically, I would really like someone to be able to construct the commands on how to change the listen port for sftp connection on linux or add another port to the list that Linux would use so that I could put in through putty.
In RedHat 4/5 How can i jail/restrict an sftp user to his home directory?
Can i do this without using rssh ?
I have configured rssh 2.3 with openssh 5.8 on RHEL 5.6 64 bit to restrict the users to scp and sftp. When i try to sftp or scp it gives error connection closed. After long googling tried different solutions like add missing libraries, setuid to rssh_helper. I had full copy of /lib to /chroot/lib and /chroot/lib64 but no success. conf and log files are below for reference.
[Code]...
I have installed Bind 9 on a new Fedora machine:
Code:
[root@***]# rpm -q bind
bind-9.7.2-1.P3.fc13.i686
It was yum installed and all went well without error but I'm not able to access bind on port 53. Selinux is disabled for this test, and the iptables have been saved to the below config in the INPUT chain:
Code:
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW
[Code].....
I have several directories, each owned by root and a group of the same name,By setting the sgid bit, I made sure that newly created files and directories are owned by the correct group, and that directories have the sgid bit set too.On each newly created directory or file, the permissions are set to 755. This is because this is the default umask, and I cannot change a users umask. I actually only want files created below a particular directory to have group write access, inheriting this behaviour to newly created directories properly.I'm not on samba or NFS, I have to do this for SSH users.The filesystem is ext3.I started to fool around with ACLs, but couldn't find what I was looking for.
View 3 Replies View RelatedI'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain and this is how we want to keep it for various reasons I wont get into here. Here's the output from iptables -vnL
[Code]...
Note the actual IP we are using is masked here with 123.123.123.123. Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much. So I'm quite confused about why packets matching the DROP criteria are still being allowed.
I'm trying to open port 8080 on my application server. I've included it in my iptables; however I still cannot access through ssh nor putty and it doesn't show up when I netstat either.Here is my iptables-config:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s xxx.xx.x.0/24 -j ACCEPT
[code].....
Is it possible to restrict telnet connection from remote to my server(linux -centos5)?
=================
Ex : [root@localhost]# telnet 10.0.0.33 80
Trying 10.0.0.33...
[code]...
I have a server in a colocation environment where I'm allotted 25Mbps. I'd like to avoid exceeding that for obvious reasons. Is there a way I can set the link speed or at least throttle the bandwidth for all services?
View 2 Replies View RelatedI'm a terrible procrastinator, it's awe-inspiring annoying and stressful. This in combination with being a information-holic makes the Internet fairly lethal to me; I risk failing my college course because of it, so trust me when I say I'm deadly serious about this.
However, I think you guys may be able to help out, and maybe this will also help some people here with similar problems:
Because so much of my time is taken up with Interwebz, I thought to carefully restrict my internet use. It's not prefect, but it's part of a solution.
To date: I have Firefox and the ProCon extension which uses a whitelist of websites I can access. The extension cannot be uninstalled/disabled and I use a long hex password split into 3 parts, two of which my friends have (so I have to ask my friends for the password parts in order to update the whitelist, hence making it socially awkward to fritter away time online).
So far, it has worked a treat and I'm really pleased with it.
However, this is the problem:
I need to restrict web access so *only* Firefox can access the web. That way I cannot use Chrome/Opera, or even (shudder) use wine to run Internet Exploder.
I have remote server and when I want to connect to it from internet I need to choose port 2222. I tryed to do it using filezilla, gftp, it can be done. Because they want from me to use default ssh port 22
View 1 Replies View RelatedI m new with Fedora 14, and i have a basic business case :
I want to setup a user which should
- only connect to the server with SSH (ex.: no X11 connection).
- cannot change its shell
- cannot do any SU / SUDO command
This user is very similar to a SERVICE user, as I expect him only to run a single program (its shell).
I've installed Ubuntu Desktop Ed 9 and I want to add a user account that would be very restricted. I would only want them to access the internet and run several programs. I do not want them to have access to the destkop, anything under preferences, administration etc... Is this possible?
View 1 Replies View RelatedNeed to restrict cvs login from specific IPs
in file /etc/security/access.conf
+ : builduser : 10.200.2.1
Do not work
when changed to ALL as below it works
+ : builduser : ALL
I would like to allow a user to login through SSH but with different permission coming from different ipaddress.
For example, a user "tester" login to SSH through 192.168.1.1 and another user login with the same login id "tester" but from different ip 192.168.1.2.
How do I restrict 192.168.1.2 to only allow for viewing the content in the home directory while giving 192.168.1.1 full access?
Here's the beginning of the issue: I'm running Fedora 12 with httpd and sshd. I want to create a user with a scponly shell for sftp access, but this user should ONLY be able to view /the/http/base/dir and its subdirectories. The user should not be able to see or get into directories above the httpd base. Someone mentioned creating a chroot jail for sshd and binding the httpd base to that dir, but this seems like more work than is necessary for the application I wish. Also mentioned was creating a user, say user1 with a selinux user setting of staff_r. I have read the articles and creating a user of staff_r isn't overly difficult, but how would I make it where staff_r would be restricted to where I want them to be? If I'm not mistaken, that would require changing the context of /the/httpd/base/dir?
View 4 Replies View RelatedI want to restrict user for SSH Logon, but able to use SFTP.
Also, i like to know how to restrict a user on SSH from everywhere except one host.
