Ubuntu Security :: Restrict Root Logons To The SSH Server To A Single Ip Address?

Feb 26, 2010

Is it possible to restrict root logons to the SSH server to just a single IP address (or maybe a range)? I have other users connecting to the server daily, so restricting ALL access to a single IP I cannot do. I need root enabled (for my own reasons) but want to lock it down a bit more.


Security :: IPTABLES - Restrict Internet Access Based On Time Of Day And MAC Address

Feb 6, 2010

I am trying to configure my Linux router to restrict Internet access for one computer on my LAN. It needs to be restrictive based on the time of day and the days of the week. I am using the MAC address of the computer to single out the one computer that needs to be blocked. However, this is my first attempt at making any rules with iptables, and I am not sure if I am doing this right. If someone can take a look at this I would greatly appreciate it. This is what I have done so far.

Here is my thinking. Create a new target. Check the MAC address, if it is NOT the offending computer return to the default chain. If it is the offending computer check that we are between the allowed hours and dates and ACCEPT. If we are not within the time/date range then drop the packet.

Code:

Here I am trying to route all packets regardless of the computer on the LAN into the blocked_access chain for checking.

Code:

Is it a good idea to route all traffic through the blocked_access chain? I do run other servers that are accessible from the Internet, so I am not sure how this setup will affect that. I also use shorewall on the router to set up iptables for me. How would I integrate this with shorewall?

I am using squid to block access when he is using the web browser. However, he is still able to play games (World of Warcraft) and the like.

I am using Debian sid, iptable (1.4.6), shorewall (4.4.6), kernel 2.6.32-trunk-686.


OpenSUSE Install :: Root Logons Not Allowed?

Oct 18, 2010

Went to switch to root in KDE, and at the login attempt I got the above message. Any clue as to why? I can log on to root from the shell, but not KDE. Will be poking around a bit more tonight and keeping an eye on here.


Debian Configuration :: Apache Config - Restrict The Access To Local Web Server By IP Address?

Jul 29, 2010

I want to restrict the access to my local web server by IP address. I'm in a LAN (192.168.200.xx) so I have this:

[code]....

But when I try to connect from 192.168.200.4 it says I don't have permission to access.


Ubuntu Security :: Is The Root Password In 11.04 For A Single Program Or For All Programs

Sep 1, 2011

I have Ubuntu 11.04 installed alongside Windows. And I often share files with Windows computers. If I am installing a new package from Ubuntu Software Center, and consequently I have to log in as root to do so, which means I have given the system 'privileges' as the program is being installed, I decide to go open Mozilla, and surf suspicious sites on the net. Is it possible in that case for me to get a virus?

When we enter the password for the root user in order to run one program such as ubuntu software center, does that mean that all programs have root privileges for the time being (as the software center is installing the program)?


Server :: Multiple IP Address On A Single NIC?

Jan 20, 2011

We can add multiple IP addresses on a single NIC. Is there any limitation on how many IP addresses I can add on a single NIC card?


Fedora Security :: X Server Restrict Via Xselinux Module

Apr 24, 2011

Module xselinux, which appeared in new versions of XServer, theoretically allows the use of SELinux in order to improve security. First of all I'm interested in examples of the use of this module (configuration files and what functions it performs). Also interesting to know whether some user's actions with XServer can be restricted via the xselinux module (e.g. screenshot prohibition).


Security :: Resetting Root Password In Suse In Single User Mode & Rescue

Jul 14, 2009

When I go to single user mode for resetting the root password, it asks for the root password for login. The message displayed on the prompt is "Give root password for login". At the boot prompt, I select the kernel and press 'e', and after one space type 1 for single user mode and then press 'b' for booting. It shows a message about entering single user mode but asks for the root password. I even tried rescue mode, but I couldn't set the root password. In rescue mode the prompt shows rescue login: I typed root, but when I typed 'passwd' for resetting the root password, it shows the message unknown user and not authentication.


Fedora Security :: Reset The Root Password By Booting Into Single Usermode By Editing Grub

Apr 17, 2009

Being able to reset the root password by booting into single user mode by editing grub. This is a MAJOR flaw. I know it makes no real difference against Internet-borne attacks, but even so I must say I found it shocking. The only way I've found to stop this is to encrypt the entire HDD, so no one could get into single user mode without first knowing the encryption key/password.


CentOS 5 Server :: Apache Two Virtual Hosts On A Single IP Address?

Feb 22, 2011

I am trying to run two web servers (Virtual Hosts) on a single Linux CentOS 5.5 box with a single IP address 192.168.0.182. I did all the pre-installation requirements such as yum install mysql, yum install mysqladmin, service httpd start, service mysqld start, etc. In the /var/www/html directory, I have two folders called server1 and server2. These two folders have the necessary web server PHP script files and folders. I opened the browser and managed to install the script on one web server successfully. When I put the IP address 192.168.0.182 in the browser address bar, the page loads without any problem. Now I would like to be able to install the other web server script and I don't know how to. Here is my httpd configuration:

<VirtualHost *>
DocumentRoot /var/www/html/server1
ServerName development.mysite.com

[code]....


CentOS 5 Networking :: Restrict User "admin" To Login To The Server From A Specific IP Address?

Jun 9, 2009

I am using openssh 5.2-p1. I want to restrict user "admin" to login to the server from a specific IP address; for this purpose I have tried the following blocks in the sshd_config file. Following is the part of the sshd_config file which I have modified:

#The following commands will only allow specific IP to login to ssh.

#AllowUsers admin user1 user2

#AllowGroups

# override default of no subsystems
Subsystem sftp internal-sftp

Match Group sftpgroup
ChrootDirectory /home
AllowTCPForwarding no
[code].....

I want to restrict the admin user to login to the server only from the 172.16.100.221 IP, which can be done by using the AllowUser line, but I don't want to use the AllowUser line,


Ubuntu :: SSH Restrict Public Key To A Single Username?

Apr 29, 2010

I set up SSH on a server running Ubuntu using rsa key authentication. I want to allow a friend of mine to log into the server with restricted access, so I created a user account named "guest" with its own home directory and ensured that it has no root access. I created a new pair of keys and added the public key to my authorized_keys, but when I was testing SSH I noticed that not only could I not log in as guest, I could use the key to log in as my own account and gain root access via sudo. How can I restrict specific private keys to only be able to log in as certain users?


Ubuntu :: Restrict Access To A Single Folder In Documents?

Nov 9, 2010

What is the simplest way to restrict access to a single folder in Documents?


General :: Restrict A Single User Logon?

Jun 9, 2010

How can I restrict a single particular user to logging into the server not more than 5 times?

The conditions may be:

1) wrong password

2) can login only 5 times on one day etc.


General :: Iptables Restrict Ssh Session By Mac Address?

May 24, 2011

I'm in the process of restricting access to my Linux production box, where ssh access needs to be limited to only a few MAC addresses. I've followed the instructions outlined in this guide and ran the following two commands:

/sbin/iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
/sbin/iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
root@xxxx:~/#: iptables --list

[code]....


Server :: Stop Root Sending Email To A Private Address?

Nov 4, 2010

System is RedHat v4. I removed root: admin-name@domain from /etc/aliases then ran /usr/bin/newaliases.

The admin does not get the emails but now the email generated by the cronjobs is being sent to my-name@domain outlook email from "root@localhost.localddomain". No other changes were made. Where should I start looking for the definition of sent crontab email to my-name@domain?


Security :: Blocking A Specific IP Address From Server?

May 8, 2010

I would like to COMPLETELY block a specific IP address using iptables. I found this one:

Code:

iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j REJECT --reject-with tcp-reset

Will this work? How do I undo the changes later?


Security :: The Server Was Hacked From So Called Tor IP Address?

Nov 14, 2010

I always use professional services to secure my servers. Everything was fine for years but a week ago my server got hacked. I don't know how the hacker got my username/password - it was not something like admin, password. 9 months ago my PC was infected with some virus which connected to the FTP server by using a password which was saved in CuteFTP and infected all index files with some javascript. Then I changed the user/FTP password and didn't save it anymore in CuteFTP. Of course, I checked all the folders and re-uploaded all infected files. Is it possible that this virus uploaded some hidden file which was able to get the new password for this account?

The server was hacked from a so-called Tor IP address. I am tired of worrying about server security and now have an idea to get a static IP address from my ISP and to allow logins only from this IP address. What do you think about it? This idea looks good to me, but are there any risks of losing access to the server? Can the ISP change the static IP address for some reason?


Fedora Security :: Block Some Ip Address That Are Attacking Server?

Aug 26, 2009

I want to block some IP addresses that are attacking my server and making my ssh port busy. On searching Google, I found

Code:
iptables -A INPUT -s ip_address -j DROP

I will add this rule in iptables. My questions are:
1) do I have to do

Code:
chkconfig iptables on

so that it load the iptables at boot. I am wondering why do I need this because iptables is already modified and it loads the iptables at boot time if firewall is enabled.

2) When we add the above rule, which file is modified? Put another way, where are these rules stored? It is not in /etc/sysconfig/iptables and /etc/sysconfig/iptables_config.


Red Hat / Fedora :: Restrict NFS Access To Root?

Aug 12, 2010

If there is a general NFS share in the LAN and for example this share has three files - a, b, c - is there any way to restrict file access to the root user of a particular host (falcon) in the same LAN environment while the normal users from the same host (falcon) should be able to access the NFS share & files a, b,


Security :: Address Space Randomization On 2.6.28-15-generic Ubuntu 9.04 - Finding Base Address?

Sep 14, 2009

I'm an academic (university networks and security lecturer) studying/teaching network and operating system security, and inspired by the work of Hovav Shacham set about testing ASLR on Linux. Principally I did this by performing a brute force buffer overflow attack on Fedora 10 and Ubuntu 9. I did this by writing a little concurrent server daemon which accidentally on purpose didn't do bounds checking.

I then wrote a client to send it a malicious string brute forcing guessed addresses which caused a return-to-libc to the function usleep with a parameter of 16m causing a delay of 16 seconds as laid out in [URL]. Once I hit the delay I knew I had found the function and could calculate delta_mmap, allowing me to create a standard chained ret-to-libc attack. All of that works fine. However .... To complete my understanding I am trying to establish where I can find the standard base address for Ubuntu 9 (and other distros) for the following, taken from Shacham:-

Quote:

[code]....

/proc/uid/maps gives me some information but not the base address. ldd also gives me the randomised starting address for sections in the user address space, but neither gives me the base address. Interestingly ... when I ran ldd with aslr on for over (about) 100 times and checked the start point of libc, I determined that the last 3 (least significant) hex digits were always 0's and the first 4 (most significant) were between 0xB7D7 and 0xB7F9. To me this indicated that bits 22-31 were fixed and bits 12-21 were randomized with bits 11-0 fixed. Although even that doesn't define the boundaries observed correctly.

Note: I am replicating the attack to provide signatures to detect it using IDS, and for teaching purposes. I am NOT a hacker and if needed I could reply from my .ac.uk email address as verification.


Ubuntu Security :: Restrict Users In 9 ?

Apr 14, 2010

I've installed Ubuntu Desktop Ed 9 and I want to add a user account that would be very restricted. I would only want them to access the internet and run several programs. I do not want them to have access to the desktop, anything under preferences, administration etc... Is this possible?


General :: Restrict Device Ownership To Root Only / Why Is So?

Jul 6, 2011

NSA's Guide to the Secure Configuration of Red Hat Enterprise Linux 5 recommends restricting device ownership to root only.

So my question is why should we restrict device ownership to root? And what does device ownership mean anyway in Linux?


Red Hat / Fedora :: Restrict Direct Root Login?

Feb 24, 2010

Even though users know the root credentials, how to restrict them from direct login as root user? They can log in as non-root user first and then as root user the material or provide some URL for learning the Perl script.


General :: Restrict Root To SU To Normal User

Mar 11, 2010

Is there a way we can restrict root to su to normal user? Or at least a way to prompt for the password when root tries to su <username>?


Ubuntu Security :: Restrict SSH To Specific Source Ips?

Apr 7, 2010

I want to restrict SSH so that its only accessible via the machines I own on this network. Obviously need to secure user authentication/host authentication, that aside though is the following sufficient at a network level given technical users also use this network? IP addresses are static, though I know they could be spoofed.

Code:
Chain INPUT (policy DROP)
target prot opt source destination
existing-connections all -- anywhere anywhere
allowed all -- anywhere anywhere

[Code]....


Ubuntu Security :: Restrict Thunar To A Certain Directory?

Aug 28, 2010

I have created my own custom ubuntu distro using the alternate installation cd and doing a command line install. I'm using ubuntu 10.04 as my base and am also using thunar as my file browser and am trying to create a secure desktop environment and to do that I'd like to restrict thunar to a certain partition. Is it possible to do that?


Ubuntu Security :: How To Restrict Permission To Ssh User

Feb 26, 2011

I would like to allow a user to log in through SSH but with different permissions coming from different IP addresses. For example, a user "tester" logs in to SSH through 192.168.1.1 and another user logs in with the same login id "tester" but from a different IP, 192.168.1.2. How do I restrict 192.168.1.2 to only allow for viewing the content in the home directory while giving 192.168.1.1 full access? I got a suggestion from someone:

Approach 1) Based on the IP you change the shell. If it's just for read only a jail would be fine. But how do I change the shell based on IP?

Approach 2) Have two ssh instances. Let's say port 22 and port 24. Port 22 is for read only, while port 24 is for full access. So how can it be possible to give port 22 only read-only access to SSH?


Ubuntu Security :: Using Apparmor To Restrict File Browser?

Sep 21, 2010

I am trying to use apparmor to restrict my file browser, which is Thunar, to only let me view the files that are in the home directory and also removable media. I tried following the apparmor sticky with no success. I created the profile and tried editing it and it either started and let me do pretty much everything or did not start at all. Would it be possible for someone to help me step by step to set up a profile for Thunar that would only show the home directory and removable media?


Ubuntu Security :: Restrict Internet Access For Kids?

Jul 28, 2011

I'm running Natty and have made two logins on the system. One for myself and family and one for the kids (teens 14-15yr) to play in without Internet access via Admin "Users and Groups". I have hidden the Internet software icons on their screen amongst others i don't want them to see on the menus. On our screen I use a Firefox addon called "Web Of Trust" that can be configured easily for the kids and another addon called 'Blocksite' that I can selectively use for them and myself etc.

I have found out that they have still been able to get on to the net somehow under their login. Will have to observe again!! In the users settings for the kids the tick box for 'Internet' and 'use modem' access is un-ticked so I presumed that would be enough! Not so!!








Copyrights 2005-15 www.BigResource.com, All rights reserved