
Restrict user access to ethX interface...

Michael...
Posted: Thu Aug 27, 2009 12:30 pm
Guest
Hi all,

I have been searching for a way to restrict users' access to specific
ethernet devices. We have a couple of consultant users who have ssh
access to one host, but I would like to prevent them from using the
eth1 LAN interface. Is this possible? Since there's no device file
in /dev I can't change permissions or ownership.

Thanks,
--
Michael
 
Johnny Rebel...
Posted: Thu Aug 27, 2009 6:01 pm
Guest
Michael wrote:
Quote:
Hi all,

I have been searching for a way to restrict users' access to specific
ethernet devices. We have a couple of consultant users who have ssh
access to one host, but I would like to prevent them from using the
eth1 LAN interface. Is this possible? Since there's no device file
in /dev I can't change permissions or ownership.

Thanks,

Not sure on the situation of things - but any chance you could do an
iptables block by MAC or IP? If they are on your corporate network,
this could be a solution if they don't change around. I personally
don't know a way to do it by user unless you put something in
/etc/profile that pops an iptable rule in from the address they are
coming from - don't forget to take it out when they logout or exit -
this can of course be problematic with disconnected sessions.


JR.


--


--> GNU/Linux is user friendly... it's just picky about its friends.
 
Michael...
Posted: Fri Aug 28, 2009 8:07 am
Guest
On Thu, 27 Aug 2009 20:01:28 -0400
Johnny Rebel <rebel at (no spam) none.com> wrote:

Quote:
Michael wrote:
Hi all,

I have been searching for a way to restrict users' access to specific
ethernet devices. We have a couple of consultant users who have ssh
access to one host, but I would like to prevent them from using the
eth1 LAN interface. Is this possible? Since there's no device file
in /dev I can't change permissions or ownership.

Thanks,

Not sure on the situation of things - but any chance you could do an
iptables block by MAC or IP? If they are on your corporate network,
this could be a solution if they don't change around. I personally
don't know a way to do it by user unless you put something in
/etc/profile that pops an iptable rule in from the address they are
coming from - don't forget to take it out when they logout or exit -
this can of course be problematic with disconnected sessions.

Thanks, I'll give this some thought. I haven't completely decided if
blocking the internal NIC is even necessary, since none of the
machines on the LAN accept commands over ssh without a root pw. In
other words, I don't truly treat the LAN as trusted.

--
Michael
 
Michael...
Posted: Fri Aug 28, 2009 2:59 pm
Guest
Quote:
What did you put into their contract - the practical way would be to
have terms/conditions/etc. that they should follow. If you don't trust
them, or they break the contract, then fire them. Computer firewall
rules don't replace common sense or legal agreements.

I was not involved in writing the contract; I was required to give
user-level access to individuals hired by another group under the
same funding as my group. I don't distrust them, but I maintain
mostly restrictive access policies, blocking everything that isn't
absolutely required.

Quote:
owner
This module attempts to match various characteristics of the
packet creator, for locally-generated packets. It is only valid
in the OUTPUT chain, and even then some packets (such as ICMP
ping responses) may have no owner, and hence never match.

--uid-owner userid
Matches if the packet was created by a process with the given
effective (numerical) user id.

**snip**

I'll look into this. It will probably work for my needs. Thanks.
--
Michael
 
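An added example (not from the thread or from either poster) of how the owner match quoted above could be applied to a consultant account: it builds OUTPUT rules that log and drop packets whose creating process runs under a given uid and which would leave through eth1. It assumes iptables with the owner module on a Red Hat host, that eth1 is the LAN interface, and that the user name is a placeholder; without the "apply" argument it only prints the rules for review.

```shell
#!/bin/sh
# Example added here, not the thread's own code. Uses the iptables owner
# match (--uid-owner) to stop one user's processes from sending traffic
# out of a given interface. Caveat: owner matching is on the *effective*
# uid of the sending process and only works in the OUTPUT chain, so it
# does not cover setuid programs, root, or traffic that is merely
# forwarded through the host.

# Print the two iptables commands for one numeric uid and one interface.
# The LOG rule must precede the DROP rule, otherwise it never fires.
build_rules() {
    uid="$1"; iface="$2"
    printf 'iptables -A OUTPUT -o %s -m owner --uid-owner %s -j LOG --log-prefix "uid%s-%s-denied: "\n' \
        "$iface" "$uid" "$uid" "$iface"
    printf 'iptables -A OUTPUT -o %s -m owner --uid-owner %s -j DROP\n' \
        "$iface" "$uid"
}

# Resolve a user name to its numeric uid; the man page excerpt above says
# --uid-owner takes the numerical id, so resolve it once up front.
uid_of() {
    id -u "$1" 2>/dev/null
}

# restrict_user_iface <user> <iface> [apply]
# Default mode is dry-run: the rules are printed and nothing is changed.
restrict_user_iface() {
    user="$1"; iface="$2"; mode="${3:-dry-run}"
    uid=$(uid_of "$user") || { echo "unknown user: $user" >&2; return 1; }
    rules=$(build_rules "$uid" "$iface")
    if [ "$mode" = "apply" ]; then
        # Needs root. Rules are not persistent across reboots unless saved
        # (on Red Hat: "service iptables save").
        echo "$rules" | while read -r cmd; do eval "$cmd"; done
    else
        echo "$rules"
    fi
}

# Placeholder account name; run as root with "apply" to install the rules.
[ "${1:-}" = "demo" ] && restrict_user_iface consultant1 eth1
```

Matching denied packets show up in the kernel log with the "uid...-denied:" prefix, which gives you a record of attempts rather than just a silent drop.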
Johnny Rebel...
Posted: Fri Aug 28, 2009 5:53 pm
Guest
Michael wrote:
Quote:
On Thu, 27 Aug 2009 20:01:28 -0400
Johnny Rebel <rebel at (no spam) none.com> wrote:

Michael wrote:
Hi all,

I have been searching for a way to restrict users' access to specific
ethernet devices. We have a couple of consultant users who have ssh
access to one host, but I would like to prevent them from using the
eth1 LAN interface. Is this possible? Since there's no device file
in /dev I can't change permissions or ownership.

Thanks,
Not sure on the situation of things - but any chance you could do an
iptables block by MAC or IP? If they are on your corporate network,
this could be a solution if they don't change around. I personally
don't know a way to do it by user unless you put something in
/etc/profile that pops an iptable rule in from the address they are
coming from - don't forget to take it out when they logout or exit -
this can of course be problematic with disconnected sessions.

Thanks, I'll give this some thought. I haven't completely decided if
blocking the internal NIC is even necessary, since none of the
machines on the LAN accept commands over ssh without a root pw. In
other words, I don't truly treat the LAN as trusted.


You let root log in directly? :) Maybe if you describe the scenario a
little more, someone will have better ideas? Maybe a squid proxy with
authentication would be more appropriate. Guess it depends on why and
what you are blocking (what as in protocols - obviously you are trying
to block specific users).

JR.


--


--> GNU/Linux is user friendly... it's just picky about its friends.
 