Block outgoing SSH connection from server

Background

I got a service that connects to a third-party SFTP site to pull files. The third party has a system that, when certain users try to connect, automatically blocks the incoming IP.

Someone is doing some connection attempts using the forbidden user, because, due to it being a legacy system, any user gets to the system as root. Whenever this individual tries sftp root@remote-site, he/she just breaks a couple of applications that rely on the same remote SFTP.

Question

Is there any way with SSH to block this outgoing connection for a specific user@site?

The Match rule is for sshd_config, which is basically incoming. Is there an equivalent for the ssh client?

Tags: linux ssh
asked Oct 1 at 11:29 by BitsOfNix
Comment: use ~user/.ssh/config to redirect outgoing ssh somehost to 127.0.0.1. (I am not sure this will solve Y part of the XY-Problem) – Archemar, Oct 1 at 11:48
3 Answers
Accepted answer, score 0:
The Match rule for sshd_config works also for ssh_config, and in particular the global /etc/ssh/ssh_config file, which you can edit to contain:

    Match host site user root
        Hostname DontDoThat

This will replace the hostname when you do an ssh or sftp:

    $ sftp root@site
    Couldn't read packet: Connection reset by peer
    $ sudo sftp site
    ssh: Could not resolve hostname dontdothat: Name or service not known

Of course, the user's ~/.ssh/config file can still override this setting.

You might want to log information about the person doing the sftp by adding to the Match line a call of a script (that must exit 0), e.g. exec "/bin/mylogger somearg..." (don't use single quotes).
answered Oct 2 at 8:05 by meuh

Comment: This is great. At least until we identify the user making the "malicious" outbound connection. – BitsOfNix, Oct 2 at 13:59
Answer, score 4:
You have to use iptables, for example:

Block outgoing ssh connection for 192.168.1.0/24 subnet:

    iptables -I OUTPUT -d 192.168.1.0/24 -p tcp --dport 22 -j REJECT

Then verify:

    ssh -v 192.168.1.6
    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.1.6 [192.168.1.6] port 22.
    debug1: connect to address 192.168.1.6 port 22: Connection refused
    ssh: connect to host 192.168.1.6 port 22: Connection refused
answered Oct 1 at 11:58 by Goro
Comment: Thanks, but this blocks all connections. Not what I am looking for. If ssh is done with ssh root@remote-site, it gets blocked; ssh user1@remote-site needs to work. The suggested solution blocks all. – BitsOfNix, Oct 2 at 6:03

Comment: @BitsOfNix "outgoing SSH connection from server" means block the whole connection! To block specific users, you can edit sshd_config and add any user name you want to block under DenyUsers. Just do sudo vi /etc/ssh/sshd_config, then under DenyUsers add the user name you want to block. Let's say you want to block user mark; then add DenyUsers mark. Let me know if this works or not so we can help further ;-) – Goro, Oct 2 at 10:20
Answer, score 0:
You can always allow outgoing SSH connection with iptables "user" module:

    iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -m owner --uid-owner USERNAME -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -j DROP

This will block all outgoing ssh connections, but allow USERNAME to perform them.
answered Oct 2 at 8:37 by Alexander