Block outgoing SSH connection from server
Background
I have a service that connects to a third-party SFTP site to pull files. The third party has a system that, when certain users try to connect, automatically blocks the incoming IP.
Someone is making connection attempts using the forbidden user, as, due to it being a legacy system, any user gets to the system as root. Whenever this individual tries sftp root@remote-site, he/she just breaks a couple of applications that rely on the same remote SFTP.
Question
Is there any way with SSH to block this outgoing connection for a specific user@site?
The Match rule is for sshd_config, which is basically incoming. Is there an equivalent for the ssh client?
linux ssh
asked Oct 1 at 11:29
BitsOfNix
use ~user/.ssh/config to redirect outgoing ssh somehost to 127.0.0.1. (I am not sure this will solve the Y part of the XY-Problem)
– Archemar Oct 1 at 11:48
3 Answers
accepted
The Match rule for sshd_config works also for ssh_config, and in particular the global /etc/ssh/ssh_config file, which you can edit to contain:

    Match host site user root
        Hostname DontDoThat

This will replace the hostname when you do an ssh or sftp:

    $ sftp root@site
    Couldn't read packet: Connection reset by peer
    $ sudo sftp site
    ssh: Could not resolve hostname dontdothat: Name or service not known

Of course, the user's ~/.ssh/config file can still override this setting.

You might want to log information about the person doing the sftp by adding to the Match line a call of a script (that must exit 0), e.g. exec "/bin/mylogger somearg..." (don't use single quotes).
answered Oct 2 at 8:05
meuh
This is great. At least until we identify the user making the "malicious" outbound connection.
– BitsOfNix Oct 2 at 13:59
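A worked check for the accepted answer, added here and not part of meuh's answer: the script below writes a throw-away ssh_config with the two Match blocks, then uses `ssh -G` (which resolves Match blocks and prints the effective configuration without connecting) to confirm that root@site is redirected while user1@site is untouched. The host alias "site", the users root and user1, the sinkhole name blocked.invalid (a reserved TLD that never resolves, so there is nothing to mistype) and the temporary paths are assumptions for the demo; in production the two Match blocks go into /etc/ssh/ssh_config. The logging and the sinkhole are kept in separate Match blocks on purpose: an exec criterion whose command exits non-zero makes its whole block stop matching, so a broken logger must not be able to switch off the redirect.

```shell
#!/bin/sh
# Added example (not part of meuh's answer): sinkhole root@site in a test
# ssh_config and verify the result with `ssh -G`.
# Assumptions for the demo: host alias "site", users root/user1, sinkhole
# name blocked.invalid, temporary paths created below.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/ssh_config"
LOG="$WORK/guard.log"
LOGGER="$WORK/log-attempt"

# Logger invoked by the exec criterion. It must exit 0, otherwise the Match
# block it belongs to is treated as not matching.
cat >"$LOGGER" <<'EOF'
#!/bin/sh
printf '%s\n' "$*" >>"${GUARD_LOG:?}"
EOF
chmod +x "$LOGGER"

# Two separate blocks on purpose: if the logger ever fails, only the logging
# block stops matching; the sinkhole block below still redirects root@site.
# %u = local user, %r = remote user, %h = target host (expanded by ssh).
# The "user root" criterion comes before "exec", so the logger only runs
# when the remote user is root.
cat >"$CFG" <<EOF
Match host site user root exec "GUARD_LOG=$LOG $LOGGER %u %r@%h"
Match host site user root
    Hostname blocked.invalid
EOF

# Hostname ssh would really connect to for a given remote user and host.
# -F makes ssh read only this file (it skips /etc/ssh/ssh_config entirely).
effective_host() {
    ssh -G -F "$CFG" "$1@$2" | awk '$1 == "hostname" { print $2 }'
}

echo "root@site  -> $(effective_host root site)"
echo "user1@site -> $(effective_host user1 site)"
echo "logged attempts:"
cat "$LOG" 2>/dev/null || echo "(no attempts logged)"
```

Two caveats a practitioner should keep in mind. OpenSSH reads the user's ~/.ssh/config before the system-wide file and the first value obtained for an option wins, so a user who sets Hostname for "site" in their own file, or who runs ssh with -F pointing at another file, bypasses the global redirect. This makes the Match block a guard rail against accidental root@site attempts, not a control against a deliberate one.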
You have to use iptables, for example:

Block outgoing ssh connections for the 192.168.1.0/24 subnet:

    iptables -I OUTPUT -d 192.168.1.0/24 -p tcp --dport 22 -j REJECT

Then verify:

    ssh -v 192.168.1.6
    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.1.6 [192.168.1.6] port 22.
    debug1: connect to address 192.168.1.6 port 22: Connection refused
    ssh: connect to host 192.168.1.6 port 22: Connection refused
answered Oct 1 at 11:58
Goro
Thanks, but this blocks all connections. Not what I am looking for. If ssh is done with ssh root@remote-site, it gets blocked; if ssh user1@remote-site, it needs to work. The suggested solution blocks all.
– BitsOfNix Oct 2 at 6:03

@BitsOfNix "outgoing SSH connection from server" means block the whole connection! To block specific users, you can edit sshd_config and add any user name you want to block under DenyUsers. Just do sudo vi /etc/ssh/sshd_config, then under DenyUsers add the user name you want to block. Let's say you want to block user mark, then add DenyUsers mark. Let me know if this works or not so we can help further ;-)
– Goro Oct 2 at 10:20
You can always allow outgoing SSH connections with the iptables "user" module:

    iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -m owner --uid-owner USERNAME -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -j DROP

This will block all outgoing ssh connections, but allow USERNAME to perform them.
answered Oct 2 at 8:37
Alexander
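An added example combining the two iptables answers above (Goro's destination filter and Alexander's owner match); it is not code from either answer. A packet filter only sees addresses, ports and the local uid, never the SSH username, which is negotiated inside the encrypted session, so iptables on its own cannot separate root@site from user1@site; that part needs the ssh_config Match from the accepted answer. What iptables can do is keep the blocked scope narrow (one destination host, everyone except the local uid that legitimately pulls files) and make the blocked client fail fast with a TCP reset instead of hanging on DROP. The SFTP host 203.0.113.10 and the local service account "batchjob" are assumptions for the demo. With DRY_RUN=1 (the default) the script prints the commands it would run; as root with DRY_RUN=0 it installs them, using `iptables -C` so that re-running it never stacks duplicate rules.

```shell
#!/bin/sh
# Added example, not from Goro's or Alexander's answer: uid-scoped egress
# filter for one SFTP destination. Assumptions: destination 203.0.113.10,
# allowed local uid "batchjob". DRY_RUN=1 prints, DRY_RUN=0 installs (root).
DRY_RUN=${DRY_RUN:-1}

# One rule per output line. Order matters: the ACCEPT for the legitimate
# uid must precede the catch-all REJECT in the OUTPUT chain, and the
# reject uses a TCP reset so blocked clients see "Connection refused"
# immediately instead of timing out.
egress_ssh_rules() {
    dst=$1; allowed_uid=$2
    printf '%s\n' \
      "OUTPUT -d $dst -p tcp --dport 22 -m owner --uid-owner $allowed_uid -j ACCEPT" \
      "OUTPUT -d $dst -p tcp --dport 22 -j REJECT --reject-with tcp-reset"
}

# Idempotent install: -C reports whether an identical rule already exists,
# so re-running the script never stacks duplicate rules. The rules contain
# no quoted arguments, so the unquoted $rule word-splitting is intended.
apply_egress_ssh_rules() {
    egress_ssh_rules "$@" | while IFS= read -r rule; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "iptables -C $rule 2>/dev/null || iptables -A $rule"
        else
            # shellcheck disable=SC2086
            iptables -C $rule 2>/dev/null || iptables -A $rule
        fi
    done
}

apply_egress_ssh_rules 203.0.113.10 batchjob
```

After installing, verify from any other local account with `ssh -v 203.0.113.10`: the connect line should report "Connection refused" at once (the reset), while the batchjob account still connects. Note that this blocks the host for every uid except batchjob, so a root user on the box, or anyone who can switch to batchjob, is not constrained by it.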