Block outgoing SSH connection from server

Background

I have a service that connects to a third-party SFTP site to pull files. The third party has a system that, when certain users try to connect, automatically blocks the incoming IP.
Someone is making connection attempts using the forbidden user: because it is a legacy system, any user gets onto the system as root. Whenever this individual tries sftp root@remote-site, he/she breaks a couple of applications that rely on the same remote SFTP.

Question

Is there any way with SSH to block this outgoing connection for a specific user@site?
The Match rule is for sshd_config, which is basically incoming. Is there an equivalent for the ssh client?

Tags: linux ssh

asked Oct 1 at 11:29
BitsOfNix

  • use ~user/.ssh/config to redirect outgoing ssh somehost to 127.0.0.1. (I am not sure this will solve Y part of the XY-Problem)
    – Archemar
    Oct 1 at 11:48

3 Answers
Accepted answer (score 0)

The Match rule for sshd_config also works for ssh_config, and in particular for the global /etc/ssh/ssh_config file, which you can edit to contain:

Match host site user root
Hostname DontDoThat

This will replace the hostname when you do an ssh or sftp:

$ sftp root@site
Couldn't read packet: Connection reset by peer

$ sudo sftp site
ssh: Could not resolve hostname dontdothat: Name or service not known

Of course, the user's ~/.ssh/config file can still override this setting.

You might want to log information about the person doing the sftp by adding to the Match line a call to a script (that must exit 0), e.g. exec "/bin/mylogger somearg..." (don't use single quotes).

answered Oct 2 at 8:05
meuh

  • This is great. At least until we identify the user making the "malicious" outbound connection.
    – BitsOfNix
    Oct 2 at 13:59
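The accepted answer works because of two OpenSSH client behaviours: the client reads ~/.ssh/config before /etc/ssh/ssh_config, and the first value it obtains for an option wins. That is also exactly why the answer's caveat holds: a user who sets Hostname for site in their own file wins over the global Match block. The following is an added example, not code from the thread or from OpenSSH: a small Python model of that resolution order that understands only Host, Match host/user and Hostname. SYSTEM_CONFIG and OVERRIDING_USER_CONFIG are constructed config texts; "site", root and user1 are the names used in the thread. Note that when no user is given on the command line, ssh uses the local login name, which is why the answer's "sudo sftp site" also hit the "user root" criterion. On a real system with OpenSSH 6.8 or later the equivalent check is ssh -G root@site, which prints the configuration (including the effective hostname) after evaluating Host and Match blocks.

```python
"""Minimal model of how the OpenSSH client picks the Hostname it connects to.

Added example: not code from the thread and not OpenSSH's parser. It models
only the two rules the accepted answer depends on: ~/.ssh/config is read
before /etc/ssh/ssh_config, and the first value obtained for an option wins.
Only 'Host', 'Match host ... user ...' and 'Hostname' are understood; negation,
canonical hostnames, exec criteria and every other option are out of scope.
"""
from fnmatch import fnmatchcase


def parse(text):
    """Split ssh_config text into (criteria, options) blocks in file order.
    The first block holds options that appear before any Host/Match line."""
    blocks = [({}, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append(({"host": rest.split()}, {}))
        elif key == "match":
            toks = rest.split()
            crit = {toks[i].lower(): toks[i + 1].split(",")
                    for i in range(0, len(toks) - 1, 2)}
            blocks.append((crit, {}))
        else:
            # first value for an option inside a block wins, as in ssh_config(5)
            blocks[-1][1].setdefault(key, rest)
    return blocks


def block_applies(crit, host, user):
    """Host patterns are globbed against the name typed on the command line;
    every Match criterion (host, user) must hold. Unsupported criteria never match."""
    for name, patterns in crit.items():
        value = {"host": host, "user": user}.get(name)
        if value is None or not any(fnmatchcase(value, p) for p in patterns):
            return False
    return True


def effective_hostname(host, user, user_config, system_config):
    """Hostname ssh would actually connect to for user@host: the user's file is
    consulted first, then the system-wide file; the first Hostname obtained wins."""
    for cfg in (user_config, system_config):
        for crit, opts in parse(cfg):
            if block_applies(crit, host, user) and "hostname" in opts:
                return opts["hostname"]
    return host


# Constructed /etc/ssh/ssh_config carrying the block from the accepted answer
SYSTEM_CONFIG = """\
Match host site user root
    Hostname DontDoThat
"""

# Constructed ~/.ssh/config showing the caveat: the user's file is read first
OVERRIDING_USER_CONFIG = """\
Host site
    Hostname site
"""


def demo():
    """Returns (root@site, user1@site, root@site with an overriding user config)."""
    return (
        effective_hostname("site", "root", "", SYSTEM_CONFIG),
        effective_hostname("site", "user1", "", SYSTEM_CONFIG),
        effective_hostname("site", "root", OVERRIDING_USER_CONFIG, SYSTEM_CONFIG),
    )


if __name__ == "__main__":
    print(demo())  # → ('DontDoThat', 'site', 'site')
```

The third result is the caveat in code: because the user's file is consulted first, a one-line Host block there restores the real hostname and the global Match never gets to set it. Treat the global block as a guard rail that stops accidental root@site connections, not as an access control; the iptables answers below and an audit trail from the exec criterion are what you reach for when the goal is enforcement.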
















Answer (score 4)

You have to use iptables, for example:

Block outgoing ssh connections for the 192.168.1.0/24 subnet:

iptables -I OUTPUT -d 192.168.1.0/24 -p tcp --dport 22 -j REJECT

Then verify:

ssh -v 192.168.1.6
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.6 [192.168.1.6] port 22.
debug1: connect to address 192.168.1.6 port 22: **Connection refused**
ssh: connect to host 192.168.1.6 port 22: **Connection refused**

answered Oct 1 at 11:58
Goro

  • Thanks, but this blocks all connections. Not what I am looking for. If ssh is done with ssh root@remote-site it gets blocked; ssh user1@remote-site needs to work. The suggested solution blocks all.
    – BitsOfNix
    Oct 2 at 6:03

  • @BitsOfNix "outgoing SSH connection from server" means block the whole connection! To block specific users, you can edit the sshd config and add any user name you want to block under DenyUsers. Just do sudo vi /etc/ssh/sshd_config, then under DenyUsers add the user name you want to block. Let's say you want to block user mark; then add DenyUsers mark. Let me know if this works or not so we can help further ;-)
    – Goro
    Oct 2 at 10:20

Answer (score 0)

You can always allow outgoing SSH connections with the iptables "user" module:

iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -m owner --uid-owner USERNAME -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --destination-port 22 -j DROP

This will block all outgoing ssh connections, but allow USERNAME to make them.

answered Oct 2 at 8:37
Alexander
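Goro's answer and Alexander's answer both filter at the packet level, and the comment exchange under Goro's answer shows the limit of that approach: netfilter decides on the outgoing TCP SYN, before any SSH exchange, and the login name (root versus user1) is only sent inside the encrypted session, so the kernel never sees it. The only per-user handle available there is the local uid of the process that opened the socket, which is what Alexander's owner match uses. The following is an added example, not from the thread and not iptables itself: a Python model of the OUTPUT chain with first-match evaluation, -I (insert at the top) versus -A (append), and the -d, -p, --dport and --uid-owner matches, which replays both answers' rule sets against constructed packets. The -o eth0 interface match, connection tracking and REJECT's error reply are left out; the uids 1000 and 1001 and the address 10.0.0.5 are constructed, while 192.168.1.0/24 and 192.168.1.6 come from Goro's answer. The last case in replay() is the asker's situation: when every process runs as root, a uid-based allow-list cannot separate the offending user either.

```python
"""Toy model of the netfilter OUTPUT chain, used to replay the two iptables
answers above. Added example: not code from the thread and not iptables.
Modelled: first-match evaluation, -I (insert at top) versus -A (append), the
-d / -p / --dport matches and the owner module's --uid-owner match.
Not modelled: -o eth0, connection tracking, the ICMP/RST reply sent by REJECT.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    """What netfilter can see on an outgoing TCP SYN. There is deliberately no
    field for the SSH login name: it is only sent inside the encrypted session."""
    dst: str            # destination IPv4 address
    dport: int          # destination port
    uid: int            # local uid owning the socket (what -m owner matches)
    proto: str = "tcp"


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    dst_net: Optional[str] = None    # -d 192.168.1.0/24
    proto: Optional[str] = None      # -p tcp
    dport: Optional[int] = None      # --dport 22
    uid_owner: Optional[int] = None  # -m owner --uid-owner

    def matches(self, pkt: Packet) -> bool:
        if self.dst_net is not None and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.uid_owner is not None and pkt.uid != self.uid_owner:
            return False
        return True


@dataclass
class OutputChain:
    policy: str = "ACCEPT"                          # default chain policy
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:           # iptables -I OUTPUT ...
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:           # iptables -A OUTPUT ...
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        """The first matching rule decides; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def goro_chain() -> OutputChain:
    """iptables -I OUTPUT -d 192.168.1.0/24 -p tcp --dport 22 -j REJECT"""
    chain = OutputChain()
    chain.insert(Rule("REJECT", dst_net="192.168.1.0/24", proto="tcp", dport=22))
    return chain


def alexander_chain(allowed_uid: int) -> OutputChain:
    """iptables -A OUTPUT -p tcp --destination-port 22 -m owner --uid-owner USERNAME -j ACCEPT
    iptables -A OUTPUT -p tcp --destination-port 22 -j DROP
    (USERNAME resolved to a uid; the -o eth0 match is omitted)"""
    chain = OutputChain()
    chain.append(Rule("ACCEPT", proto="tcp", dport=22, uid_owner=allowed_uid))
    chain.append(Rule("DROP", proto="tcp", dport=22))
    return chain


def replay() -> dict:
    """Constructed packets replayed through both rule sets."""
    site = "192.168.1.6"                      # remote SFTP host, inside Goro's subnet
    ops_uid, other_uid, root = 1000, 1001, 0  # constructed local uids
    goro, alex = goro_chain(), alexander_chain(ops_uid)
    return {
        # Goro's rule: same verdict for every uid and every remote login name
        "goro_ops_ssh": goro.verdict(Packet(site, 22, ops_uid)),
        "goro_root_ssh": goro.verdict(Packet(site, 22, root)),
        "goro_https": goro.verdict(Packet(site, 443, ops_uid)),
        "goro_other_host": goro.verdict(Packet("10.0.0.5", 22, ops_uid)),
        # Alexander's rules: distinguish the local uid, never the remote user
        "alex_ops_ssh": alex.verdict(Packet(site, 22, ops_uid)),
        "alex_other_ssh": alex.verdict(Packet(site, 22, other_uid)),
        "alex_other_https": alex.verdict(Packet(site, 443, other_uid)),
        # The asker's box: everyone is root, so allow-listing root filters nothing
        "alex_all_root": alexander_chain(root).verdict(Packet(site, 22, root)),
    }


if __name__ == "__main__":
    for name, result in replay().items():
        print(f"{name}: {result}")
```

Two things the replay makes visible that the rules alone do not: -I puts Goro's REJECT ahead of anything already in the chain, whereas Alexander's two -A rules only work in the order they are appended (ACCEPT for the uid first, then the catch-all DROP); and neither rule set has anywhere to express "root@remote-site", so on a host where every login maps to uid 0 the decision has to move up to the SSH client configuration (the accepted answer) or to the remote side's own account policy.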
