Prevent SCP from transferring file out from remote server to local host

-1

I have a use case where I need to be able to prevent scp from transferring files "out" from a remote server to the local computer.

Limitations:

SSH has to be allowed

Local laptop should be able to use SCP to upload a file to the remote server

Remote server must be able to upload a file to other remote servers in its IP range/VPC

No remote server should let local laptop "download" a file via SCP

I not found any useful flags or firewall rules.

Example:

local laptop should transfer file abcd to remote server 1.2.3.4

local laptop should not be able to download file abcd from 1.2.3.4

1.2.3.4 should be able to transfer abcd to 1.2.3.5

edited Jan 12 at 19:20

roaima

43.8k555118

asked Jan 11 at 7:45

n00blinux

2

I think your you should reconsider your requirements. Using ssh is downloading information, otherwise your local terminal could not show anything. Whatever you do it won't be secure by any means, just more complicated to download files.

– RoVo
Jan 11 at 8:43

I don't believe this will be possible without a huge amount of work. You can limit SSH down to SCP only (RoVo is wrong on that point). But SCP isn't really designed with this use case in mind. You would have to replace the scp subsystem with a custom version.

– couling
Jan 11 at 8:57

3

Using this answer, you can prohibit the get command. But if you allow ssh, you can't prevent ssh server "cat file" > localfile

– Mark Plotnick
Jan 11 at 9:15

"SSH has to be allowed" is that out from the remote server? Or from clients to the server itself? Or both?

– roaima
Jan 12 at 19:21

add a comment |

-1

I have a use case where I need to be able to prevent scp from transferring files "out" from a remote server to the local computer.

Limitations:

SSH has to be allowed

Local laptop should be able to use SCP to upload a file to the remote server

Remote server must be able to upload a file to other remote servers in its IP range/VPC

No remote server should let local laptop "download" a file via SCP

I not found any useful flags or firewall rules.

Example:

local laptop should transfer file abcd to remote server 1.2.3.4

local laptop should not be able to download file abcd from 1.2.3.4

1.2.3.4 should be able to transfer abcd to 1.2.3.5

edited Jan 12 at 19:20

roaima

43.8k555118

asked Jan 11 at 7:45

n00blinux

2

I think your you should reconsider your requirements. Using ssh is downloading information, otherwise your local terminal could not show anything. Whatever you do it won't be secure by any means, just more complicated to download files.

– RoVo
Jan 11 at 8:43

I don't believe this will be possible without a huge amount of work. You can limit SSH down to SCP only (RoVo is wrong on that point). But SCP isn't really designed with this use case in mind. You would have to replace the scp subsystem with a custom version.

– couling
Jan 11 at 8:57

3

Using this answer, you can prohibit the get command. But if you allow ssh, you can't prevent ssh server "cat file" > localfile

– Mark Plotnick
Jan 11 at 9:15

"SSH has to be allowed" is that out from the remote server? Or from clients to the server itself? Or both?

– roaima
Jan 12 at 19:21

add a comment |

-1

I have a use case where I need to be able to prevent scp from transferring files "out" from a remote server to the local computer.

Limitations:

SSH has to be allowed

Local laptop should be able to use SCP to upload a file to the remote server

Remote server must be able to upload a file to other remote servers in its IP range/VPC

No remote server should let local laptop "download" a file via SCP

I not found any useful flags or firewall rules.

Example:

local laptop should transfer file abcd to remote server 1.2.3.4

local laptop should not be able to download file abcd from 1.2.3.4

1.2.3.4 should be able to transfer abcd to 1.2.3.5

edited Jan 12 at 19:20

roaima

43.8k555118

asked Jan 11 at 7:45

n00blinux

I have a use case where I need to be able to prevent scp from transferring files "out" from a remote server to the local computer.

Limitations:

SSH has to be allowed

Local laptop should be able to use SCP to upload a file to the remote server

Remote server must be able to upload a file to other remote servers in its IP range/VPC

No remote server should let local laptop "download" a file via SCP

I not found any useful flags or firewall rules.

Example:

local laptop should transfer file abcd to remote server 1.2.3.4

local laptop should not be able to download file abcd from 1.2.3.4

1.2.3.4 should be able to transfer abcd to 1.2.3.5

linux ubuntu scp

edited Jan 12 at 19:20

roaima

43.8k555118

asked Jan 11 at 7:45

n00blinux

edited Jan 12 at 19:20

roaima

43.8k555118

asked Jan 11 at 7:45

n00blinux

edited Jan 12 at 19:20

roaima

43.8k555118

edited Jan 12 at 19:20

roaima

43.8k555118

edited Jan 12 at 19:20

roaima

43.8k555118

asked Jan 11 at 7:45

n00blinux

asked Jan 11 at 7:45

n00blinux

asked Jan 11 at 7:45

n00blinux

2

I think your you should reconsider your requirements. Using ssh is downloading information, otherwise your local terminal could not show anything. Whatever you do it won't be secure by any means, just more complicated to download files.

– RoVo
Jan 11 at 8:43

I don't believe this will be possible without a huge amount of work. You can limit SSH down to SCP only (RoVo is wrong on that point). But SCP isn't really designed with this use case in mind. You would have to replace the scp subsystem with a custom version.

– couling
Jan 11 at 8:57

3

Using this answer, you can prohibit the get command. But if you allow ssh, you can't prevent ssh server "cat file" > localfile

– Mark Plotnick
Jan 11 at 9:15

"SSH has to be allowed" is that out from the remote server? Or from clients to the server itself? Or both?

– roaima
Jan 12 at 19:21

add a comment |

2

I think your you should reconsider your requirements. Using ssh is downloading information, otherwise your local terminal could not show anything. Whatever you do it won't be secure by any means, just more complicated to download files.

– RoVo
Jan 11 at 8:43

I don't believe this will be possible without a huge amount of work. You can limit SSH down to SCP only (RoVo is wrong on that point). But SCP isn't really designed with this use case in mind. You would have to replace the scp subsystem with a custom version.

– couling
Jan 11 at 8:57

3

Using this answer, you can prohibit the get command. But if you allow ssh, you can't prevent ssh server "cat file" > localfile

– Mark Plotnick
Jan 11 at 9:15

"SSH has to be allowed" is that out from the remote server? Or from clients to the server itself? Or both?

– roaima
Jan 12 at 19:21

I think your you should reconsider your requirements. Using ssh is downloading information, otherwise your local terminal could not show anything. Whatever you do it won't be secure by any means, just more complicated to download files.

– RoVo
Jan 11 at 8:43

I don't believe this will be possible without a huge amount of work. You can limit SSH down to SCP only (RoVo is wrong on that point). But SCP isn't really designed with this use case in mind. You would have to replace the scp subsystem with a custom version.

– couling
Jan 11 at 8:57

Using this answer, you can prohibit the get command. But if you allow ssh, you can't prevent ssh server "cat file" > localfile

– Mark Plotnick
Jan 11 at 9:15

"SSH has to be allowed" is that out from the remote server? Or from clients to the server itself? Or both?

– roaima
Jan 12 at 19:21

add a comment |

0

active

oldest

votes

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);

);

draft saved

draft discarded

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f493884%2fprevent-scp-from-transferring-file-out-from-remote-server-to-local-host%23new-answer', 'question_page');

);

Post as a guest

Name

Required, but never shown

0

active

oldest

votes

0

active

oldest

votes

draft saved

draft discarded

Thanks for contributing an answer to Unix & Linux Stack Exchange!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

搜尋此網誌

mjhjmtu