Monday, March 11, 2019

IPtables VS TCPwrapper VS SSHD config VS /etc/security/access.conf VS PAM

Q.
In how many ways can you restrict a user from accessing a Linux system?
In how many ways can you restrict an IP address from accessing a Linux system?

Solution:
1. Using iptables (by source IP, for any TCP/UDP service)
2. Using TCP wrappers, /etc/hosts.allow and /etc/hosts.deny (by client IP or host name, per wrapped service)
3. SSH daemon config, /etc/ssh/sshd_config (by user, group and source address, SSH only)
4. /etc/security/access.conf, enforced through the pam_access.so PAM module (by user, group and origin, for any PAM-aware login service)

1. Using iptables:
# iptables -I INPUT -s 192.168.1.100 -p tcp --dport ssh -j REJECT
# service iptables save

-I inserts the rule at the top of the INPUT chain, so it is evaluated before any earlier ACCEPT rule for port 22 (an appended -A rule would sit behind them). "service iptables save" writes the running ruleset to /etc/sysconfig/iptables (RHEL/CentOS 6 style). Verify with:
# iptables -L INPUT -n -v --line-numbers

Error while accessing (REJECT answers with an ICMP port-unreachable, so the client fails at once; with -j DROP it would instead hang until its connect timeout):
ssh: connect to host 192.168.1.150 port 22: Connection refused


2. Using TCP wrappers:
/etc/hosts.allow
/etc/hosts.deny

These files only affect services that are linked against libwrap (or started through tcpd). OpenSSH upstream dropped libwrap support in 6.7; Red Hat kept it as a distribution patch in RHEL/CentOS 7 and removed the tcp_wrappers package entirely in RHEL 8. Check before relying on it:
# ldd $(which sshd) | grep libwrap

# vim /etc/hosts.deny
##### To block SSH Access #####
sshd: 192.168.1.100
sshd: 192.168.1.0/255.255.255.0

Error while accessing (sshd accepts the TCP connection and then closes it, unlike the iptables REJECT above, so the failure is seen at the protocol level):
ssh_exchange_identification: read: Connection reset by peer

or, using the extended syntax with an explicit allow/deny keyword at the end of each rule, so that one file holds the whole policy:
# vim /etc/hosts.deny
sshd : localhost : allow
sshd : 192.168.0. : allow
sshd : 99.151.250.7 : allow
sshd : mydomain.net : allow
sshd : ALL : deny

(A trailing dot, as in 192.168.0., matches an address prefix; a leading dot, as in .mydomain.net, is what matches every host in a domain. Written as mydomain.net the pattern only matches a client whose resolved name is exactly mydomain.net.)

Note:
The search order is the opposite of what the file names suggest: /etc/hosts.allow is searched first, and the first matching rule grants access; only if nothing matched there is /etc/hosts.deny searched, and a match there denies. If neither file matches, access is granted. A deny-by-default setup therefore looks like this:
example:
* hosts.deny
ALL : ALL

which blocks everything from everyone that was not explicitly allowed, and
* hosts.allow
ALL : localhost
sshd: 192.168.0.22
proftpd: 192.168.0.22

which means only 192.168.0.22 on your local network can reach sshd or proftpd on that machine (and localhost can reach every wrapped service).
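The search order above is easy to get wrong, so here is an added Python model of the libwrap decision (my example, not code from this post or from the tcp_wrappers package). It assumes the documented semantics: hosts.allow is searched first and a match grants; hosts.deny is searched next and a match denies; no match anywhere grants; and an explicit trailing allow/deny keyword overrides the file a rule sits in. The client patterns it understands are ALL, LOCAL, an exact address or host name, a trailing-dot address prefix, a leading-dot domain suffix, net/mask or CIDR, and one EXCEPT; IPv6, KNOWN/UNKNOWN/PARANOID and spawn/twist are left out. The rule texts are constructed copies of the examples above.

```python
import ipaddress

# Constructed copies of the post's rule files: deny-by-default in hosts.deny,
# exceptions in hosts.allow.
HOSTS_ALLOW = """
ALL : localhost
sshd: 192.168.0.22
proftpd: 192.168.0.22
"""
HOSTS_DENY = "ALL : ALL\n"

# The post's single-file variant with explicit allow/deny keywords.
HOSTS_DENY_SINGLE_FILE = """
sshd : localhost : allow
sshd : 192.168.0. : allow
sshd : 99.151.250.7 : allow
sshd : mydomain.net : allow
sshd : ALL : deny
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens, option)], option in {'allow', 'deny', None}."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        option = fields[-1].lower() if len(fields) > 2 and fields[-1].lower() in ("allow", "deny") else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def list_matches(tokens, matches):
    """Evaluate 'list_1 EXCEPT list_2': list_1 must match and list_2 must not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    else:
        include, exclude = tokens, []
    return any(matches(t) for t in include) and not any(matches(t) for t in exclude)


def client_matches(pattern, addr, hostname):
    """Match one client pattern against the peer's IPv4 address and resolved name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # a resolved name without a dot
        return bool(hostname) and "." not in hostname
    if "/" in pattern:                           # net/mask or CIDR
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith(".") and pattern[:-1].replace(".", "").isdigit():
        return addr.startswith(pattern)          # "192.168.0." address prefix
    if pattern.startswith("."):
        return hostname.endswith(pattern)        # ".mydomain.net" domain suffix
    return pattern == addr or pattern == hostname


def decide(daemon, addr, hostname, hosts_allow, hosts_deny):
    """Return 'allow' or 'deny' for one connection, in libwrap's search order:
    hosts.allow first (match grants), then hosts.deny (match denies), else grant.
    A trailing ': allow' / ': deny' keyword overrides the file a rule lives in."""
    searches = ((parse_rules(hosts_allow), "allow"), (parse_rules(hosts_deny), "deny"))
    for rules, file_default in searches:
        for daemons, clients, option in rules:
            if list_matches(daemons, lambda t: t in ("ALL", daemon)) and \
               list_matches(clients, lambda t: client_matches(t, addr, hostname)):
                return option or file_default
    return "allow"


if __name__ == "__main__":
    print(decide("sshd", "192.168.0.22", "pc22", HOSTS_ALLOW, HOSTS_DENY))                # allow
    print(decide("sshd", "192.168.0.23", "pc23", HOSTS_ALLOW, HOSTS_DENY))                # deny
    print(decide("sshd", "10.0.0.2", "host.mydomain.net", "", HOSTS_DENY_SINGLE_FILE))   # deny
```

Running it against the single-file example shows why the leading dot matters: a client whose name resolves to host.mydomain.net is denied by the rule as written, and allowed once the pattern is changed to .mydomain.net.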

3. SSH conf file:

Case 1: Limit all SSH users to access from specific IPs, here from network 99.19.19.0/24:
At the bottom of /etc/ssh/sshd_config (but above any Match block, otherwise the line becomes part of that block) add:
AllowUsers *@99.19.19.*

The host part is a pattern matched against the client address and its resolved host name; a CIDR form such as *@99.19.19.0/24 is also accepted. Note that as soon as AllowUsers is present, sshd denies every user that does not match one of its patterns.

Case 2: Limit some users to access from specific IPs but allow others from anywhere:
# vim /etc/ssh/sshd_config
AllowUsers admin@123.123.123.10 admin@10.88.88.* yurisk

This way the user admin can only connect from either 123.123.123.10 or 10.88.88.0/24, and yurisk can connect from anywhere.

Deny SSH access to a user or group:
# vim /etc/ssh/sshd_config
DenyUsers sk ostechnix
DenyGroups root

The directives are evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and a match in a Deny directive wins even if an Allow directive also matched. Check the file before reloading, and keep an existing session open until a fresh login has been verified:
# sshd -t && service sshd reload

URL:
https://www.ostechnix.com/allow-deny-ssh-access-particular-user-group-linux/


4. /etc/security/access.conf file

URL:
https://linuxconfig.org/how-to-restrict-users-access-on-a-linux-machine

Q. How to disable local (console) login but keep remote login enabled for users in Red Hat Enterprise Linux?
URL: https://access.redhat.com/solutions/869443

Solution:
RHEL-5/6:
Step 1: Add the following entry to /etc/security/access.conf to restrict console (tty) access for users or groups through the pam_access.so module. The origins tty1 ... tty6 are the virtual consoles, and LOCAL matches any origin that contains no dot, i.e. a local terminal rather than a remote host, so these rules leave SSH logins alone (their origin is the client address or host name; beware that a remote client whose name resolves to a dot-less short name would also count as LOCAL, which UseDNS no in sshd_config avoids). A login that matches no line is granted, which is exactly what keeps remote access working here.

To restrict access to all users except root user, add/modify as below:
# vim /etc/security/access.conf
-:ALL EXCEPT root:tty1 tty2 tty3 tty4 tty5 tty6 LOCAL

OR

Access can be restricted for particular user:
# vim /etc/security/access.conf
-:user:tty1 tty2 tty3 tty4 tty5 tty6 LOCAL

OR

Access can be restricted for group containing multiple users:
# vim /etc/security/access.conf
-:group:tty1 tty2 tty3 tty4 tty5 tty6 LOCAL


Step 2: Configure the PAM stack to use the pam_access.so module, so that the restrictions defined in /etc/security/access.conf are enforced for every service that includes this stack. It belongs in the account section:

# vim /etc/pam.d/system-auth
account     required      pam_access.so     <---- Add this line in account section
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

Step 3: Make sshd consult PAM by adding/modifying the UsePAM parameter in /etc/ssh/sshd_config (without it sshd never runs the PAM account stack, so access.conf would not be consulted for SSH logins at all); then validate and reload:
# vim /etc/ssh/sshd_config 
UsePAM  yes
# sshd -t && service sshd reload

NOTE: On Red Hat Enterprise Linux 6, add the following line to the account section of both /etc/pam.d/system-auth and /etc/pam.d/password-auth (the latter is the stack that /etc/pam.d/sshd includes):
account     required      pam_access.so

----------------------------------------------------
Access.conf file usage:
URL: https://linuxconfig.org/how-to-restrict-users-access-on-a-linux-machine

Setup access rules in /etc/security/access.conf
Insert the pam_access.so module:

Before setting up our rules, we need to modify /etc/pam.d/login to add the pam_access.so module, which lets PAM consult access.conf for the rules we define. Note that /etc/pam.d/login only governs the console login program; for sshd the module has to be in the stack sshd includes (system-auth/password-auth on Red Hat systems, as in the steps above).

Add below line in account section:
# vim /etc/pam.d/login
account required pam_access.so

Now setup rules in access.conf file:
# vim /etc/security/access.conf
permission : users : origins

permission is + (grant) or - (deny). users holds user names, group names (in parentheses, or bare in the older syntax), ALL, and "ALL EXCEPT ..." lists. origins holds tty names, host names, addresses, network/netmask prefixes, LOCAL and ALL. Lines are tried in order, the first line whose users and origins fields both match decides, and a login that matches nothing is granted, so end the file with "- : ALL : ALL" if you want deny-by-default.
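As an added example (mine, not from the linked articles or from Linux-PAM), the following Python models how pam_access walks access.conf, using the Red Hat console rule from above and a constructed deny-by-default variant. It assumes the documented semantics: the first line whose users and origins fields both match decides, + grants and - denies, and a login matching no line is granted. Only a subset of the origin syntax is modelled: tty names, ALL, LOCAL (an origin without a dot), exact addresses, and network/netmask or CIDR; host names and domain suffixes are not.

```python
import ipaddress

# Constructed copy of the Red Hat rule quoted above: no console (tty) logins except root.
CONSOLE_RULE = "-:ALL EXCEPT root:tty1 tty2 tty3 tty4 tty5 tty6 LOCAL\n"

# Constructed deny-by-default policy: root only on the console or from the management
# LAN, members of group admins from anywhere, nobody else. The final "- : ALL : ALL"
# is what turns pam_access's grant-if-nothing-matches default into a deny.
STRICT_RULES = """
+ : root : LOCAL 192.168.1.0/24
- : root : ALL
+ : (admins) : ALL
- : ALL : ALL
"""


def parse_access_conf(text):
    """Return [(permission, user_tokens, origin_tokens)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def list_matches(tokens, matches):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not."""
    include, _, exclude = " ".join(tokens).partition(" EXCEPT ")
    return any(map(matches, include.split())) and not any(map(matches, exclude.split()))


def user_matches(token, user, groups):
    """ALL, '(group)', or a bare token tried as a user name and then as a group name."""
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups
    return token == user or token in groups


def origin_matches(token, origin):
    """ALL, LOCAL (any origin without a dot, e.g. tty1), net/mask or CIDR, or exact."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin
    if "/" in token:
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False                          # origin is a tty or host name
    return token == origin


def access_allowed(user, groups, origin, conf_text):
    """First line whose users AND origins fields both match decides; no match grants."""
    for perm, users, origins in parse_access_conf(conf_text):
        if list_matches(users, lambda t: user_matches(t, user, groups)) and \
           list_matches(origins, lambda t: origin_matches(t, origin)):
            return perm == "+"
    return True


if __name__ == "__main__":
    print(access_allowed("bob", ["users"], "tty1", CONSOLE_RULE))      # False
    print(access_allowed("bob", ["users"], "10.0.0.5", CONSOLE_RULE))  # True
    print(access_allowed("root", [], "10.0.0.5", STRICT_RULES))        # False
```

With CONSOLE_RULE alone, a non-root user is refused on tty1 but accepted from an SSH client address because nothing matched; STRICT_RULES shows how an explicit "- : ALL : ALL" at the end changes that default.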

If you want to disable password authentication for only one user, you have two options. The first is to set the "PasswordAuthentication no" parameter in /etc/ssh/sshd_config inside a Match block, so that it applies only to a specific user, a list of users or a group.

The following lines need to be added to /etc/ssh/sshd_config to disable password login for one or more users. Match blocks must come after all global settings, because every line after a Match line down to the next Match line (or the end of the file) belongs to that block. In the example below a list of users is given on the Match line:
Match User username1,username2,username3
PasswordAuthentication no


If you need to disable password authentication for a group of users, the Match directive allows the following syntax:
Match Group usergroup
PasswordAuthentication no

Before reloading, check what sshd will actually apply to a given connection, e.g. for username1 connecting from 192.0.2.10 (example address):
# sshd -T -C user=username1,host=192.0.2.10,addr=192.0.2.10 | grep -i passwordauthentication
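The AllowUsers/DenyUsers section above and the Match blocks here are both governed by ordering rules that are easy to misjudge, so here is an added Python model of both (my example, not code from the post or from OpenSSH). It assumes sshd's documented behaviour: DenyUsers, AllowUsers, DenyGroups and AllowGroups are applied in that order, a present Allow list denies everyone it does not name, USER@HOST patterns take * and ? wildcards or a CIDR host part, and the first satisfied Match block that sets a keyword overrides the global value. Only the User, Group and Address criteria are modelled, and only global (not per-Match) Allow/Deny directives. The sshd_config text and the users, groups and addresses in it are constructed for the example.

```python
from fnmatch import fnmatchcase
import ipaddress

# Constructed sshd_config: the post's AllowUsers/DenyUsers/DenyGroups lines plus
# Match blocks like the ones above; not a real server's configuration.
SSHD_CONFIG = """
PasswordAuthentication yes
UsePAM yes
AllowUsers admin@123.123.123.10 admin@10.88.88.* yurisk
DenyUsers sk ostechnix
DenyGroups root
Match User username1,username2
    PasswordAuthentication no
Match Group nopass
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return (global_options, [(match_criteria, block_options), ...]); keywords are
    case-insensitive, the first value seen in a section wins, and every line after
    a Match line belongs to that block until the next Match line or end of file."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            tokens = value.split()
            criteria = {c.lower(): v.split(",") for c, v in zip(tokens[::2], tokens[1::2])}
            current = (criteria, {})
            blocks.append(current)
        else:
            (global_opts if current is None else current[1]).setdefault(key, value)
    return global_opts, blocks


def host_matches(pattern, addr, hostname):
    """HOST part of USER@HOST, or a Match Address entry: CIDR, otherwise wildcard."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatchcase(addr, pattern) or fnmatchcase(hostname, pattern)


def user_pattern_matches(pattern, user, addr, hostname):
    """USER or USER@HOST; both parts accept * and ? wildcards."""
    name, _, host = pattern.partition("@")
    return fnmatchcase(user, name) and (not host or host_matches(host, addr, hostname))


def login_allowed(user, groups, addr, hostname, global_opts):
    """Apply DenyUsers, AllowUsers, DenyGroups, AllowGroups in sshd's documented order."""
    def by_user(p):
        return user_pattern_matches(p, user, addr, hostname)

    def by_group(p):
        return any(fnmatchcase(g, p) for g in groups)

    for keyword, matcher, is_allow_list in (("denyusers", by_user, False),
                                            ("allowusers", by_user, True),
                                            ("denygroups", by_group, False),
                                            ("allowgroups", by_group, True)):
        patterns = global_opts.get(keyword, "").split()
        matched = any(matcher(p) for p in patterns)
        if is_allow_list and patterns and not matched:
            return False    # a present Allow list denies every user it does not name
        if not is_allow_list and matched:
            return False    # a Deny match wins even after an earlier Allow match
    return True


def block_applies(criteria, user, groups, addr):
    """Every criterion on the Match line must be satisfied (User, Group, Address only)."""
    for crit, patterns in criteria.items():
        if crit == "user":
            ok = any(fnmatchcase(user, p) for p in patterns)
        elif crit == "group":
            ok = any(fnmatchcase(g, p) for g in groups for p in patterns)
        elif crit == "address":
            ok = any(host_matches(p, addr, "") for p in patterns)
        else:
            raise ValueError(f"Match criterion {crit!r} is not modelled here")
        if not ok:
            return False
    return True


def effective_option(keyword, user, groups, addr, global_opts, blocks):
    """The first satisfied Match block that sets keyword overrides the global value."""
    keyword = keyword.lower()
    for criteria, options in blocks:
        if keyword in options and block_applies(criteria, user, groups, addr):
            return options[keyword]
    return global_opts.get(keyword)


GLOBAL_OPTS, MATCH_BLOCKS = parse_sshd_config(SSHD_CONFIG)
```

Calling login_allowed("bob", ["users"], "10.88.88.7", "", GLOBAL_OPTS) returns False although no Deny directive names bob, because AllowUsers is present; login_allowed("yurisk", ["root"], "203.0.113.9", "", GLOBAL_OPTS) returns False because DenyGroups is checked after AllowUsers matched. effective_option("PasswordAuthentication", "username2", ["users"], "203.0.113.9", GLOBAL_OPTS, MATCH_BLOCKS) returns "no" while the same call for yurisk returns the global "yes".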

1 comment:

  1. Hey, it's a really useful blog. Thanks for sharing.
