Another method to manage users and groups from given IPs/subnets (not just
any user from a given IP or subnet) is to use PAM's access.conf
(pam_access.so, found defined in the /etc/pam.d directory, with the config
file usually in /etc/security/access.conf) to augment the firewall ruleset.
It needs to be enabled (RHEL systems have an option to enable it at install,
with a benign commented-out access.conf file from which to start; Ubuntu
also appears to have it enabled by default, but with the rules in
access.conf commented out).
*A word of warning though* - this doesn't just control access from the
network, but also from the console (local), including ttys (non-graphical)
and pts/* devices (graphical shells). Locking yourself out in part or in
full, and everyone else out, with a bad configuration is definitely possible
(trust me, I know ;-) ).
The payoff however, in learning and using this method, is finer-grained
control over who has login access and from where a given user or group of
users has access.
It's a part of PAM authentication, and to get started you can search for
pam_access or PAM access.conf, plus your distribution of choice. Just be
sure you configure and understand the rules you've set in the access.conf
file before locking down with the final rule "- : ALL : ALL". I suggest
testing rules on a virtual machine with a snapshot made prior to applying
changes, or having a live CD boot disk handy with physical access to the
system.
Cheers,
Ben
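The two host-level layers discussed in this thread (PAM's access.conf and tcp wrappers' hosts.allow/hosts.deny), as an added example that is not code from any of the posters: a small POSIX shell script that builds both files from a single allow-list into a scratch directory, then checks them for the two lockout mistakes the thread warns about (a deny-all in access.conf with no console allow rule in front of it, and an "ALL: ALL" hosts.deny written before hosts.allow grants sshd anything). The group name admins, the addresses, and the function names are assumptions; nothing is written under /etc.

```shell
#!/bin/sh
# Added example (not from the thread): generate and sanity-check
# /etc/security/access.conf-style rules and a hosts.allow/hosts.deny pair.
# Constructed sample values: one admin group, the thread's local net, one host.
ADMIN_GROUP="admins"
ALLOW_NETS="192.168.100.0/28 203.0.113.7"

# gen_access_conf FILE: pam_access evaluates rules top-down, first match wins,
# so the allow rules (including console/LOCAL access) come before the deny-all.
gen_access_conf() {
    cat > "$1" <<EOF
# root and the admins group may log in at the console (tty and pts)
+ : root : LOCAL
+ : ($ADMIN_GROUP) : LOCAL
# admins may also log in from the allowed networks/hosts
+ : ($ADMIN_GROUP) : $ALLOW_NETS
# everyone else, from anywhere, is denied
- : ALL : ALL
EOF
}

# check_access_conf FILE: return 0 only if the file is safe to install.
check_access_conf() {
    rules=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$')
    last=$(printf '%s\n' "$rules" | tail -n 1 | tr -s ' ')
    # the catch-all deny must be the final rule, nothing may follow it
    [ "$last" = "- : ALL : ALL" ] || { echo "last rule is not '- : ALL : ALL'" >&2; return 1; }
    # without a LOCAL allow rule the console is locked out too
    printf '%s\n' "$rules" | grep -q '^+ *:.*: *LOCAL' || { echo "no console (LOCAL) allow rule" >&2; return 1; }
    return 0
}

# gen_wrappers DIR: write hosts.allow first, hosts.deny second, as Joseph advises.
# Note: some older tcp_wrappers builds accept only the dotted-netmask form
# (n.n.n.n/m.m.m.m) rather than CIDR prefixes.
gen_wrappers() {
    {
        for net in $ALLOW_NETS; do
            printf 'sshd: %s\n' "$net"
        done
        echo 'httpd: ALL'   # only effective if httpd is linked against libwrap
    } > "$1/hosts.allow"
    # refuse the deny-all until sshd is actually allowed from somewhere
    grep -q '^sshd:' "$1/hosts.allow" || { echo "hosts.allow grants no sshd access; not writing hosts.deny" >&2; return 1; }
    echo 'ALL: ALL' > "$1/hosts.deny"
}

# demo: build everything in a scratch directory and check it
WORK=$(mktemp -d)
gen_access_conf "$WORK/access.conf"
gen_wrappers "$WORK"
check_access_conf "$WORK/access.conf" && echo "access.conf ok, files in $WORK"
```

Run it on the machine you intend to lock down, inspect the generated files, and copy them into place only after check_access_conf passes and you have the console or a VM snapshot available, as Ben recommends.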
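Richard's dedicated SSH chain combined with the rules from Keith's script, as an added example (not code from the thread) in iptables-restore format: iptables-restore loads the whole filter table in one atomic operation, so there is no window between "iptables -F" and the re-added allow rules in which an existing session is unprotected, and "iptables-restore --test FILE" parses the file without touching the live ruleset. The source addresses are constructed sample values and the function names are assumptions; the chain name SSHACS is Richard's.

```shell
#!/bin/sh
# Added example (not from the thread): emit the thread's firewall as an
# iptables-restore ruleset with Richard's SSHACS chain.
# Constructed sample sources: the data-center net plus one outside host.
SSH_SOURCES="192.168.100.0/28 203.0.113.7/32"

# gen_ruleset "CIDR CIDR ...": print the ruleset on stdout, or fail with no
# output when the list is empty, since an INPUT DROP policy with no SSH allow
# rule is exactly how you lock yourself out.
gen_ruleset() {
    [ -n "$1" ] || { echo "refusing to build a ruleset with no SSH sources" >&2; return 1; }
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':SSHACS - [0:0]'                 # user-defined chain for SSH decisions
    echo '-A INPUT -i lo -j ACCEPT'
    # established/related first, so replies never traverse the per-port rules
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
    echo '-A INPUT -p tcp --dport 443 -j ACCEPT'
    # only port 22 traffic is handed to SSHACS; everything else skips it
    echo '-A INPUT -p tcp --dport 22 -j SSHACS'
    for src in $1; do
        echo "-A SSHACS -s $src -j ACCEPT"
    done
    echo '-A SSHACS -j DROP'               # explicit end of the SSH chain
    echo 'COMMIT'
}

# count_ssh_allows FILE: number of SSH sources the ruleset grants
count_ssh_allows() { grep -c -- '^-A SSHACS -s ' "$1"; }

# demo: write to a scratch file; apply later with
#   iptables-restore --test "$OUT" && iptables-restore "$OUT"
OUT=$(mktemp)
gen_ruleset "$SSH_SOURCES" > "$OUT"
echo "ruleset written to $OUT with $(count_ssh_allows "$OUT") SSH sources"
```

Adding a consultant or data-center address is then one more entry in SSH_SOURCES rather than another INPUT rule, and the generated file can be diffed against the saved one before it is applied.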
On Thu, May 12, 2011 at 11:31 AM, keith smith <klsmith2020@yahoo.com> wrote:
>
> Interesting thought! Thank you Joseph!
>
> ------------------------
> Keith Smith
>
> --- On Wed, 5/11/11, Joseph Sinclair <plug-discussion@stcaz.net> wrote:
>
>
> From: Joseph Sinclair <plug-discussion@stcaz.net>
>
> Subject: Re: IPTables on LAMP server in data center
> To: "Main PLUG discussion list" <plug-discuss@lists.plug.phoenix.az.us>
> Date: Wednesday, May 11, 2011, 10:42 PM
>
>
> You could also use tcp wrappers for this, and that's a bit faster, not to
> mention simpler.
> Note: this setup will end up locking out all communication not specifically
> listed in hosts.allow; so make sure hosts.allow is correct before modifying
> hosts.deny.
>
> It's best to enable something like telnet temporarily while working on the
> SSH controls, just in case you lock yourself out.
>
> In hosts.allow:
> sshd:ip.ad.dr.ess/NN (local net, ip address + netmask in CIDR notation)
> sshd:ip.ad.dr.ess (specific internet host, repeat as needed)
> httpd: ALL
>
> In hosts.deny:
> ALL: ALL
>
>
> On 05/11/2011 07:52 PM, Richard Wilson wrote:
> > Keith,
> >
> > What you have is fine and will work, but here's something that will make
> > it faster and more maintainable:
> >
> > # Create an SSH Access Table
> > iptables -N SSHACS
> >
> > Right before your "#Data center Local network" line, put:
> >
> > # Handle SSH Traffic
> > iptables -A INPUT -p tcp --dport 22 -j SSHACS
> >
> > Then for each IP you want to grant SSH Access to:
> > iptables -A SSHACS -s ip.ad.re.ss/mask -j ACCEPT
> >
> > This is faster because it won't go through each rule for non-SSH
> > traffic. Splitting similar rules like this can be a big help in complex
> > rule sets.
> >
> > HTH,
> >
> > Richard Wilson
> > ---------------------------------------------------------------
> > On 05/11/2011 07:24 PM, keith smith wrote:
> >>
> >> Hi,
> >>
> >> I'm rather new to IPTables. I've written a shell script to update and
> >> save the IPTables on a web server that only has HTTPD, SSL, Secured FTP, and
> >> SSH available.
> >>
> >> I need to be able to access the server via SSH and SFTP and want to only
> >> allow the data center's local net and only those, by IP, that I allow to
> >> access the box over the Internet. Port 80 and 443 should be open to
> >> everyone.
> >>
> >> I'm hoping someone or a couple of people can look at what I have written
> >> and give me some feedback. I've already locked myself out of one server so
> >> I would like to avoid that again.
> >>
> >> Thanks in advance for your help!
> >>
> >> - - - - - - -
> >>
> >> #!/bin/bash
> >> #
> >> # iptables configuration for xxxxxxxxxxx
> >> #------
> >> # Flush all current rules from iptables
> >> iptables -F
> >>
> >> # Drop all forwarded packets
> >> iptables -P FORWARD DROP
> >>
> >> # Set access for localhost
> >> iptables -A INPUT -i lo -j ACCEPT
> >>
> >> # Port 80 for everyone
> >> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> >>
> >> # Port 443 for everyone
> >> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> >>
> >> # No SMTP/POP/MySql/Named ... ETC
> >>
> >> # Accept packets belonging to established and related connections
> >> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>
> >> #---------------------------------------------------------------------------------------------
> >> # Allow SSH/FTP connections on tcp port 22 for only those we want to FTP
> >> # or SSH into the box
> >> #---------------------------------------------------------------------------------------------
> >>
> >> #Data center Local network
> >> iptables -A INPUT -p tcp -s 192.168.100.0/28 --dport 22 -j ACCEPT
> >>
> >> #User 1
> >> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
> >>
> >> #user 2
> >> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
> >>
> >> #user 3
> >> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
> >>
> >> #---------------------------------------------------------------------------------
> >> # - - - - Add additional consultants here and run script again - - - - -
> >> #---------------------------------------------------------------------------------
> >>
> >> # Data Center Staff from outside
> >> iptables -A INPUT -p tcp -s 999.999.999.999 --dport 22 -j ACCEPT
> >>
> >> #-----------------------------------------------------------------------------
> >> # - - - - Add additional Data Center staff here and run script again - - - - -
> >> #-----------------------------------------------------------------------------
> >>
> >>
> >> # Allow all outbound traffic
> >> iptables -P OUTPUT ACCEPT
> >>
> >> # Drop everything else
> >> iptables -P INPUT DROP
> >>
> >>
> >> # Save settings
> >> /sbin/service iptables save
> >>
> >> # List rules
> >> iptables -L -v
> >>
> >>
> >> ------------------------
> >> Keith Smith
> >>
> >>
> >> ---------------------------------------------------
> >> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> >> To subscribe, unsubscribe, or to change your mail settings:
> >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >