04-04-2012, 01:38 PM
Tris Hoar

Block outgoing connections for certain uids (root, apache, nobody)

On 04/04/2012 10:21, Tony Mountifield wrote:
> In article <CAADeyWhP3MjsPc-MO7aeWzsxsq9pHiBPHO2iU3bo8i0ttJiLcw@mail.gmail.com>,
> Alexander Farber <alexander.farber@gmail.com> wrote:
>> Good morning
>>
>> With iptables in CentOS 5 and 6 Linux - how can you please
>> prevent processes running as "root", "apache" or "nobody"
>> from initiating outgoing connections?
>>
>> On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:
>>
>> -A OUTPUT -m owner --uid-owner root -j DROP
>> -A OUTPUT -m owner --uid-owner apache -j DROP
>> -A OUTPUT -m owner --uid-owner nobody -j DROP
>>
>> but unfortunately get the error:
>>
>> # sudo service iptables restart
>> iptables: Flushing firewall rules: [ OK ]
>> iptables: Setting chains to policy ACCEPT: filter [ OK ]
>> iptables: Unloading modules: [ OK ]
>> iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad
>> value for "--uid-owner" option: "apache"
>> Error occurred at line: 27
>> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>> [FAILED]
>
> Perhaps it doesn't do a username lookup and only understands numeric userids?
> Try:
>
> -A OUTPUT -m owner --uid-owner 0 -j DROP
> -A OUTPUT -m owner --uid-owner 48 -j DROP
> -A OUTPUT -m owner --uid-owner 99 -j DROP
>
> (I think those values are standard on CentOS)
>
> Bear in mind that preventing root connections would stop you doing any
> kind of updating using yum, unless you have a previous rule allowing http.
>
> Cheers
> Tony

This would also stop the server being able to use DNS, and would likely
break other things. I'd be wary of stopping root talking out of the network.

Tris


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
04-04-2012, 04:40 PM
Alexander Farber

Block outgoing connections for certain uids (root, apache, nobody)

Yep, I've locked myself out of the dedicated server today.

The numeric uids work, thank you.
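An added example (not code from the thread) that turns the advice above into a small POSIX shell script: it resolves user names to the numeric uids that worked for the poster, and emits the loopback, ESTABLISHED, DNS and root-to-HTTP allow rules Tony and Tris warn about ahead of the per-uid DROP rules, in /etc/sysconfig/iptables format. It only prints rules for review; the DNS_SERVER variable and its 192.0.2.53 default are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates OUTPUT rules in
# /etc/sysconfig/iptables format; nothing here calls iptables.

# Resolve a user name to its numeric uid; a value that is already numeric
# is returned unchanged. Fails (returns 1) for an unknown user.
uid_of() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null || return 1 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# One DROP rule for a single user, always written with the numeric uid,
# since that is the form iptables-restore accepted in the thread.
owner_drop_rule() {
    uid=$(uid_of "$1") || { echo "unknown user: $1" >&2; return 1; }
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -j DROP"
}

# Whole OUTPUT block: allow rules first, then a DROP per requested user.
# DNS_SERVER is an assumed placeholder for the host's resolver address;
# the uid-0 HTTP allow keeps yum working for root.
generate_rules() {
    resolver=${DNS_SERVER:-192.0.2.53}
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -d $resolver --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $resolver --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner 0 -p tcp --dport 80 -j ACCEPT
EOF
    for u in "$@"; do
        owner_drop_rule "$u" || return 1
    done
}
```

Run as `generate_rules root apache nobody` and compare the output with the existing OUTPUT chain before pasting it in; the allow rules must stay above the DROPs or the box is cut off from its resolver and from yum.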
 
04-05-2012, 01:21 PM
Daniel J Walsh

Block outgoing connections for certain uids (root, apache, nobody)

On 04/04/2012 10:15 AM, Lamar Owen wrote:
> On Wednesday, April 04, 2012 05:13:11 AM Alexander Farber wrote:
>> Good morning
>>
>> With iptables in CentOS 5 and 6 Linux - how can you please prevent
>> processes running as "root", "apache" or "nobody" from initiating
>> outgoing connections?
>
> This sounds more like something an SELinux rule could do better, and on a
> per-process basis.
>
> Now, I don't have such a rule or policy file written, but I think for this
> purpose SELinux is the right tool to try to use. You might have to go from
> the rather lenient 'targeted' policy to the rather difficult to use
> 'strict' policy to make it happen, though.
>
> Dan Walsh is on here, and he's the expert, so maybe he'll weigh in.
>
Very difficult to do, especially if you are talking about administrators
running as root. If you want to allow everything except connection to the
network, you will not stop a determined admin. Now we can block the apache
process from connecting to the network. If you want to run confined admins
we can also control them, but it is not easy.