Disable outbound ssh
Dec. 8th, 2009, 06:17 pm
I've googled for a couple of hours. Is there not a way to disable outbound ssh?
2009-12-09 03:57 am (UTC)
iptables -A OUTPUT -p tcp --dport 22 -j DROP
... will block all connections to port 22, where most sshd's live.
Change the permissions of the binary?
chmod go-rwx /usr/bin/ssh
That will essentially prevent anyone who isn't root from using it. The iptables suggestion is good as well, but wouldn't address anyone trying to ssh to a non-standard port.
However this solution only blocks the use of /usr/bin/ssh. A user could have a local copy of the ssh binary and use that.
If you have a firewall between you and the world, block outbound access to port 22 there.
If not, then the iptables command in the first line will stop basic attempts of using ssh.
In the end though, it is almost impossible to stop.
I have a personal webserver, and my work blocks almost all outbound ports.
So I changed sshd to run on port 21, and it works, since my work doesn't block standard FTP servers.
If you need to lock things down, then I would disallow internet access completely.
If you just want to make it very difficult to get around things, then force all your outbound traffic through a proxy server and only allow the proxy server to talk outside.
I wouldn't guarantee someone couldn't get around that.
But with anything less than that, any of your more computer-savvy users can breach the security.
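The two comments above (firewall plus the port-22 iptables rule, and the stricter proxy-only egress) can be written down as one concrete ruleset. The script below is an added example, not something posted in the thread: it emits an iptables-restore policy where OUTPUT defaults to DROP and only the proxy's uid may open new outbound connections, which also catches a user-built ssh binary or sshd moved to port 21. The uid, resolver address and LAN range are parameters with made-up illustrative values; the proxy itself (e.g. squid) is assumed to exist and to run as that uid.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a default-deny egress policy in
# iptables-restore format. Assumptions: the outbound proxy runs locally as an
# unprivileged uid ($1) and is the only process allowed to reach the Internet;
# $2 is the only resolver the host may query; $3 is the LAN in CIDR notation.

egress_policy() {
  proxy_uid="$1"     # uid the outbound proxy runs as
  resolver="$2"      # DNS server the host is allowed to query
  lan="$3"           # local network that stays reachable without the proxy
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# replies belonging to connections that were already allowed
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# loopback is needed by the proxy itself and by local services
-A OUTPUT -o lo -j ACCEPT
# the LAN stays reachable directly
-A OUTPUT -d $lan -j ACCEPT
# name resolution, to the configured resolver only
-A OUTPUT -p udp -d $resolver --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $resolver --dport 53 -j ACCEPT
# only the proxy's uid may open new outbound connections anywhere else;
# a user's private copy of ssh, on any port, runs as the user's uid and is dropped
-A OUTPUT -m owner --uid-owner $proxy_uid -j ACCEPT
# everything else is logged (rate-limited) and then hits the OUTPUT DROP policy
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
COMMIT
EOF
}

# The port-22-only rule from the first reply, in the same format, for comparison:
# ssh to port 21 (or any other port) still goes out under this policy.
port22_only() {
  cat <<EOF
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp --dport 22 -j DROP
COMMIT
EOF
}

# When run directly, print the hardened policy for the illustrative values.
egress_policy 13 10.0.0.53 192.168.1.0/24
```

To apply it on a host where the proxy runs as uid 13: `egress_policy 13 10.0.0.53 192.168.1.0/24 | sudo iptables-restore`. The owner match is what makes the difference from the chmod approach: it keys on the uid of the process that created the packet, so it does not matter which binary or which destination port the user chose.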
The best that you can do is to either block outbound connections to port 22, or drop in some DPI gear that drops outbound SSH packets.
Why do you want to do this, anyway?
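The last reply contrasts a port-22 block with DPI; the earlier sshd-on-port-21 story shows why the difference matters. The script below is an added example (not from the thread) that compares the two verdicts on constructed sample payloads. It relies on the fact that every SSH connection, on whatever port, starts with an identification line of the form "SSH-protoversion-softwareversion" (RFC 4253 section 4.2), which is what a DPI box matches on; the three payload files and their ports are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Compares a port-based rule with a
# protocol-based (DPI-style) check on the first bytes a client sends.

# Verdict of the port-based rule: drop only if the destination port is 22.
# Exit status 0 means "blocked", 1 means "allowed".
port_rule() {
  [ "$1" -eq 22 ]
}

# Verdict of a DPI-style check: drop if the first line of the client's payload
# is an SSH identification string, regardless of the destination port.
# $1 = destination port (ignored), $2 = file holding the first bytes sent.
dpi_rule() {
  first_line=$(head -c 255 "$2" | tr -d '\r' | head -n 1)
  case "$first_line" in
    SSH-2.0-*|SSH-1.99-*|SSH-1.5-*) return 0 ;;   # SSH version exchange: drop
    *) return 1 ;;                                # anything else: allow
  esac
}

# Prints "blocked" or "allowed" for a given rule, port and payload file.
verdict() {
  rule="$1"; port="$2"; payload="$3"
  if "$rule" "$port" "$payload"; then echo blocked; else echo allowed; fi
}

# Constructed sample payloads: the first bytes of three client connections.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'SSH-2.0-OpenSSH_5.3\r\n' > "$tmp/ssh_on_22"
printf 'SSH-2.0-OpenSSH_5.3\r\n' > "$tmp/ssh_on_21"   # sshd moved to the FTP port
printf 'USER anonymous\r\n'      > "$tmp/ftp_on_21"   # genuine FTP on port 21

# Show both verdicts side by side for each sample.
for sample in ssh_on_22:22 ssh_on_21:21 ftp_on_21:21; do
  name=${sample%:*}; port=${sample#*:}
  printf '%-10s port %-3s port-rule: %-8s dpi: %s\n' "$name" "$port" \
    "$(verdict port_rule "$port" "$tmp/$name")" \
    "$(verdict dpi_rule "$port" "$tmp/$name")"
done
```

Run as is, it shows the port rule letting the port-21 SSH session through while the protocol check drops it and still allows real FTP on the same port. A real DPI appliance does the same match on the TCP stream in flight; the same banner also appears in the server-to-client direction, so either side of the exchange can be used to identify the protocol.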