Disable outbound ssh - Linux Help Desk

Disable outbound ssh [Dec. 8th, 2009|06:17 pm]


I've googled for a couple of hours... is there not a way to disable outbound ssh?

From: jhf
2009-12-09 03:57 am (UTC)
iptables -A OUTPUT -p tcp --dport 22 -j DROP

... will block all connections to port 22, where most sshd's live.

From: zastrazzi
2009-12-09 04:25 am (UTC)
Change the permissions of the binary?

chmod go-rwx /usr/bin/ssh

That will essentially prevent anyone who isn't root from using it. The iptables suggestion is good as well, but wouldn't address anyone trying to ssh to a non-standard port.
From: mindkeep
2009-12-09 02:44 pm (UTC)
However, this solution only blocks the use of /usr/bin/ssh. A user could have a local copy of the ssh binary and use that.
From: green_ogre
2009-12-09 05:22 pm (UTC)
If you have a firewall between you and the world, block outbound access to port 22.

If not, then the iptables command in the first line will stop basic attempts of using ssh.

In the end though, it is almost impossible to stop.

I have a personal webserver and my work blocks almost all outbound ports.

So I changed sshd to run on port 21, and thus it works, since my work doesn't block standard FTP servers.

If you need to lock things down, then I would disallow internet access completely.

If you want to make it very difficult to get around things, then force all your outbound traffic through a proxy server and only allow the proxy server to talk outside.

I wouldn't guarantee someone couldn't get around that.

But with any less than that, any of your more computer-savvy users can breach the security.

Good Luck.
From: simoncion
2009-12-11 02:41 am (UTC)
The best that you can do is to either block outbound connections to port 22, or to drop in some DPI gear that drops outbound SSH packets.

Why do you want to do this, anyway?
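The thread's two positions, a port-22 DROP rule versus inspecting the traffic itself, can be put side by side. The following is an added example, not code from any poster: it models the port rule and a protocol check on a few constructed flow records (destination port plus the first bytes of payload, as a connection sensor might export them), including the sshd-on-port-21 case green_ogre describes. The SSH identification string it matches is the one RFC 4253 requires both peers to send at connection start; the flow records and addresses are constructed.

```python
"""Port-based blocking vs. protocol-based detection of outbound SSH."""
import re

# RFC 4253 sec. 4.2: each peer opens with "SSH-protoversion-softwareversion"
# followed by CRLF. A server MAY send other text lines before it, so the
# check scans line by line instead of only the first bytes.
SSH_BANNER = re.compile(rb"^SSH-(\d\.\d+)-([^\s\r\n]+)")

# Constructed sample flows: SSH on 22, SSH moved to 21 (as in the thread),
# a real FTP greeting on 21, and a TLS ClientHello on 443.
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "dport": 22, "payload": b"SSH-2.0-OpenSSH_5.3\r\n"},
    {"dst": "203.0.113.20", "dport": 21, "payload": b"SSH-2.0-OpenSSH_5.3\r\n"},
    {"dst": "203.0.113.30", "dport": 21, "payload": b"220 ftp.example.net ready\r\n"},
    {"dst": "203.0.113.40", "dport": 443, "payload": b"\x16\x03\x01\x00\xa5\x01\x00"},
]


def blocked_by_port_rule(flow, blocked_ports=(22,)):
    """Models `iptables -A OUTPUT -p tcp --dport 22 -j DROP`: port only."""
    return flow["dport"] in blocked_ports


def ssh_version(payload):
    """Return (protoversion, softwareversion) if the payload carries an SSH
    identification string on any line, else None."""
    for line in payload.split(b"\n"):
        m = SSH_BANNER.match(line)
        if m:
            return m.group(1).decode(), m.group(2).decode()
    return None


def classify(flows):
    """Per flow: (dst, dport, dropped by port rule?, SSH seen by inspection?)."""
    return [
        (f["dst"], f["dport"], blocked_by_port_rule(f), ssh_version(f["payload"]) is not None)
        for f in flows
    ]


def undetected_by_port_rule(flows):
    """SSH sessions the port rule lets through: the gap inspection closes."""
    return [f for f in flows if ssh_version(f["payload"]) and not blocked_by_port_rule(f)]


if __name__ == "__main__":
    for row in classify(SAMPLE_FLOWS):
        print(row)
    print("missed by port rule:", [f["dst"] for f in undetected_by_port_rule(SAMPLE_FLOWS)])
```

Banner inspection stops working once SSH is wrapped inside TLS or carried through the proxy, so it complements, rather than replaces, the default-deny egress with a single permitted proxy that green_ogre describes.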