On Fri, Aug 21, 2009 at 10:34:05PM +0800, Uwe Dippel wrote:
> Now I am pretty sure that this is what we see here.
> It also makes sense, since all those users sit on a tightly controlled
> LAN; while that machine is 'further out'. So that restricted services
> can be accessed through some tunneling.
> Now: How to prevent it?? I have hundreds of users, who can log on from
> hundreds of machines, and all need access to ssh, and easily 30 at the
> same time.
> So, filtering IP addresses is out, nologin is out, no ssh is out.
> Of course, I can politely ask, but I would not necessarily trust it to
> be followed. I'd much rather disallow it technically. At least, have an
> easy access to the record (e.g. in 'last'). But since it doesn't require
> logon, what to do? And how to prevent this??
>
> Any suggestion appreciated,

After you've confirmed that they do this for TCP forwarding use, and
you're convinced that this is what you want to prevent, simply edit
sshd_config(5), set AllowTcpForwarding to No and restart the master
sshd(8).

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/
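
A check for the change suggested in the reply above, as an added example that is not part of the original thread: it reports the AllowTcpForwarding value a config file yields globally and in each Match block. The function name `audit_tcp_forwarding` and the sample config are constructed for illustration; it assumes first-value-wins parsing and the default of "yes".

```shell
#!/bin/sh
# Added example: audit AllowTcpForwarding in an sshd_config file.
# Assumptions: keywords are case-insensitive, the first value for a keyword
# wins, the default is "yes", and Match blocks override the global value.

# audit_tcp_forwarding FILE
# Prints "global=<value>", then one "match[<criteria>]=<value>" per override.
# Returns 0 only if forwarding is "no" globally and in every Match block.
audit_tcp_forwarding() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        sub(/^[ \t]+/, "")
        sub(/[ \t]*=[ \t]*/, " ")              # accept the Keyword=value form
        key = tolower($1)
        if (key == "match") {                  # start of a conditional block
            scope = $0; sub(/^[^ \t]+[ \t]+/, "", scope)
            in_match = 1; seen_here = 0
            next
        }
        if (key != "allowtcpforwarding") next
        val = tolower($2)
        if (!in_match) {
            if (global == "") global = val     # first global value wins
        } else if (!seen_here) {
            seen_here = 1
            overrides[++n] = "match[" scope "]=" val
            if (val != "no") bad = 1
        }
    }
    END {
        if (global == "") global = "yes"       # sshd default when unset
        print "global=" global
        for (i = 1; i <= n; i++) print overrides[i]
        exit (global != "no" || bad)
    }' "$1"
}

# Constructed sample config (not from the thread): the global setting is
# correct, but a Match block quietly re-enables forwarding for one group.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# AllowTcpForwarding yes
AllowTcpForwarding no
Match Group staff
    AllowTcpForwarding yes
EOF
audit_tcp_forwarding "$sample" || echo "TCP forwarding is still permitted"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration, including any Include files this sketch does not follow. sshd_config(5) also notes that disabling TCP forwarding does not improve security unless users are also denied shell access, since they can install their own forwarders.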