On Fri, 21 Aug 2009 16:55 +0200, "Paul de Weerd" <we...@weirdnet.nl>
wrote:
> On Fri, Aug 21, 2009 at 10:34:05PM +0800, Uwe Dippel wrote:
> > Now I am pretty sure that this is what we see here.
> > It also makes sense, since all those users sit on a tightly controlled  
> > LAN; while that machine is 'further out'. So that restricted services  
> > can be accessed through some tunneling.
> > Now: How to prevent it?? I have hundreds of users, who can log on from  
> > hundreds of machines, and all need access to ssh, and easily 30 at the  
> > same time.
> > So, filtering IP addresses is out, nologin is out, no ssh is out.
> > Of course, I can politely ask, but I would not necessarily trust it to  
> > be followed. I'd much rather disallow it technically. At least, have an  
> > easy access to the record (e.g. in 'last'). But since it doesn't require  
> > logon, what to do? And how to prevent this??
> >
> > Any suggestion appreciated,
> 
> After you've confirmed that they do this for TCP forwarding use, and
> you're convinced that this is what you want to prevent, simply edit
> sshd_config(5), set AllowTcpForwarding to No and restart the master
> sshd(8).

You can also approach management to create a business policy to
prevent this. Make this policy well known and then fire anyone
that breaks it. This will discourage anyone from coming up with
some 'creative' way in the future of circumventing your technical
solution. This would be the standard business model, ymmv. :)
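As an added illustration of Paul's sshd_config(5) change (this is not code from the thread or from OpenSSH): two constructed sshd_config fragments, one leaving TCP forwarding at its default and one disabling it, plus a small POSIX sh/awk function that reports the effective global AllowTcpForwarding value the way sshd resolves it. It assumes the documented rules that the first occurrence of a keyword wins, keywords are case-insensitive, `#` lines are comments, and anything after the first Match line is conditional rather than global; it only handles the whitespace-separated `Keyword value` form, not the `Keyword=value` form sshd also accepts.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: resolve the effective
# global AllowTcpForwarding setting from sshd_config text. Config fragments
# below are constructed for this example.

# Constructed: forwarding left at its default (allowed); the commented-out
# line is a comment and has no effect.
WEAK_CONFIG='# sshd_config (constructed example, forwarding left enabled)
Port 22
PermitRootLogin no
#AllowTcpForwarding yes
Subsystem sftp /usr/libexec/sftp-server'

# Constructed: the same config with forwarding disabled as suggested above.
HARDENED_CONFIG='# sshd_config (constructed example, forwarding disabled)
Port 22
PermitRootLogin no
AllowTcpForwarding no
Subsystem sftp /usr/libexec/sftp-server'

# Constructed: a "no" that does not apply globally, because an earlier line
# already set the keyword (first match wins) and the later line sits inside
# a Match block, so it only applies to that group.
TRAP_CONFIG='Port 22
AllowTcpForwarding yes
Match Group admins
    AllowTcpForwarding no'

# Usage: effective_tcp_forwarding "$config_text"
# Prints the effective global value, or "yes" (sshd default) if unset.
effective_tcp_forwarding() {
    printf '%s\n' "$1" | awk '
        # skip comment and blank lines
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { kw = tolower($1) }
        # lines after the first Match are conditional, not global
        kw == "match" { exit }
        # first occurrence of the keyword wins; later ones are ignored
        kw == "allowtcpforwarding" && !found { found = 1; val = tolower($2) }
        END { print (found ? val : "yes") }
    '
}

# Stand-alone run: show the three verdicts.
for name in WEAK_CONFIG HARDENED_CONFIG TRAP_CONFIG; do
    eval "cfg=\$$name"
    printf '%-16s AllowTcpForwarding=%s\n' "$name" "$(effective_tcp_forwarding "$cfg")"
done
```

Two practical notes when applying this on a real host: run `sshd -t` to check the edited file parses before signalling the daemon, and remember that the master sshd rereads its configuration on SIGHUP (the pid is in /var/run/sshd.pid), but sessions that are already established keep the settings they were accepted with. sshd_config(5) itself also warns that disabling TCP forwarding does not improve security unless users are also denied shell access, since a user with a shell can run their own forwarder over the session channel.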
