Restrict access to specific users. - UNIX for Advanced & Expert Users

nua7 · #1 08-20-2008

Hi All!
I would like to know if there is any specific way by which I can restrict access to apecific users (ip addresses).

OS : Red hat linux

Thanks!
nua7

Annihilannic · #2 08-21-2008

Depending on the type of access, you can use "TCP wrappers" or "iptables". Do a search for them to find out about them... some services have built-in facilities for controlling access by IP address; if you tell us which type of access you are trying to restrict we may be able to help further.

broli · #3 08-21-2008

are you refering to deny ssh login ?
in redhat you have pam for that.
you can also simple ban the hole ip (in all ports and services) by adding them to /etc/host.deny (might be /etc/hosts.deny

ynilesh · #4 08-21-2008

Instead of predicting things, its better if you provide what type of restriction are you looking for ?

- nilesh

nua7 · #5 08-21-2008

Hi All,
I am sorry for not giving all the information. But here is my actual need. I would be having Oracle database on a Red hat Linux server which would listen to Port 1521(Default port for oracle).

I need to restrict users to this Port.I thought two solutions for this using iptables.

Solution 1 : Set the firewall with iptables rules, to allow ip addresses of a particular subnet to access the Oracle port.Using this rule only machines on the DBserver's subnet are able to communicate with it on Port 1521.

Code:

iptables -A INPUT -i eth0 -p tcp --dport 1521 -s ! <subnet mask value>

Solution 2:
Have a list of all valid IP's in a file and set a rule in the iptable to allow access to those IP addreesses only.

Code:

iptables -P FORWARD DROP 
for mac in $(cat ipaddressfile); do 
iptables -A FORWARD -m mac --mac-source $mac -j ACCEPT 
done

Please let me know if I am on the right track or if something else needs to be done.Also kindly let me know , which solution would work better looking at the security point of view.

Thanks!
nua7

Annihilannic · #6 08-25-2008

It seems to me like the first option would be a lot easier to maintain over time. I can't really comment on the security point of view because it depends on the sensitivity of your data and the security of the network the system is on. There should be security built-in to the database access anyway, so hopefully anything you are donig here is going above and beyond the call of duty anyway?

nua7 · #7 08-26-2008

Hi!
Finally it has been decided that specfic ip addresses should be allowed to access the database port. Solution 2 which is in my previous post.

Please let me know if you have any suggestions in the solution 2 I mentioned.

More UNIX and Linux Forum Topics You Might Find Helpful
Thread	Thread Starter	Forum	Replies	Last Post
Restrict user access to their home dir	rdns	UNIX for Dummies Questions & Answers	10	05-26-2008 07:28 AM
restrict access of a user to two directories only	vikas027	Linux	10	05-03-2008 07:26 AM
Restrict users to certain functions	lweegp	UNIX for Dummies Questions & Answers	12	11-13-2006 07:03 PM
restrict tcp-port access	remivisser	UNIX for Dummies Questions & Answers	2	05-18-2004 01:33 AM

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode