Restrict access to specific users.

Hi All!
I would like to know if there is any specific way by which I can restrict access to specific users (IP addresses).

OS : Red Hat Linux

Thanks!
nua7

Depending on the type of access, you can use "TCP wrappers" or "iptables". Do a search for them to find out about them... some services have built-in facilities for controlling access by IP address; if you tell us which type of access you are trying to restrict we may be able to help further.

Are you referring to denying ssh login?
In Red Hat you have PAM for that.
You can also simply ban the whole IP (on all ports and services) by adding it to /etc/host.deny (might be /etc/hosts.deny).

Instead of predicting things, it's better if you tell us what type of restriction you are looking for.

nilesh

Hi All,
I am sorry for not giving all the information. But here is my actual need. I would be having an Oracle database on a Red Hat Linux server which would listen on port 1521 (the default port for Oracle).

I need to restrict users' access to this port. I thought of two solutions for this using iptables.

Solution 1 : Set the firewall with iptables rules to allow IP addresses of a particular subnet to access the Oracle port. Using this rule only machines on the DB server's subnet are able to communicate with it on port 1521.

# drop anything to 1521 whose source is outside the subnet ("! -s" is the negation
# syntax current iptables expects; the older "-s !" form is deprecated); a rule
# without a "-j" target matches but does nothing
iptables -A INPUT -i eth0 -p tcp --dport 1521 ! -s <subnet mask value> -j DROP

Solution 2:
Have a list of all valid IPs in a file and set a rule in iptables to allow access to those IP addresses only.

# the database listens on this host, so the rules belong in INPUT (FORWARD only sees
# routed traffic), and since the file holds IP addresses the match is "-s", not
# "-m mac --mac-source"; a DROP policy on INPUT would also lock out ssh, so only
# port 1521 gets the final DROP
for ip in $(cat ipaddressfile); do 
iptables -A INPUT -p tcp --dport 1521 -s "$ip" -j ACCEPT 
done
iptables -A INPUT -p tcp --dport 1521 -j DROP

Please let me know if I am on the right track or if something else needs to be done. Also kindly let me know which solution would work better from the security point of view.

Thanks!
nua7

It seems to me like the first option would be a lot easier to maintain over time. I can't really comment on the security point of view because it depends on the sensitivity of your data and the security of the network the system is on. There should be security built-in to the database access anyway, so hopefully anything you are doing here is going above and beyond the call of duty anyway?

Hi!
Finally it has been decided that specific IP addresses should be allowed to access the database port: Solution 2, which is in my previous post.

Please let me know if you have any suggestions in the solution 2 I mentioned.
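The script below is an added example for the "Solution 2" approach discussed above; it is not code posted by anyone in this thread. It reads an allowlist file (one IPv4 address or CIDR per line, "#" comments allowed; that format is an assumption), validates every entry so that a stray word or extra option in the file cannot end up as an iptables argument, and prints the resulting INPUT-chain rules for TCP/1521 followed by the closing DROP. The rules are printed rather than applied so they can be reviewed first; the sample allowlist is constructed for the demo and the addresses in it are documentation-range placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules that allow TCP/1521
# (the Oracle listener) only from the IPv4 addresses in an allowlist file, then
# drop everything else on that port. Rules are printed for review, not applied.

ORACLE_PORT=1521

# valid_ipv4 ADDR[/PREFIX]: succeed only for a well-formed dotted quad with an
# optional /0-32 prefix. Hostnames, shell metacharacters and anything else are
# rejected so the allowlist file cannot smuggle extra iptables options.
valid_ipv4() {
    _addr=${1%%/*}
    _pfx=${1#"$_addr"}
    case "$_pfx" in
        "") ;;
        /[0-9]|/[0-9][0-9]) [ "${_pfx#/}" -le 32 ] || return 1 ;;
        *) return 1 ;;
    esac
    case "$_addr" in ""|.*|*.) return 1 ;; esac
    _saved_ifs=$IFS
    IFS=.
    set -- $_addr
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case "$_octet" in ""|*[!0-9]*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# clean_line LINE: strip a trailing '#' comment and all whitespace.
clean_line() {
    printf '%s' "${1%%#*}" | tr -d '[:space:]'
}

# gen_rules FILE: one ACCEPT rule per valid entry, then the final DROP for the port.
gen_rules() {
    while IFS= read -r _line || [ -n "$_line" ]; do
        _entry=$(clean_line "$_line")
        [ -n "$_entry" ] || continue
        valid_ipv4 "$_entry" || continue
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$ORACLE_PORT" "$_entry"
    done < "$1"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$ORACLE_PORT"
}

# invalid_entries FILE: print the entries gen_rules skipped, one per line,
# so a typo in the file is noticed instead of silently locking a client out.
invalid_entries() {
    while IFS= read -r _line || [ -n "$_line" ]; do
        _entry=$(clean_line "$_line")
        [ -n "$_entry" ] || continue
        valid_ipv4 "$_entry" || printf '%s\n' "$_entry"
    done < "$1"
}

# write_sample_allowlist FILE: constructed sample input (documentation-range
# addresses, not anything from the thread) with comments, a blank line and two
# entries that must be rejected.
write_sample_allowlist() {
    cat > "$1" <<'EOF'
# Oracle clients allowed to reach TCP/1521
192.0.2.10
192.0.2.11          # app server
198.51.100.0/28

app01.example.internal   # hostnames are not accepted here
10.0.0.5 -j ACCEPT       # trailing text would become extra options if unvalidated
EOF
}

# Stand-alone run: show what would be rejected, then the rules to review.
_tmp=$(mktemp)
write_sample_allowlist "$_tmp"
echo "# rejected allowlist entries:"
invalid_entries "$_tmp"
echo "# rules to review (as root, after review: gen_rules ipaddressfile | sh):"
gen_rules "$_tmp"
rm -f "$_tmp"
```

Because `-A` appends, these rules only take effect if no broader ACCEPT for the port sits earlier in the INPUT chain; after applying, check the ordering with `iptables -S INPUT` (or `iptables -L INPUT -n --line-numbers`) and use `-I` or a dedicated chain if an earlier rule shadows them. As defence in depth alongside the firewall, Oracle's own listener allowlist (`TCP.VALIDNODE_CHECKING` and `TCP.INVITED_NODES` in sqlnet.ora) restricts the same port at the application layer.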