Using Solaris and Linux servers and OpenSSH, is it possible to prevent users from copying files using "scp" while still allowing shell access with "ssh"?
I realize that 'ssh $server "cat file" ' type file accesses are much harder to prevent, but I need to see about stopping "scp" for starters.
Failing that, is there a way to reliably log all SCP access on the server side through syslog?
While you could edit your
/etc/ssh/sshd_configto look something like this:I would instead determine what the user is likely to use it for. Because if there are only a few commands that you want them to have access to, I would instead remove the ability for them to even invoke a normal
sshshell.If you find that you really do need to be able to run a normal shell, the most you really can hope for, is to slow them down, and make it more difficult.
As others have noted, you can't block scp (well, you could:
rm /usr/bin/scp, but that doesn't really get you anywhere).The best you can do is to change the users' shell to a restricted shell (rbash) and only then to run certain commands.
Remember, if they can read files, they can copy/paste them off the screen. Binary files? xxd/uuencode/mmencode all get around this.
I'd also suggest using process accounting to help you track activity.
You gain nothing by stopping "scp" when you're still allowing literally infinite additional mechanisms of transferring files. Disallowing scp but allowing other mechanisms of copying files is a method of lying to auditors. Often auditors ask to be lied to. Usually I see auditors working with managers to make fake fixes, so that they can state something like "the scp file transfer command has been disabled, so that files can not be copied from the server using scp".
Now a reasonable logging mechanism would be nice. Maybe auditd finally works on Linux. Maybe Solaris finally added some mechanism or dtrace could be used safely. It's reasonable to want the OS to log every time a file is accessed. Of course there's no difference between "reading" and "copying". But this can satisfy an auditor and give significant security to the system. Your logs could be so noisy that the data is useless, or even that you're forced to keep a ridiculously short audit trail. (e.g. you can't log every read() - and one application that does something surprising can make logging every open() a disaster).
Depending on what SSH is needed for, you may be able to achieve this goal (for non-trivial) files by using IPTables to terminate sessions if the packet size is bigger then, say 1400 bytes. This means that interactive ssh will mostly work, but as soon as something tries to send a 1500 byte packet - like scp should for a file larger then 1499 bytes assuming a standard MTU of 1500, it will terminate the connection.
This will also prevent the "catting" attack you mention.
Unfortunately this means that you may have problems editing some files with a text editor, if the screen needs to draw more then 1400 characters, or if you need to cat a long file or do a long directory listing.
In the simplest case a command to do this might look something like
We can make this work better by combining the packet length checks with ipt_recent, so that you allow a limited number of packets larger then 1400 bytes within a set timeframe (say 8 packets per 5 seconds)- this would allow packets up to 12k to slip through, but may give you the interactivity you will need for editing files etc. You can, of course, tweak the number of packets.
This might look something like
The rule examples above only protect against scp uploads such as
scp myfile.data remote.host:~. To additionally protect against scp downloads such asscp remote.host:~/myfile.data /local/path, repeat the above rules but replace--dportwith--sport.A clueful hacker can work around these limitations by setting an MTU of less then 1400 on his machine (or force mtu or similar). Also, while you can't limit this to certain users, you can limit it by IP by modifying the iptables lines as appropriate !!
Cheers, David Go
No.
scpandsshoperate on the same ports and use the same protocol. If you open ansshsession, you can even share your connection with subsequent scp calls using options likeControlMaster.If you do not want people to copy particular files off of a machine, you should not give them any kind of shell access to the machine.
Your best bet isn't to lock down scp, but to use a file system with ACLs to prevent read access. You could probably do something with SELinux to prevent certain applications from reading from certain files.
I believe you can uninstall openssh-clients (or equivalent) on the server.
I think scp client invokes scp on the server when copying data over so if you get rid of scp on the server, then you should be fine.
The solution given by @Tomas works great that deleting/renaming
/usr/bin/scpdoes prevent incoming and outgoingscpfile transfer. However, you must also block all other ports from server to client, and from client to server. Otherwise, your hackish users can runnc -l <PORT>to listen on one side and runnc <TARGET-IP> <PORT>to establish a TCP/IP connection and directly transfer data.Even with this, you still also need to disable X11 forwarding, otherwise, an advanced hackish user can build an X11 app and transfer data via X11 tunnel.
There is a way to use 'scponly' as the shell to disable interactive ssh and allow scp, but I am not aware of anything existing that works in the reverse manner.
You may be able to explore hacking the scponly shell to accomplish the reverse.
This is not possible actually after a little googling.
Check out this discussion: http://www.mydatabasesupport.com/forums/unix-admin/387261-how-restrict-ssh-users-block-scp-sftp.html