I have a computer running SSH that I would like to give my friends access to, but I do not want them to use my internet connection through SSH tunnelling (although I'd like to do so myself). Is there a way to have a log of when SSH tunnels are created and by which (local) users, or, if that's not possible, only allow some users to do so?
If your friends are able to SSH onto your computer, they are using some of your bandwidth and it is therefore impossible to completely block their access to your Internet connection.
That being said, one solution would be to limit what your friends can do with your connection. You could set up a firewall that whitelists your friends' IPs and blacklists everything else. That way, your friends could SSH onto your computer but, from there, wouldn't be able to reach any other IP than their own.
I have never set up a user-specific firewall myself, but I believe it is possible to achieve with IPTables. Also, keep in mind that your users could still eat up a lot of your bandwidth by uploading big files to your server. If you specifically want to prevent this, you would have to limit bandwidth per user.
You want to make sure /etc/ssh/sshd_config contains
and then at the end of the file put
This will allow you and only you to port-forward to your heart's content, but as João said you won't be able to prevent them running their own programs unless you also disable shell access.
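The answer above describes the standard layout for this: `AllowTcpForwarding no` in the global section of sshd_config, then a `Match User` block at the very end that re-enables it for one account. The block below is an added example, not part of that answer: it embeds such a config (the admin account is called `alice` here as a placeholder) and resolves the effective setting per user the way `sshd -T -C user=bob` would, so you can see why the Match block must come last and why the first global occurrence of a keyword is the one that counts. The evaluator is a simplified model of sshd's rules (no `!` negation, no `Match all`), and on a real host the authoritative check is `sshd -T -C user=bob | grep -i allowtcpforwarding`.

```python
"""Resolve the effective AllowTcpForwarding for a user from an sshd_config.

Added example; the config text is constructed and the username "alice" is a
placeholder for the admin account. Modelled sshd rules:
  * outside Match blocks, the first occurrence of a keyword wins;
  * a keyword inside a matching Match block overrides the global value, and
    among several matching blocks the first one that sets it wins.
Real check on a live host:  sshd -T -C user=bob | grep -i allowtcpforwarding
"""
import fnmatch

SSHD_CONFIG = """\
# Global section (constructed example): nobody may forward ports or use tun devices
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no

# Match blocks must be last: every line after a Match belongs to it until the next Match
Match User alice
    AllowTcpForwarding yes
"""


def parse_sshd_config(text):
    """Return (global_settings, [(criteria, settings), ...]).

    Each settings dict maps lowercased keyword -> first value seen in that section.
    criteria is a list of (type, pattern) pairs, e.g. [("user", "alice")].
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            criteria = [(tokens[i].lower(), tokens[i + 1])
                        for i in range(0, len(tokens) - 1, 2)]
            current = {}
            match_blocks.append((criteria, current))
            continue
        current.setdefault(keyword, value)  # first obtained value wins within a section
    return global_settings, match_blocks


def block_matches(criteria, user, group=None, address=None):
    """All criteria on the Match line must hold; each pattern list is comma-separated."""
    facts = {"user": user, "group": group, "address": address}
    for ctype, pattern in criteria:
        subject = facts.get(ctype)
        if subject is None:
            return False
        if not any(fnmatch.fnmatchcase(subject, p) for p in pattern.split(",")):
            return False
    return True


def effective_setting(text, keyword, user, group=None, address=None):
    """Value sshd would apply for `keyword` when `user` connects (model of sshd -T -C)."""
    global_settings, match_blocks = parse_sshd_config(text)
    keyword = keyword.lower()
    for criteria, settings in match_blocks:
        if block_matches(criteria, user, group, address) and keyword in settings:
            return settings[keyword]
    return global_settings.get(keyword)


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, "AllowTcpForwarding =",
              effective_setting(SSHD_CONFIG, "AllowTcpForwarding", who))
```

Note that this only governs forwards that sshd itself performs (`-L`, `-R`, `-D`); `PermitTunnel no` covers `ssh -w` tun devices. Neither stops a user with a shell from running their own forwarder, which is the point the other answers make.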
Note that while you can disable TCP Forwarding by sshd, you need to go a lot further to restrict your users' outgoing activity. Giving them a shell means giving them a lot of power.
For instance, if they can scp files to the server and execute files in /home, they can simply upload a pppd binary, and use that to run PPP over SSH. If you allow incoming connections they can just run
/usr/sbin/sshd -p 9999 -f special_sshd_config
and use your server through that sshd. You may want to look into the iptables owner module (man iptables, search for owner) and chroot jails, but this is really hard to solve without ruining their shell experience.
The only option I am aware of is to disable tunneling at the system level.
Edit /etc/ssh/sshd_config, and change/add
Please note that while they have shell access, there is no way to prevent users from using their own binaries to forward connections.
This has been asked on serverfault, too https://serverfault.com/questions/181660/how-do-i-log-ssh-port-forwards and there's a patch: http://blog.rootshell.be/2009/03/01/keep-an-eye-on-ssh-forwarding/
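The patch linked above makes sshd itself log forwards; the earlier answers point out that a friend with a shell can bypass sshd's forwarding entirely with pppd or a private sshd. A way to log tunnels that does not care which binary opened them is to watch outbound connections per uid: sshd's post-authentication child runs as the logged-in user, as does anything they start from the shell, so a new established socket owned by a friend's uid whose local port is not one of your services is a tunnel of some kind. The block below is an added example, not from any answer here or from the linked patch. It parses the `/proc/net/tcp` format (the sample excerpt is constructed; uid 1000 is the admin and 1001 a friend), snapshots outbound connections per uid, and reports the new ones on each poll. It reads IPv4 only; `/proc/net/tcp6` has the same layout with 32-hex-digit addresses.

```python
"""Log new outbound TCP connections per local user from /proc/net/tcp.

Added example. sshd's post-auth child runs as the logged-in user, so an
established socket owned by a friend's uid that we did not initiate as a
service is a forward (or pppd, or a private sshd). Polling /proc/net/tcp
catches all of these regardless of the binary. IPv4 only here; the sample
excerpt below is constructed, not captured from a real host.
"""
import socket
import struct

# Constructed /proc/net/tcp excerpt: sshd listening (uid 0), an inbound session
# from a friend (uid 1001), two outbound connections owned by that uid, and one
# outbound connection owned by the admin (uid 1000).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0200000A:0016 0A00000A:C4A2 01 00000000:00000000 00:00000000 00000000  1001        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0200000A:B3E4 5EB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 22223 1 0000000000000000 20 4 30 10 -1
   3: 0200000A:B3E5 5EB8D822:0050 01 00000000:00000000 00:00000000 00000000  1001        0 22224 1 0000000000000000 20 4 30 10 -1
   4: 0200000A:A1B2 08080808:0035 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""

TCP_ESTABLISHED = 0x01


def decode_endpoint(field):
    """'0200000A:0016' -> ('10.0.0.2', 22). The kernel prints the address in host
    byte order, so on little-endian machines the hex reads byte-reversed."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Yield one dict per socket line; the header line is skipped."""
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:
            continue
        yield {
            "local": decode_endpoint(cols[1]),
            "remote": decode_endpoint(cols[2]),
            "state": int(cols[3], 16),
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        }


def outbound_by_uid(text, local_service_ports=(22,)):
    """uid -> sorted [(remote_ip, remote_port)] for established sockets that are
    not inbound sessions to one of our own service ports."""
    result = {}
    for s in parse_proc_net_tcp(text):
        if s["state"] != TCP_ESTABLISHED:
            continue
        if s["local"][1] in local_service_ports:
            continue  # an inbound SSH session, not something the user opened
        result.setdefault(s["uid"], []).append(s["remote"])
    return {uid: sorted(v) for uid, v in result.items()}


def new_outbound(previous, current):
    """Per uid, the connections present now that were absent from the last snapshot."""
    delta = {}
    for uid, conns in current.items():
        fresh = [c for c in conns if c not in previous.get(uid, [])]
        if fresh:
            delta[uid] = fresh
    return delta


if __name__ == "__main__":
    import pwd
    import time
    seen = {}
    while True:  # poll; a 2 s interval misses very short-lived connections
        with open("/proc/net/tcp") as f:
            now = outbound_by_uid(f.read())
        for uid, conns in new_outbound(seen, now).items():
            name = pwd.getpwuid(uid).pw_name
            for ip, port in conns:
                print(f"{time.strftime('%F %T')} uid={uid} ({name}) opened {ip}:{port}")
        seen = now
        time.sleep(2)
```

Run it as root (or any user; `/proc/net/tcp` is world-readable) and feed the output to your logger. Combined with the iptables owner module mentioned earlier, the same uid-based view can be turned from a log into a block: drop `OUTPUT` packets whose `--uid-owner` is a friend's account except towards their own address.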
First iteration:
Disable ssh forwarding for them. in ssh
You enable IPSec for yourself and VPN to your server. IPSec works at the network level, so it is unaffected by SSH application settings.