Date: Sun, 24 Nov 1996 21:01:54 +0200 (GMT)
From: Thamer Al-Herbish <shadows@whitefang.com>
To: questions@freebsd.org
Subject: Re: Keeping users from bind'ing to ports
Message-ID: <Pine.SOL.3.91.961124205525.476D-100000@localhost>
In-Reply-To: <199611230016.SAA06854@main.gbdata.com>
On Fri, 22 Nov 1996, Gary Clark II wrote:

> David Langford wrote:
> >
> > Is there a way of keeping some users from being able to run programs
> > that bind to ports over 1024? (i.e. to keep users from running servers)
>
> I don't know any way of doing this except maybe
> with IP firewall. Anyone else?

A while back I wrote a hack that basically ran netstat for all listening
ports, then did a reverse ident query to find out which users were running
what on what port. There's one problem there: you only know userX ran
something on port xxxx.

I really wouldn't do this; you have to realise there are programs at user
level that bind to a port. FTP comes to mind, where the client opens up an
additional port to get the data from. Of course, like I mentioned earlier,
userX running on port xxx, not a pid number there.

Look into pidentd and check their code for FreeBSD, how they query the
kernel for the open ports etc.

The best solution is to use an ip firewall, run all ftp/http/etc through a
proxy.

--
Thamer Al-Herbish
shadows@whitefang.com
shadows@kuwait.net
-=WhiteFang UNIX Software Development and Consultancy=-
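The netstat-plus-ident trick described in the message above, written out as an added example; this is not code from the original post or from pidentd. It assumes FreeBSD-style `netstat -an` output (a constructed sample is embedded) and an RFC 1413 identd answering on 127.0.0.1 port 113. Only `owner_of_listener` needs a live identd: it connects to the listener, reads its own ephemeral port, and asks identd who owns the accepting side of that connection pair. The parsing and the port-to-user mapping run offline against constructed replies, including the ERROR / HIDDEN-USER case that a paranoid identd returns.

```python
"""Map local listening TCP ports to owning users via netstat + RFC 1413 ident.
Added example, not from the original message or from pidentd. Assumes
FreeBSD-style `netstat -an` output and an identd on 127.0.0.1:113."""
import re
import socket

# Constructed sample of `netstat -an` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.8080                 *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            10.0.0.9.51234         ESTABLISHED
udp4       0      0  *.514                  *.*
"""

# Constructed identd replies, one per listener in SAMPLE_NETSTAT (assumed users).
SAMPLE_IDENT_REPLIES = {
    22: b"22 , 40001 : USERID : UNIX : root\r\n",
    25: b"25 , 40002 : USERID : UNIX , US-ASCII : mailnull\r\n",
    8080: b"8080 , 40003 : USERID : UNIX : joe\r\n",
}


def listening_ports(netstat_output):
    """Return the sorted TCP ports in LISTEN state from `netstat -an` text."""
    ports = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            # Local address is "addr.port"; the port follows the last dot.
            ports.add(int(f[3].rsplit(".", 1)[1]))
    return sorted(ports)


def ident_request(server_port, client_port):
    """Encode an RFC 1413 query: '<port-on-server> , <port-on-client>' CRLF."""
    return f"{server_port} , {client_port}\r\n".encode("ascii")


_REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")


def parse_ident_reply(reply):
    """Parse one RFC 1413 reply line into a dict.

    USERID replies carry '<opsys> : <user-id>'; ERROR replies carry a token
    such as NO-USER or HIDDEN-USER. Only the first ':' after USERID separates
    opsys from user-id, because opsys may itself read 'UNIX , US-ASCII'.
    """
    text = reply.decode("ascii", "replace").rstrip("\r\n")
    m = _REPLY_RE.match(text)
    if not m:
        raise ValueError(f"malformed ident reply: {text!r}")
    sport, cport, kind, rest = m.groups()
    out = {"server_port": int(sport), "client_port": int(cport), "kind": kind}
    if kind == "USERID":
        opsys, _, user = rest.partition(":")
        out["opsys"], out["user"] = opsys.strip(), user.strip()
    else:
        out["error"] = rest.strip()
    return out


def owner_of_listener(port, host="127.0.0.1", timeout=3.0):
    """Connect to a local listener, then ask identd who owns the accepting side.

    Needs a running identd (e.g. pidentd) on host:113; raises OSError otherwise.
    """
    with socket.create_connection((host, port), timeout=timeout) as probe:
        client_port = probe.getsockname()[1]
        with socket.create_connection((host, 113), timeout=timeout) as ident:
            ident.sendall(ident_request(port, client_port))
            reply = b""
            while b"\n" not in reply and len(reply) < 1024:
                chunk = ident.recv(256)
                if not chunk:
                    break
                reply += chunk
    return parse_ident_reply(reply)


def map_listeners(netstat_output, query=owner_of_listener):
    """Return {port: user} for every listener; None where ident named no user."""
    mapping = {}
    for port in listening_ports(netstat_output):
        try:
            info = query(port)
        except (OSError, ValueError):
            mapping[port] = None
            continue
        mapping[port] = info["user"] if info["kind"] == "USERID" else None
    return mapping


def fake_query(port):
    """Offline stand-in for owner_of_listener using the constructed replies."""
    return parse_ident_reply(SAMPLE_IDENT_REPLIES[port])


if __name__ == "__main__":
    for port, user in map_listeners(SAMPLE_NETSTAT, query=fake_query).items():
        print(f"port {port:5d}  user {user}")
```

As the message itself warns, this yields a user per port, never a pid, and it says nothing about which program holds the socket; an identd configured to answer HIDDEN-USER (or not running at all) leaves the port unattributed. On a current FreeBSD host `sockstat -l` reports user, command and pid for every listening socket directly, which makes the ident round trip unnecessary for local auditing.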