keeping non-root user out of Perlbal mgmt

Mark Smith smitty at gmail.com
Thu Feb 14 21:42:10 UTC 2008


> This isn't really a security solution. But if you're stuck running Perlbal
>  on a machine that has to have non-root users with shell access and you
>  want to keep them from using "telnet localhost 60000" (or whatever), the
>  following might help:
>
>  iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp \
>   --dport 60000 -m owner ! --uid-owner root -j REJECT

As an interesting note, I ran into an issue before where this sort of
filter could be tricked by setting up an ssh tunnel.  Since ssh runs
as root or starts as root, the traffic was marked as coming from root?
(I was faking out mailservers at my college this way so it said mail
was coming from root at whatever ...)

Might be worth a check; I'd be curious if this still works.  Either
way, neat suggestion!  Perhaps something could be done to make Perlbal
use something else for the management port concept, so only certain
users could connect.


-- 
Mark Smith / xb95
smitty at gmail.com
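One way to act on the closing suggestion, as an added example that is not Perlbal's code and not part of the thread: serve the management interface on a Unix domain socket and ask the kernel for the connecting process's uid via SO_PEERCRED, so the decision rests on who actually opened the socket rather than on a loopback packet filter. The socket path, the allowed-uid set and the Linux-only SO_PEERCRED call are assumptions of this illustration.

```python
"""Restrict a local management interface to chosen uids with SO_PEERCRED.
Constructed illustration (Linux): not Perlbal's management port code."""
import os
import socket
import struct
import tempfile
import threading


def peer_uid(conn: socket.socket) -> int:
    """uid of the process at the other end of an AF_UNIX stream socket.
    SO_PEERCRED returns struct ucred {pid, uid, gid}, filled in by the kernel,
    so a forwarding daemon shows up as itself, not as whoever it relays for."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def serve_one(listener: socket.socket, allowed_uids) -> tuple:
    """Accept one connection and admit it only if the peer uid is allowed."""
    conn, _ = listener.accept()
    with conn:
        uid = peer_uid(conn)
        if uid not in allowed_uids:
            conn.sendall(b"ERROR: uid %d may not use the management socket\n" % uid)
            return ("denied", uid)
        conn.sendall(b"OK: management session for uid %d\n" % uid)
        return ("allowed", uid)


def demo(allowed_uids=None) -> dict:
    """Self-test: bind a throwaway socket (constructed path), connect from this
    process, and report how the server classified the caller."""
    if allowed_uids is None:
        allowed_uids = {0, os.getuid()}        # root plus the operator account
    path = os.path.join(tempfile.mkdtemp(), "mgmt.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    os.chmod(path, 0o600)   # file mode is extra hardening; SO_PEERCRED is the real check
    listener.listen(1)
    result = {}

    def server():
        result["verdict"], result["peer_uid"] = serve_one(listener, allowed_uids)

    t = threading.Thread(target=server)
    t.start()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)
        result["reply"] = client.recv(128)
    t.join()
    listener.close()
    os.unlink(path)
    os.rmdir(os.path.dirname(path))
    result["own_uid"] = os.getuid()
    return result
```

Unlike the iptables owner match, this check is made per connection by the kernel on the Unix socket itself, so it does not depend on loopback TCP at all.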

