0

Operating System: CentOS Linux 7 (Core)
File Manager: Thunar 1.6.16

Trying to achieve: Users should not copy files to other servers via SFTP. But the blocking mechanism should not block users from using ssh to reach this machine.

Things I have done:

  • sftp binary removed from this PC
  • Commented out the line below in /etc/ssh/sshd_config and restarted the sshd service:
    Subsystem sftp /usr/libexec/openssh/sftp-server

I tried all of these, but users are still able to connect to an SFTP server by entering an address like ftp://server-ip in the file manager (please see the picture below).


1
  • 1
    You would have to block outgoing connections to remote port 22 on the local firewall (the servers might run on a non-default port though). Commented Apr 5 at 10:40

2 Answers

1

Trying to achieve: Users should not copy files to other servers via SFTP.

They will still be able to copy files to other servers via SSH even if it's not via SFTP. They can still scp, rsync, git push, tar|ssh, cat|ssh, base64 and copy/paste to ssh...

Commented out the line below in /etc/ssh/sshd_config and restarted the sshd service

The service is not used for outgoing connections. Its job is to accept incoming connections.

I tried all of these, but users are still able to connect to an SFTP server by entering an address like ftp://server-ip in the file manager (please see the picture below).

Thunar uses GNOME's Gvfs for general remote URL support. The support for sftp:// URLs is provided by gvfs-sftp, which might be a separate package or it might be part of the main Gvfs package. It uses the 'ssh' command internally, but it doesn't use the 'sftp' command.

3
  • Thanks for your input. My intention is to reduce as far as possible the ways to move files out of this box (rsync, scp: I removed all these binaries; git is not installed; users are accessing this server via a VNC remote connection)
    – Arun
    Commented Apr 5 at 11:25
  • You can't really achieve that if you allow outgoing SSH. Commented Apr 5 at 11:54
  • Is there any option to disable outgoing ssh (outgoing ssh is not required)?
    – Arun
    Commented Apr 5 at 12:02
-1

With the input from all the other answers, I restricted access to the ssh command to root only. After that, the file manager application is unable to connect to the sftp server.

[user1@server1 ~]$ which ssh
/usr/bin/ssh
[user1@server1 ~]$ ls -l /usr/bin/ssh
-rwxr-xr-x 1 root root 774544 Nov 24  2021 /usr/bin/ssh
[user1@server1 ~]$ sudo chmod 700 /usr/bin/ssh
[sudo] password for user1: 
[user1@server1 ~]$ ls -l /usr/bin/ssh
-rwx------ 1 root root 774544 Nov 24  2021 /usr/bin/ssh
[user1@server1 ~]$ 


7
  • You write about sshd, yet your commands are about ssh. + This hardly blocks SSH/SFTP access. Users can use any other SSH/SFTP client. Commented Apr 7 at 5:03
  • @MartinPrikryl Thanks for pointing out, that was a typo, corrected now. Users don't have admin access to install any other utility/software.
    – Arun
    Commented Apr 7 at 13:51
  • And did you block any scripting language, curl, etc? Commented Apr 7 at 15:01
  • @MartinPrikryl this server doesn't have internet access (curl is not blocked)
    – Arun
    Commented Apr 9 at 9:24
  • 1
    Imo, this would be better solved by a firewall, not by blocking applications. Commented Apr 9 at 14:29
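
The firewall approach suggested in the comments, as an added example that is not part of the original thread: a shell script that prints (and, with APPLY=1, installs) firewalld direct rules rejecting new outgoing TCP connections, either to the listed remote ports or, with no arguments, from all non-system users, which also covers SSH servers on non-default ports. The function names, the APPLY switch and the UID range 1000-60000 are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: firewalld is the active firewall on the CentOS 7
# host, and human accounts use UIDs 1000-60000 (constructed range).

# Print firewalld "direct" rules, one per line. Arguments are the remote TCP
# ports to refuse; with no arguments every NEW outgoing TCP connection made by
# a non-system user is refused, which also covers SSH on non-default ports.
build_rules() {
    for port in "$@"; do            # validate before emitting anything
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
    done
    new="-m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset"
    for fam in ipv4 ipv6; do
        base="$fam filter OUTPUT"
        # Keep loopback traffic used by local desktop services working.
        echo "$base 0 -o lo -j ACCEPT"
        # Replies for inbound SSH/VNC sessions are not NEW, so they pass.
        echo "$base 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        if [ "$#" -eq 0 ]; then
            echo "$base 2 -p tcp -m owner --uid-owner 1000-60000 $new"
        else
            for port in "$@"; do
                echo "$base 2 -p tcp --dport $port $new"
            done
        fi
    done
}

# Install the rules permanently, then reload firewalld (needs root).
apply_rules() {
    rules=$(build_rules "$@") || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        # $rule is left unquoted on purpose: each word is one argument.
        firewall-cmd --permanent --direct --add-rule $rule </dev/null || exit 1
    done || return 1
    firewall-cmd --reload
}

# Dry run unless APPLY=1: print the rules so they can be reviewed first.
if [ "${APPLY:-0}" = 1 ]; then apply_rules "$@"; else build_rules "$@"; fi
```

Because the rules sit in the OUTPUT chain and match only NEW connections, inbound ssh and VNC sessions to this machine keep working.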
