User-based remote port access

Red Squirrel (No Lifer, joined May 24, 2003; www.anyf.ca):
What is the easiest way to allow users to access a certain external port, but by username? Ex: I make them an account in the system, then I can choose which ports/IPs on my network they can access. Would OpenVPN allow this?
 

Nothinman (Elite Member, joined Sep 14, 2001):
A VPN might work, but they'd need a VPN client, so it's not really the same thing. There's no way to do that with raw TCP; you need something at the application layer to ask for the username/password and grant access to its service.
 

Crusty (Lifer, joined Sep 30, 2001):
You can easily tie various types of VPN services to an authentication agent like LDAP, RADIUS, or even some of MS's proprietary protocols like MSCHAP. You're going to need a hardware device to provide the VPN services and then your authentication server. I doubt there's going to be a totally free solution that's easy to implement. I use a Cisco ASA firewall tied to a Windows Server 2k8 using Kerberos + LDAP for authentication/authorization. It would be a pain to set it up for each user to have a different port (lots of administrative work), but it's trivial to create the policies based on different LDAP criteria (like group membership). Different groups get different IP addresses from the VPN and have access to different services/networks/ports/whatever on the internal network.
 

Red Squirrel:
What about OpenVPN? Does it support any user-based policies? I don't need anything fancy like LDAP or RADIUS as the user DB. I don't plan to have many users use the system.
 

Brazen (Diamond Member, joined Jul 14, 2000):
OpenVPN creates a virtual port on the server that can be restricted by the firewall just like any other port. If all your users need access to the same ports, then this would be easy. If each user will need access to different ports, then you may have to get creative with running multiple OpenVPN daemons on multiple ports.
 

Brazen:
If you give more information about what you are trying to accomplish, we may be able to come up with a better solution.

Another possibility I've thought of is using ssh with port tunnelling, but I'm not sure if you can restrict port tunnelling (I've never needed to restrict it, but I'm thinking you can). I'm pretty sure you can set per-user settings for the ssh daemon though. I _think_ it's even possible to disable an interactive shell with ssh and only allow tunnelling. At the least, you can set the user's shell to /sbin/nologin in /etc/passwd, which will restrict any interactive shell either locally or remotely.
 

Red Squirrel:
Basically what I want is to give people a VPN account, so they VPN in to the same port. Now from the VPN server/tunnel I want them to have access to various ports.

Ex: a VPN user connects to the VPN; that user has access to 10.1.1.10 port 80 only, the rest is blocked. Another user logs in with their account, but may have a bit more access.

In my current case 1 user is me, so I get most access, and another user is a dev for a specific project (so I only want his account to have access to anything related to that project).

Though another thing I'm thinking of doing is just to set up my VMs behind their own individual firewalls; then I'd have multiple ssh ports open. For what I'm doing this may do the job. So say I have 10 devs for one project: they all use the same port, as they all require the same access anyway. This way I could even give them VNC access and all, and they are locked in that one VM (no outgoing access).
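Brazen's approach above (fix each user's tunnel address, then let the firewall decide) applied to the scenario in this last post, as an added example that is not from anyone in the thread: the dev account reaches 10.1.1.10 port 80 only, the admin account reaches the whole 10.1.1.0/24. It assumes a Linux OpenVPN server with iptables; the interface name, tunnel addresses, usernames and ccd path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Pins each OpenVPN user (cert CN) to a
# fixed tunnel address via client-config-dir, then builds iptables FORWARD
# rules keyed on that address. Assumed server.conf settings (not the OP's):
#   topology subnet
#   server 10.8.0.0 255.255.255.0
#   client-config-dir /etc/openvpn/ccd
# The interface name, addresses and usernames below are also assumptions.
CCD_DIR=${CCD_DIR:-/etc/openvpn/ccd}
TUN_IF=${TUN_IF:-tun0}

# ccd_entry TUNNEL_IP: body of the client-config file that fixes one user to
# TUNNEL_IP, so the firewall rules for that address always hit the same account.
ccd_entry() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$1"
}

# user_rules TUNNEL_IP DST_IP DST_PORT [DST_IP DST_PORT ...]
# Allow only the listed TCP destinations from TUNNEL_IP, then drop the rest.
user_rules() {
    src=$1; shift
    while [ $# -ge 2 ]; do
        printf 'iptables -A FORWARD -i %s -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
            "$TUN_IF" "$src" "$1" "$2"
        shift 2
    done
    printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$TUN_IF" "$src"
}

# policy: the full ordered rule set. Return traffic first, then per-user rules,
# then a drop for any tunnel address that has no rules (an unpinned client).
policy() {
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    user_rules 10.8.0.10 10.1.1.10 80                 # dev: one web port only
    printf 'iptables -A FORWARD -i %s -s 10.8.0.2 -d 10.1.1.0/24 -j ACCEPT\n' "$TUN_IF"  # admin: whole subnet
    printf 'iptables -A FORWARD -i %s -j DROP\n' "$TUN_IF"
}

# Only touch the live system when APPLY=1; otherwise just print what would run.
if [ "${APPLY:-0}" = 1 ]; then
    ccd_entry 10.8.0.10 > "$CCD_DIR/dev"
    ccd_entry 10.8.0.2  > "$CCD_DIR/admin"
    policy | sh
else
    policy
fi
```

Run it once without APPLY to review the rules, then with APPLY=1 as root after `client-config-dir` is enabled; a client whose certificate CN has no ccd file gets a pool address and falls through to the final DROP.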