On Fri, Jun 17, 2005 at 08:37:54AM +0200 or thereabouts, Serge Vrijaldenhoven wrote:
> Hi all,
> 
> I would like to add that there is a DenyGroups directive that can be added 
> to the /etc/ssh/sshd_config file.
> It's probably not too difficult to add the groups related to grid 
> automatically by the yaim scripts. This might be easier in some system 
> setups.

I have ideas for this coming in from multiple direction all of which
are good. Please add them to the wiki.

> DenyGroups
> This keyword can be followed by a list of group name patterns, separated 
> by spaces. Login is disallowed for users whose primary group or 
> supplementary group list matches one of the patterns. '*' and '?' can be 
> used as wildcards in the patterns. Only group names are valid; a numerical 
> group ID is not recognized. By default, login is allowed for all groups.
> If a user's group matches a pattern in both DenyGroups and AllowGroups, 
> login will be denied.
> Note that all other authentication steps must still be successfully 
> completed. AllowGroups and DenyGroups are additional restrictions and 
> never increase the tolerance. 
> 
> Regards,
>                 Serge
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> Ian Neilson 
> Sent by:
> LHC Computer Grid - Rollout <[log in to unmask]>
> 16-06-2005 17:29
> Please respond to
> LHC Computer Grid - Rollout <[log in to unmask]>
> 
> 
> To
> [log in to unmask]
> cc
> 
> Subject
> [LCG-ROLLOUT] The 'How to blacklist a user" discussion and others.
> Classification
> 
> 
> 
> 
> 
> 
> 
> 
> On Monday 13/06/05 there was activity in several places under the headings 
> of 
> 'jobs attempting to alter ssh setup', 'please remove user from VO' and 
> 'how to 
> blacklist a user'.
> 
> NOTE: It is confirmed by the ROC security contact in question that this
> activity, whilst potentially dangerous and unauthorized, was NOT 
> malicious.
> 
> A number of issues are raised by these discussions which can be analysed 
> with 
> the benefit of hindsight of which I give my brief summary of conclusions 
> for 
> some of them here.
> 
> A) Information was flowing in several places (inter-ROC, ROLLOUT and OSCT) 
> 
> but, given the spread and timing of the discussions, confirmation of the 
> true 
> nature of the activity did not reach the necessary wider audience (site 
> admins) until too late. It was also not clear who should act.
> 
> * confirmed incidents MUST be reported, preferably via the registered site 
> 
> security contact, to -
> 
> project-lcg-security-csirts -at- cern -dot- ch (an equivalent -egee- alias
> exists).
> 
> * security reports which are not confirmed attacks (e.g. information 
> updates
> and discussion) is via the site security contact to the list -
> 
> project-lcg-security-contacts -at- cern -dot- ch (an equivalent -egee- 
> alias
> exists).
> 
> Both of the above should reach registered contact addresses at all sites. 
> Mail 
> subjects should clearly identify the content as HIGH, MEDIUM or LOW impact 
> or 
> INFORMATIONAL. Escalation in both cases due to unavailability and for 
> coordination should be through the affected ROC(s). The ROLLOUT list is 
> NOT 
> seen as appropriate for disclosure of security related information.
> 
> I would say the security-contacts list would have been appropriate in this
> case.
> 
> B) Whilst not grid-specific in its nature, technical information on how to
> contain the behaviour was not available and/or not sufficiently 
> publicised.
> The OSCT will review and update where necessary. For the incident in 
> question 
> a reference has been created here:
> http://goc.grid.sinica.edu.tw/gocwiki/Blocking_batch_jobs_from_creating_ssh_back_doors 
> 
> (Thanks Steve Traylen).
> An additional source of general security information is published here:
> http://goc.grid-support.ac.uk/gridsite/operations/security_info.php
> and here: 
> https://cic.in2p3.fr/index.php?id=roc&subid=roc_security&js_status=2
> 
> C) Availability of contact data for VO management and access to user 
> contact
> data for site administrators (currently only readily available through 
> mail
> contact with the VO) is unclear. This needs to be addressed, no immediate
> solution is available but I will add a web page with contact points for 
> this 
> and A) above together with their purpose.
> 
> I would welcome feedback on any aspect to help in improving procedures for 
> the 
> future.
> 
> Ian
> 
> | Ian Neilson, LCG/EGEE Security Officer
> | Grid Deployment Group, CERN
> | Tel: +41 (0)22 76 74929
> 
> 
> 
> 

-- 
Steve Traylen
[log in to unmask]
http://www.gridpp.ac.uk/