Suggestion: Limit outbound TCP by UID
Posted: 03 Sep 2013, 17:08
First off, I really REALLY like CSF. It's an awesome piece of work! Thank you so much for creating and supporting it!
One small suggestion that would be really useful: CSF already allows me to limit outgoing SMTP connections to specific users and groups (SMTP_ALLOWUSER and SMTP_ALLOWGROUP). It would be very handy if the same type of exceptions could be made for all outgoing TCP connections. In other words, users/groups in the exception list would be able to make outbound connections to ports that are not listed in TCP_OUT. An even better solution would be a way to have a "restricted" list for this purpose. In other words, everyone can make outgoing connections to ports in TCP_OUT but only "allowed" users could make outgoing connections to ports in TCP_RESTRICTED (or whatever). For still more bonus points, getting notified whenever a non-allowed user tried to create an outgoing connection to a restricted port would help me find malicious scripts as soon as they run.
My motivation: I recently discovered one of the websites on my server had been compromised and was being used as a proxy for attacking other servers (trying to brute-force passwords). I would like to block outgoing connections to ports 80 and 443, but that breaks a lot of stuff (cPanel, csf, WordPress) that relies on hitting URLs to check/download updates. If I could block outgoing connections to ports 80 and 443 for all users except root, cpanel, etc., I'd sleep better at night. WordPress still wouldn't be able to update automatically, but I could live with that.
Thanks again!
-- Sam
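As an added example that is not part of Sam's post or of CSF itself: the restricted-port behaviour described above can be built from stock iptables, using the same `-m owner --uid-owner` match that user-based outbound SMTP filtering relies on. The script below generates (dry-run, to stdout) a rule set that lets only the listed users open new outbound TCP connections to the "restricted" ports, and logs the offending UID before rejecting everyone else, which covers the notification wish. The variable names `TCP_RESTRICTED` and `ALLOWED_USERS`, the chain name, and the sample log line are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not CSF code. Generates iptables rules that restrict
# outbound TCP to listed ports by user ID and log every other attempt.
# -m owner only matches locally generated packets, so this belongs in OUTPUT.

# Constructed sample configuration (assumed names, not CSF settings)
TCP_RESTRICTED="80,443"            # ports that only allowed users may reach
ALLOWED_USERS="root"               # add e.g. the cPanel service user here
LOG_PREFIX="Firewall: *TCP_RESTRICTED* "

# Resolve a user name to its numeric UID with `id -u`; if the account does
# not exist locally, fall back to the name so the rule fails loudly on apply.
uid_of() {
    id -u "$1" 2>/dev/null || printf '%s' "$1"
}

# Print the rule set (dry run). Review it, then pipe to `sh` as root to apply.
build_restricted_rules() {
    chain="OUT_RESTRICTED"
    printf 'iptables -N %s\n' "$chain"
    # Divert only NEW outbound TCP connections to the restricted ports
    printf 'iptables -I OUTPUT -p tcp -m multiport --dports %s -m conntrack --ctstate NEW -j %s\n' \
        "$TCP_RESTRICTED" "$chain"
    # Allowed users leave the chain early and continue through OUTPUT as normal
    for u in $ALLOWED_USERS; do
        printf 'iptables -A %s -m owner --uid-owner %s -j RETURN\n' "$chain" "$(uid_of "$u")"
    done
    # Everyone else: rate-limited LOG with --log-uid (records the process UID),
    # then a TCP reset so the script fails fast instead of hanging
    printf 'iptables -A %s -m limit --limit 5/min -j LOG --log-prefix "%s" --log-uid\n' \
        "$chain" "$LOG_PREFIX"
    printf 'iptables -A %s -j REJECT --reject-with tcp-reset\n' "$chain"
}

# Constructed kernel log line of the shape the LOG rule above produces
SAMPLE_LOG='Sep  3 17:08:00 host kernel: Firewall: *TCP_RESTRICTED* IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN URGP=0 UID=1001 GID=1001'

# Pull the offending UID out of such a log line; feed the result to a lookup
# of the web account so the alert names the compromised site
offending_uid() {
    printf '%s\n' "$1" | sed -n 's/.*UID=\([0-9][0-9]*\).*/\1/p'
}

# Stand-alone run: show the rules and the UID parsed from the sample line
build_restricted_rules
printf 'sample log line came from UID %s\n' "$(offending_uid "$SAMPLE_LOG")"
```

The chain is inserted at the top of OUTPUT with `-I`, so it takes precedence over any broader "allow port 443" rule already present; `RETURN` for allowed UIDs then hands the packet back to the rest of OUTPUT rather than accepting it outright, so existing TCP_OUT-style rules still apply. A log watcher (CSF's lfd, syslog, or a cron grep) matching on the prefix and the `UID=` field gives the "notify me when a non-allowed user tries" behaviour.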