yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Time-based access limiting on Checkpoint or any Linux for that matter

Time-based access lists have been available in the Cisco world since … the last century, for sure. But is it possible that Linux has nothing like that? No way – of course it can do it, and do it better. Here is how.
Access control based on the time of day is provided by the pam_time PAM module, and since almost all software today supports PAM, this means it is available practically everywhere.
Steps to do it are these:

  • Enable the pam_time.so module for the software of interest in its config file under /etc/pam.d;
  • Configure the time range(s) during which this service accepts connections, using the file /etc/security/time.conf;
  • Most probably restart the service, and we are set.

E.g. let's restrict user ftp_user so that it is able to connect to the vsftpd daemon only during working hours on weekdays.
    – Add to the file /etc/pam.d/vsftpd the following line:
    account required /lib/security/pam_time.so
    – Set the time limits in /etc/security/time.conf with this line (fields are service;tty;user;times):
    vsftpd;*;ftp_user;Wk0800-1700
    – Restart vsftpd to force it to use the pam_time.so module (needed only the first time):
    #service vsftpd restart
    And now during the off-limits hours ftp_user will not be able to connect by FTP. That is it.

For Checkpoint all of the above holds true, but as you don't have many servers there, the most probable candidate for such restrictions is the ssh daemon. For example, a firewall to which the client also has ssh access: while mail alerts on such access (see Mail alert on ssh access in Checkpoint) will warn me about it, that does me no good if someone on the client side accesses the firewall at 02:00 at night and all I get is an alert. But if it can happen during working hours only, I can see the alert and act in real time.
Example of limiting ssh access to the firewall to working hours only.
/etc/security/time.conf :
sshd;*;client_user;Wk0900-1900
/etc/pam.d/sshd :
account required /lib/security/pam_time.so
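A mistake in a time.conf line locks people out (or lets them in) silently, so it pays to test the rule before touching the firewall. The following Python script is an added example, not part of the post and not pam_time itself: an offline checker that parses time.conf lines and reports whether a given service/user/timestamp would pass, covering both rules above (vsftpd for ftp_user, sshd for client_user) plus a constructed night-only window for a hypothetical backup account, to show a range that wraps past midnight. It implements a subset of the time.conf(5) syntax (day abbreviations, one HHMM-HHMM range per token, ! negation, & and | logic lists evaluated left to right, * wildcards) and assumes the start of a range is inclusive and the end exclusive; the rule semantics are this example's reading of pam_time: every line whose service, tty and user fields match is applied, and access is denied if any such line's time list does not match.

```python
"""Offline checker for pam_time rules (added example, subset of time.conf(5) syntax)."""
import re
from datetime import datetime

# Day abbreviations from time.conf(5); weekday numbers follow Python (Mon=0 .. Sun=6)
DAY_GROUPS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4},        # working days
    "Wd": {5, 6},                 # weekend
    "Al": {0, 1, 2, 3, 4, 5, 6},  # every day
}
TIME_TOKEN = re.compile(r"^((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")

# Constructed sample: the two rules from the post plus a night-only window for a
# hypothetical "backup" account (demonstrates a range wrapping past midnight).
SAMPLE_TIME_CONF = """\
# services;ttys;users;times
vsftpd;*;ftp_user;Wk0800-1700
sshd;*;client_user;Wk0900-1900
sshd;*;backup;Al2300-0600
"""


def parse_time_conf(text):
    """Return a list of (services, ttys, users, times) tuples, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError("expected 4 ';'-separated fields: %r" % raw)
        rules.append(tuple(fields))
    return rules


def _eval_logic(field, match_token):
    """Evaluate a logic list such as 'a|!b&c' left to right; '!' negates one token."""
    result, op = None, None
    for part in re.split(r"([&|])", field):
        if part in ("&", "|"):
            op = part
            continue
        negated = part.startswith("!")
        value = match_token(part[1:] if negated else part) != negated
        if result is None:
            result = value
        elif op == "&":
            result = result and value
        else:
            result = result or value
    return bool(result)


def _name_matches(field, name):
    """Service, tty and user fields: '*' matches anything."""
    return _eval_logic(field, lambda tok: tok == "*" or tok == name)


def _time_matches(token, weekday, hhmm):
    """One token such as 'Wk0800-1700'. Assumed: start inclusive, end exclusive;
    a range whose end is before its start (e.g. 2300-0600) wraps past midnight."""
    m = TIME_TOKEN.match(token)
    if not m:
        raise ValueError("bad time token: %r" % token)
    days = set()
    spec = m.group(1)
    for i in range(0, len(spec), 2):
        days ^= DAY_GROUPS[spec[i:i + 2]]   # a repeated day unsets it: 'WkMo' = Tu-Fr
    if weekday not in days:
        return False
    start, end = int(m.group(2)), int(m.group(3))
    if start <= end:
        return start <= hhmm < end
    return hhmm >= start or hhmm < end


def access_allowed(rules, service, user, when, tty="*"):
    """True unless some rule applying to service/tty/user has a non-matching time list."""
    weekday, hhmm = when.weekday(), when.hour * 100 + when.minute
    for services, ttys, users, times in rules:
        applies = (_name_matches(services, service) and _name_matches(ttys, tty)
                   and _name_matches(users, user))
        if applies and not _eval_logic(times, lambda t: _time_matches(t, weekday, hhmm)):
            return False
    return True


def check(rules, service, user, timestamp):
    """Convenience wrapper taking a 'YYYY-MM-DD HH:MM' string."""
    return access_allowed(rules, service, user,
                          datetime.strptime(timestamp, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    rules = parse_time_conf(SAMPLE_TIME_CONF)
    for svc, usr, ts in [("vsftpd", "ftp_user", "2011-12-07 10:30"),   # Wednesday
                         ("vsftpd", "ftp_user", "2011-12-10 10:30"),   # Saturday
                         ("sshd", "client_user", "2011-12-07 02:00"),
                         ("sshd", "backup", "2011-12-07 02:00")]:
        print(svc, usr, ts, "->", "allow" if check(rules, svc, usr, ts) else "deny")
```

Run it against a copy of your real time.conf before deploying, and remember that pam_time is an account module consulted at login: it blocks new connections outside the window but does not cut off sessions that are already open when the window closes.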



2 Comments

  1. Hi Yuri, what about time-based access via Dashboard config? Why could it be better to configure it via pam.d?
    Thanks

  2. Yuri

    December 6, 2011 at 9:56 pm

    Hi, well, actually there is no good reason I could come up with to limit access this way and not via Dashboard – I did it just to extend CP limits 🙂. In new versions of Checkpoint configuring a time range for a rule is indeed a breeze.


© 2016 yurisk.info
