I'm trying to block users with command line access to a RHEL7 server from easily exporting large chunks of data wholesale. I'd like to block outgoing email, ftp, sftp, etc.
I understand that there are limitations to what can be achieved. If a user has unrestricted access to data, then they could dump it to the screen and cut and paste, for example. But I'd like to make it at least slightly difficult.
I've seen the suggestion to add accounts to /etc/mail/access and REJECT each account that shouldn't be allowed to send. This is feasible, given the number of users. But the sendmail daemon does not seem to be running by default and there's no /etc/mail directory. Should I just create it and make an /etc/mail/access config file and make the database? Or is there a different default location of this file on RHEL7?
And would this prevent something like the following from working?
mail [email protected] < bigpileofdata.txt
Can outgoing sftp be disabled while allowing standard ssh command line connections? I suppose incoming should be blocked as well, given that they'd be able to create a local file in their account and then download it via sftp. Outgoing ssh could be blocked entirely, but incoming ssh needs to be allowed or the user won't be able to use the server at all.
I'm open to other suggestions for clamping down.
Thanks for your thoughts.
What about using something like iptables to block outgoing traffic on a per user basis? Any potential pitfalls?