LinuxQuestions.org
Old 10-24-2012, 05:59 PM   #1
Obscurious
LQ Newbie
 
Registered: Jun 2009
Distribution: Debian, RHEL, FreeBSD
Posts: 17

Rep: Reputation: 0
Apache User and Shell Security Question


I just set up a WordPress server running Ubuntu. In order to get the pointy-clicky updates to work I had to set up SFTP on the server. I installed vsftpd and opened the port. After forcing encryption I enabled local accounts access to the SFTP server. Since Apache serves WordPress I needed to give www-data access to the SFTP server. I set the www-data password, and added /usr/sbin/nologin to the file /etc/shells.

This method works but I am concerned about security:

1) Setting the password on a system account seems like a bad idea. I have SSH locked down via AllowUsers, but I don't know enough to be certain that this didn't open a hole internally. Is this generally a bad idea and is there an alternative approach?

2) I understand that /etc/shells is just a list of users' shells that vsftpd will accept, but I have never come across the nologin shell before. Researching I found that it is a way to refuse logins and thus a way to cordon off system accounts. Hence I feel a little dirty adding access to accounts that we want to not have access. Did I just give every system account access to the SFTP server?
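Added example, not part of the original thread: a small audit of the two conditions the question above is about, namely which accounts have a shell listed in /etc/shells and which of those also have a usable password. It assumes vsftpd authenticates local users through PAM with pam_shells and pam_unix (the stock Debian/Ubuntu arrangement) and ignores deny lists such as /etc/ftpusers; the file contents and the function names are constructed for illustration.

```python
# All file contents below are constructed samples, not taken from the thread.
SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/sbin/nologin
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """root:!:15637:0:99999:7:::
daemon:*:15637:0:99999:7:::
sync:*:15637:0:99999:7:::
www-data:$6$constructed$hashplaceholder:15637:0:99999:7:::
backup:*:15637:0:99999:7:::
alice:$6$constructed$hashplaceholder:15637:0:99999:7:::
"""

def parse_shells(text):
    lines = (l.strip() for l in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def password_state(field):
    # A leading "!" or "*" in the shadow field means no password can match.
    if field == "":
        return "empty"
    return "locked" if field[0] in "!*" else "set"

def audit(passwd, shadow, shells):
    """Return (user, shell_listed, password_state) for each passwd entry."""
    valid = parse_shells(shells)
    hashes = dict(l.split(":")[:2] for l in shadow.splitlines() if l)
    rows = []
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        shell = f[6] or "/bin/sh"  # an empty shell field means /bin/sh
        rows.append((f[0], shell in valid, password_state(hashes.get(f[0], "*"))))
    return rows

def ftp_candidates(rows):
    # Shell check passes and the password is not locked ("empty" is flagged conservatively).
    return sorted(u for u, listed, state in rows if listed and state != "locked")

if __name__ == "__main__":
    print(ftp_candidates(audit(PASSWD, SHADOW, SHELLS)))
```

On the sample data, listing /usr/sbin/nologin lets daemon, backup and www-data pass the shell check, but only www-data becomes a new login candidate because it is the only one of them with a password set.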
 
Old 10-24-2012, 07:44 PM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,254

Rep: Reputation: 2328
I'd just like to clarify something.
SFTP is the Secure FTP option within the ssh pkg.
You can alternatively(!) use vsftpd+TLS.
They are however completely unrelated and you (probably) only need one or the other.
Does that help?
 
Old 10-25-2012, 01:50 AM   #3
jsaravana87
Member
 
Registered: Aug 2011
Location: Chennai,India
Distribution: Redhat,Centos,Ubuntu,Dedian
Posts: 558
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
1) Setting the password on a system account seems like a bad idea. I have SSH locked down via AllowUsers, but I don't know enough to be certain that this didn't open a hole internally. Is this generally a bad idea and is there an alternative approach?
As an alternative solution, you can also try vsftpd with virtual users, which lock the ftp user to login via ssh. Look at the link:

http://www.cyberciti.biz/tips/centos...ual-users.html
 
Old 10-25-2012, 03:26 PM   #4
Obscurious
LQ Newbie
 
Registered: Jun 2009
Distribution: Debian, RHEL, FreeBSD
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chrism01
I'd just like to clarify something.
SFTP is the Secure FTP option within the ssh pkg.
You can alternatively(!) use vsftpd+TLS.
They are however completely unrelated and you (probably) only need one or the other.
Does that help?
You are absolutely correct. I need FTP + TLS since wordpress only has FTP capabilities. Thanks.
 
Old 10-25-2012, 06:21 PM   #5
Obscurious
LQ Newbie
 
Registered: Jun 2009
Distribution: Debian, RHEL, FreeBSD
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by arun5002
As an alternative solution, you can also try vsftpd with virtual users, which lock the ftp user to login via ssh. Look at the link:

http://www.cyberciti.biz/tips/centos...ual-users.html
Wow, this is a really cool feature that I didn't know existed. Thank you!
 
  

