LinuxQuestions.org
Old 11-14-2003, 01:56 PM   #1
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Rep: Reputation: 30
Advice on user setup please


Thank you to all for your interest,

I'm setting up a website, and I'd like to allow users specific capabilities: Basic for most, Basic + Optional for some others. I would like information and advice as to how to go about setting up these accounts for maximum security on my Linux box.

Basic :
- FTP access (chrooted)
- Email access
- some of their files need to be fully accessible via apache without constant chmod'ing.
- No local login
- Quotas
- Quota reports
- No file handling or other such capabilities outside their home-dir

Optional/Additional
- SSH remote access
- SFTP (is it possible to chroot this?)
- Allowing of only commands/resources which affect solely their account


Thank you.
 
Old 11-15-2003, 04:53 PM   #2
TheOther1
Member
 
Registered: Feb 2003
Location: Atlanta, GA
Distribution: RHAS 2.1, RHEL3, RHEL4, SLES 8.3, SLES 9, SLES9_64, SuSE 9.3 Pro, Ubuntu, Gentoo
Posts: 335

Rep: Reputation: 32
For FTP, I use VSFTP

Email, either give them an account or not. Email security is complex and would require a LOT of explaining. Which email program are you planning on using?

some of their files need to be fully accessible via apache without constant chmod'ing: Some or all? If all, maybe you can set the folders up as watched folders that would chmod automatically.

No file handling or other such capabilities outside their home-dir: chroot them.

No local login: If they do not need to login via SSH or telnet, make the login shell /dev/null or /sbin/nologin. If they need remote logins, see Security-HOWTO

Quotas & reports: man quota

SSH is pretty simple. If they have an account and you have SSH installed and the daemon is running, you're all set.

SFTP chrooted?: Depends on the FTP daemon.
 
Old 11-15-2003, 05:40 PM   #3
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Original Poster
Rep: Reputation: 30
Ok, thanks a lot,

you misunderstood a bit. I already know how to set up the services... in fact they are already working. I just want to be very paranoid about these accounts and so set them up as best as possible.

I use VSFTP'd myself, but SFTP connections don't get chrooted, and from what I gather SFTP goes through SSH.

Thanks a lot
 
Old 11-15-2003, 06:48 PM   #4
TheOther1
Member
 
Registered: Feb 2003
Location: Atlanta, GA
Distribution: RHAS 2.1, RHEL3, RHEL4, SLES 8.3, SLES 9, SLES9_64, SuSE 9.3 Pro, Ubuntu, Gentoo
Posts: 335

Rep: Reputation: 32
OK, Gotcha! Email me and I will send you a document from IBM on Securing Linux for xSP's. I can't find it on their website anymore...

linuxDOTrocksATcomcastDOTnet

Replace DOT with . and AT with @
 
Old 11-15-2003, 06:56 PM   #5
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Original Poster
Rep: Reputation: 30
In fear of spammers etc., use this address to email me: pembo13@hotmail.com. I couldn't find your email address and my PC was crashing - I'm in Windows, that's why... my fault...

Thank you.

Right now I can't see what I'm typing, so forgive the spelling errors.
 
Old 11-17-2003, 10:44 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,564
Blog Entries: 54

Rep: Reputation: 2927
Properly harden your system first, then refine access control.


- FTP access (chrooted)
Like TheOther1 said: Vsftpd. Use with virtual user accounts. Read Vsftpd's examples. See Markus' site and LQ threads for basic setup.


- Email access
I'd say about anything with an "S" behind it, like POP3S.


- some of their files need to be fully accessible via apache without constant chmod'ing.
- No local login
- Quotas
- Quota reports
- No file handling or other such capabilities outside their home-dir
- SSH remote access
- SFTP (is it possible to chroot this?)
- Allowing of only commands/resources which affect solely their account

Local logins can be denied and OpenSSH can be used in a chroot. Check out the LQ FAQ: Security references, post #4, "Chroot, chrooting, jailing, comparimization", see Chrootssh, Scponly and Rssh. Chrooting requires you to have binaries in the chroot to work. Use Busybox to minimise diskspace requirements.


Email me and I will send you a document from IBM on Securing Linux for xSP's. I can't find it on their website anymore.
Please post doc details like title, URI, author, issue date.
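
The "No local login" and "nothing outside their home-dir" requirements discussed above can be checked mechanically. The following is an added example, not code from any poster in this thread: a shell/awk audit over passwd-format entries that flags hosting accounts with an interactive login shell or a home directory outside one base directory. `HOSTING_BASE`, `MIN_UID`, the accepted shell list and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format entries for the "Basic" account profile
# (no interactive login, home confined under one base directory).
# HOSTING_BASE, MIN_UID and NOLOGIN_SHELLS are assumed values, adjust per site.
HOSTING_BASE="/home/sites"
MIN_UID=1000
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /dev/null"

# Constructed sample input in /etc/passwd format (not real accounts).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Basic user:/home/sites/alice:/sbin/nologin
bob:x:1002:1002:Basic user:/home/sites/bob:/bin/bash
carol:x:1003:1003:Basic user:/home/sites/../carol:/sbin/nologin
dave:x:1004:1004:Basic user:/srv/dave:/bin/false
EOF
}

# audit_accounts: read passwd-format lines on stdin and print one
# "user:finding" line per problem. No output means every account passed.
audit_accounts() {
    awk -F: -v base="$HOSTING_BASE" -v min="$MIN_UID" -v ok="$NOLOGIN_SHELLS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) nologin[a[i]] = 1 }
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        $3 < min       { next }          # ignore system accounts
        {
            user = $1; home = $6; shell = $7
            # An empty shell field falls back to the system default shell,
            # so it is reported as interactive as well.
            if (!(shell in nologin))
                print user ":interactive-shell=" shell
            # Home must be below the base and must not contain ".." parts.
            if (index(home, base "/") != 1 || home ~ /(^|\/)\.\.(\/|$)/)
                print user ":home-outside-base=" home
        }'
}

# Stand-alone run against the constructed sample.
sample_passwd | audit_accounts
```

On a live system the same function can be fed from `getent passwd`; accounts that legitimately need SSH would be excluded from the shell check and reviewed separately.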
 
Old 11-17-2003, 12:56 PM   #7
pembo13
Member
 
Registered: May 2003
Location: Caribbean
Distribution: Fedora Core2
Posts: 403

Original Poster
Rep: Reputation: 30
Ok great. Thanks for the information.

I'll get surfing ASAP.

Merci
 
Old 11-18-2003, 09:29 PM   #9
TheOther1
Member
 
Registered: Feb 2003
Location: Atlanta, GA
Distribution: RHAS 2.1, RHEL3, RHEL4, SLES 8.3, SLES 9, SLES9_64, SuSE 9.3 Pro, Ubuntu, Gentoo
Posts: 335

Rep: Reputation: 32
UnSpawn,

Doc is "Securing Linux Servers for Service Providers" by Bill Hilf (billhilf@us.ibm.com) dated 12/21/01. The PDF I have is named Securing_Linux-Servers_xSP-exteernal.pdf but that doesn't mean it was always named that... Don't recall where I actually got it.
 