LinuxQuestions.org
Old 08-18-2003, 10:42 AM   #1
salami
LQ Newbie
 
Registered: Aug 2003
Location: Basel, Switzerland
Distribution: Debian & Mandrake
Posts: 4

Rep: Reputation: 0
security tips for providing shell access with debian 3.0 stable?


hi!

i'm running a linux server on debian 3.0. since lots of people seem to need shell access somewhere, i'd like to provide it to my friends.

since i'm more like a newbie concerning linux security, i have no idea what i have to change/disable in order to get "secure shells".

for example, i'd like to provide the user with "ping" but i want limited access for packet size, interval etc.

i hope i am not the first one with this problem and someone can point me to a nice tutorial on how to secure a debian box for shell access :-)

thanks a lot!
 
Old 08-18-2003, 11:16 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,665
Blog Entries: 54

Rep: Reputation: 2952
since i'm more like a newbie concerning linux security, i have no idea what i have to change/disable in order to get "secure shells".

Have a look at the "FAQ: Security references" sticky thread and these two threads about shell account servers: http://www.linuxquestions.org/questi...threadid=72862 http://www.linuxquestions.org/questi...threadid=65514 .

What you will be doing is allowing people access to your system, your resources. Even if you know them face to face, they could unwillingly unleash applications or attract situations that could harm the system's operability or connectivity. What you need is to lessen the risks of someone breaking or compromising the system.
What I would suggest is, in addition to the resources mentioned, to do like commercial servers, and group users by level of need. Restrict access to daemons/network, and allow specific restrictions to be lifted per group or even per user.

for example, i'd like to provide the user with "ping" but i want limited access for packet size, interval etc.
IMO a "more secure" scenario would go like this:
Unset the suid bit and make ping only accessible by root.
Code a frontend using the system's authentication (sudo, PAM db+ Perl, PHP, Tcl, whatever), drop the validated input to a script, add a temporary netfilter rule with limits, execute and clean up.

Also have a look at alternatives like hping2, nmap, lft, tcptraceroute. If you use precoded frontends make sure you test them well and disable any options you do not explicitly need.


I haven't seen something like a "shell account provider HOWTO", hope you read the "Securing Debian" one tho.
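
The restricted-ping scenario from the post above, sketched as a sudo-invoked shell wrapper. This is an added example, not code from the thread: the script name rping, its path, the group shellusers and the limits are all assumptions.

```shell
#!/bin/sh
# rping: restricted ping front end, run by users through sudo (added example).
# Assumed setup, not from the thread: ping is root-only without the suid bit
# (chmod 0700), this script is root-owned at /usr/local/sbin/rping, and a
# hypothetical group "shellusers" has the sudoers entry
#   %shellusers ALL = (root) NOPASSWD: /usr/local/sbin/rping
MAX_COUNT=5   # policy limits chosen for this example
MAX_SIZE=64

# Return 0 only if host, count and size satisfy the policy.
validate_request() {
    host=$1 count=$2 size=$3
    # Host: letters, digits, dot and hyphen only, and never a leading "-",
    # so it cannot be parsed as a ping or iptables option.
    case $host in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # Count and size: one to five decimal digits, nothing else.
    for n in "$count" "$size"; do
        case $n in
            ''|*[!0-9]*|??????*) return 1 ;;
        esac
    done
    [ "$count" -ge 1 ] && [ "$count" -le "$MAX_COUNT" ] || return 1
    [ "$size" -le "$MAX_SIZE" ] || return 1
    return 0
}

# Insert (-I) or delete (-D) the temporary netfilter rules for one host:
# echo requests pass at 1 per second, anything above that is dropped.
limit_rules() {
    iptables "$1" OUTPUT -p icmp --icmp-type echo-request -d "$2" -j DROP
    iptables "$1" OUTPUT -p icmp --icmp-type echo-request -d "$2" \
        -m limit --limit 1/second --limit-burst 1 -j ACCEPT
}

run_ping() {
    validate_request "$1" "$2" "$3" || { echo "rping: refused" >&2; return 2; }
    limit_rules -I "$host"
    trap 'limit_rules -D "$host"' EXIT   # clean up however the script ends
    trap 'exit 130' INT TERM
    # Interval and deadline are fixed here; the user never controls them.
    ping -c "$count" -s "$size" -i 1 -w 10 "$host"
}

# Usage: sudo rping HOST COUNT SIZE (does nothing when called without arguments)
if [ "$#" -gt 0 ]; then
    run_ping "${1:-}" "${2:-}" "${3:-}"
fi
```

Because sudo passes the arguments as separate words and every expansion is quoted, the validation only has to decide what a legitimate host, count and size look like.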
 
Old 08-18-2003, 11:39 AM   #3
salami
LQ Newbie
 
Registered: Aug 2003
Location: Basel, Switzerland
Distribution: Debian & Mandrake
Posts: 4

Original Poster
Rep: Reputation: 0
thanks!

i guess your post will provide me with more than enough security infos :-)

(i just hope i get some time to read everything...)
 
  

