Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
If he has a unique account or is a member of a specific group, then you can use nftables to filter outgoing packets according to the UID or GID of the originating socket. See 'man nft' and https://wiki.nftables.org/. That can limit outgoing connections to specific addresses. Don't forget about allowing DNS and ICMP while tightening things down.
However, in general that is more of a staffing problem than a technical problem. If he cannot be trusted, then he should not be in the network. Or is there something more complex there?
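Added example (my own, not code from the thread): a script that renders and loads an nftables ruleset of the kind described in the post above, matching packets by the UID of the originating socket so that only the "wordpress" login user's egress is restricted. The account name, the allowed addresses (203.0.113.x) and the resolver (192.0.2.53) are placeholders; DNS is pinned to the resolver rather than to any host on port 53, since "any port 53" is a classic exfiltration hole.

```shell
#!/bin/sh
# Added example, not from the original post. Renders an nftables ruleset that
# restricts outbound traffic of one local account (matched with "meta skuid")
# while leaving every other process on the host untouched. All names and
# addresses below are assumptions for illustration.

# render_ruleset USER ALLOWED_V4_LIST RESOLVER_V4
#   USER             local account whose sockets are filtered (meta skuid)
#   ALLOWED_V4_LIST  comma-separated IPv4 addresses the user may still reach
#   RESOLVER_V4      the one DNS resolver the user is allowed to query
render_ruleset() {
    user="$1"; allowed="$2"; resolver="$3"
    cat <<EOF
# Declare-then-delete makes reloading idempotent: the first line guarantees the
# table exists so the delete cannot fail on a fresh host.
table inet wordpress_egress
delete table inet wordpress_egress
table inet wordpress_egress {
    set allowed_v4 {
        type ipv4_addr
        elements = { ${allowed} }
    }
    chain output {
        type filter hook output priority filter; policy accept;
        # Only sockets owned by ${user} are sent to the restrictive chain;
        # every other local process keeps its normal egress.
        meta skuid "${user}" jump user_egress
    }
    chain user_egress {
        oif "lo" accept                                # local web stack, DB over 127.0.0.1
        ct state established,related accept           # replies on flows already allowed
        ip daddr ${resolver} udp dport 53 accept       # DNS, to the resolver only
        ip daddr ${resolver} tcp dport 53 accept
        meta l4proto { icmp, icmpv6 } accept           # ping and path-MTU discovery
        ip daddr @allowed_v4 accept                    # hosts the contractor may reach
        counter log prefix "wordpress-egress-reject " reject
    }
}
EOF
}

# apply_ruleset USER ALLOWED_V4_LIST RESOLVER_V4
# Loads the rendered ruleset with nft. Needs root and the nft binary.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        echo "apply_ruleset: needs root and the nft binary" >&2
        return 1
    fi
    render_ruleset "$@" | nft -f -
}

# Typical use on the server (as root):
#   apply_ruleset wordpress "203.0.113.10, 203.0.113.11" 192.0.2.53
#   nft list table inet wordpress_egress
#   sudo -u wordpress curl -m 5 http://198.51.100.1/   # expected to fail
```

Two caveats before relying on this: "meta skuid" only sees locally generated packets (the output hook), so it says nothing about traffic the contractor could relay through another host he can already reach; and if php-fpm or the web server also runs as the same UID, WordPress's own outbound fetches (updates, plugins, API calls) are blocked by the same rules, so check which account the web stack actually runs under. Rejected attempts show up in the kernel log with the "wordpress-egress-reject" prefix, which is a useful audit trail of what the user tried to reach.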
If he can log in as root, he can do anything without any restriction (on that host).
Probably you need a regular user account instead with special sudo rights.
@Turbocapitalist.
He cannot be trusted simply because he is external technical support for our website, and when he works on the server with his specific user (wordpress) we don't sit beside him.
So all servers on the same segment are accessible.
@pan64
He doesn't have the root credentials.
He just has to work on the server, and the wordpress user doesn't have any need to go on the network.
Is it necessary for the user to have direct access to the server? Once Wordpress is setup the rest is usually managed through the admin panel via web browser / web interface. You should also be able to setup users and fine grain their access rights from the same panel.
A user should never be allowed to login as root via ssh. In fact, on most systems that is disabled by default.
The user should have his own account and only be able to login locally or ssh into that.
Then the sudoers file should be carefully configured to allow that specific user to do only those admin tasks you want him to do. It can be done with careful planning.
The sudo log then will log each command he runs and you will have the audit trail needed.
Additionally his .bash_history file will log what commands are run by his user and the default count there is, I think, 1000 entries, although that can be changed.
It is obvious that for his task there must be some level of trust, but the least possible access is the best for security purposes. Giving him root access via ssh is potentially an enormous security breach.
Is it necessary for the user to have direct access to the server? Once Wordpress is setup the rest is usually managed through the admin panel via web browser / web interface. You should also be able to setup users and fine grain their access rights from the same panel.
I agree. WP should be administered using the Wordpress admin panel. Disable that user’s ability to access the system any other way.