LinuxQuestions.org
Old 03-23-2003, 11:33 PM   #1
Silly22
LQ Newbie
 
Registered: Mar 2002
Location: Edmonton, AB
Distribution: Mandrake 10.2, Ubuntu 6.10
Posts: 26

Need tips on Apache and ProFTPd


Hi guys,

I'm still a newbie and don't know what the generally accepted practices are for achieving the following goal while keeping security in mind:

1. I want to run a web server where my friends can use my Linux box to host their web sites.

I'm planning on using virtual hosts in Apache to direct requests to different user directories in /home.
i.e. www.blah.com --> /home/blah.
www.foobar.com --> /home/foobar

I'd like it to be secure so that users don't have access to another user's directory or my root directories like /etc or /var, etc.

Preferably, I'd like some users to have shell access and all users to have FTP access to their directories (for now please pretend that the FTP protocol is secure; I will be switching to SFTP or SCP). I was looking at using chroot to keep users in their directories, but I've read that it's trivial to bust out. Then I read about chroot jails (from the Jail Chroot Project), which are better, but take a lot of work to configure and to make sure they are secure.

Then I thought maybe I'll make it so that no users will have shell access, just FTP access so they can administer their web sites. I would then use the directive DefaultRoot in ProFTPd to chroot the user into their home directory. I think this would be a safe option, but of course the user loses functionality because of no shell access.

Any other ideas? What's the best solution?
 
Old 03-28-2003, 12:50 PM   #2
bahamat
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 158

Ok, first of all let me just state that your ISP probably won't like you registering a domain on their IP addresses (unless you are your ISP, or have a very friendly one), so we'll leave the discussion of domain registration, BIND and Apache virtual hosts alone.

User security:
For users that you don't want to give shell access to, set their shell to /bin/false in /etc/passwd.

In /etc/proftpd.conf you'll have to set RequireValidShell to Off.

Add all users to a single group, users is a good choice, and restrict default perms by turning off USERGROUPS and setting DIR_MODE=0700 in /etc/adduser.conf.

In /etc/proftpd.conf set DefaultRoot ~ users
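
A check for the settings listed in the reply above, as an added example that is not part of the original thread: it reads copies of proftpd.conf, adduser.conf and passwd and reports each value that differs from that advice. The function names and sample files are constructed for illustration; it assumes a flat proftpd.conf (no per-VirtualHost overrides) and that `USERGROUPS=no` is how adduser.conf expresses "off".

```shell
#!/bin/sh
# Added example: audit the settings recommended in the reply above.
# All file paths are arguments, so it can be run against copies.

# Print the value of the last uncommented occurrence of a ProFTPD directive.
proftpd_value() {  # $1 = proftpd.conf, $2 = directive name (case-insensitive)
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# Print the value of a KEY=value line from adduser.conf, quotes stripped.
adduser_value() {  # $1 = adduser.conf, $2 = key
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1" | tr -d "\"' \t"
}

# Print one FAIL line per deviation; return non-zero if there is any.
audit() {  # $1 = proftpd.conf, $2 = adduser.conf, $3 = passwd, $4.. = FTP-only users
    pconf=$1 aconf=$2 passwd=$3; shift 3; bad=0
    check() { [ "$2" = "$3" ] || { echo "FAIL $1: got '$2', want '$3'"; bad=1; }; }
    check RequireValidShell \
        "$(proftpd_value "$pconf" RequireValidShell | tr 'A-Z' 'a-z')" off
    check DefaultRoot "$(proftpd_value "$pconf" DefaultRoot)" "~ users"
    check USERGROUPS "$(adduser_value "$aconf" USERGROUPS)" no
    check DIR_MODE "$(adduser_value "$aconf" DIR_MODE)" 0700
    for u in "$@"; do   # accounts that should have no login shell
        check "shell of $u" \
            "$(awk -F: -v u="$u" '$1 == u { print $7 }' "$passwd")" /bin/false
    done
    return $bad
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
printf '%s\n' 'ServerName "demo"' '# RequireValidShell on' \
    'RequireValidShell Off' 'DefaultRoot ~ users' > "$demo/proftpd.conf"
printf '%s\n' 'USERGROUPS=yes' 'DIR_MODE=0755' > "$demo/adduser.conf"
printf '%s\n' 'blah:x:1001:100::/home/blah:/bin/false' \
    'foobar:x:1002:100::/home/foobar:/bin/bash' > "$demo/passwd"

audit "$demo/proftpd.conf" "$demo/adduser.conf" "$demo/passwd" blah foobar ||
    echo "deviations found"
```

With DIR_MODE=0700 the Apache worker account cannot read files under a user's home either, unless it is granted access separately, so check that the virtual hosts can still serve their content after tightening the mode.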
 
  

