How to harden a VPN?
October 11, 2010 4:42 PM

Tips for hardening a VPN running Ubuntu 10.04 LTS? Config tips to make things efficient?

It's running apache2, mysql, and php5.

It's a Linode VPN with 512 MB RAM, running the 32-bit version of Ubuntu. SSH is set up.

Exim has been installed for e-mail, configured to send mail only (I won't be using the server to receive e-mail). Suhosin has been installed.

What needs to be done? Assume near-default config values for these things.

Are there any step-by-step guides for locking down a user, so that they can SSH in and only be able to view their home directory?

Which of these PHP accelerators should I install (and how should it be configured)?
posted by jsturgill to Computers & Internet (8 answers total) 2 users marked this as a favorite
 
It sounds like you're talking about a VPS (virtual private server), not a VPN.

Are there any step-by-step guides for locking down a user, so that they can SSH in and only be able to view their home directory?

Are you sure that's what you want? I mean, presumably the users need to be able to run binaries in /bin and /usr/bin and load libraries from the equivalent lib directories, etc., right? Who are these users and what constitutes legitimate use for them?

In general I'd disable root login in your sshd_config. If it's feasible with your users, disable all password logins and only allow SSH key authentication.
posted by enn at 4:51 PM on October 11, 2010
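
Added example, not part of enn's answer: a shell check that reports whether an sshd_config really disables root and password logins, following sshd's first-value-wins parsing. The sample config and function names are constructed for illustration, and the ChallengeResponseAuthentication check is an assumption that goes beyond the answer.

```shell
#!/bin/sh
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and global settings end at the first Match line.

# effective_value KEYWORD FILE -> first global value, or "unset"
effective_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key); val = "unset" }
        /^[ \t]*#/ { next }                       # comment line
        tolower($1) == "match" { exit }           # end of global section
        tolower($1) == key { val = tolower($2); exit }
        END { print val }
    ' "$2"
}

# audit_sshd FILE -> prints one finding per line, returns 1 if any
audit_sshd() {
    rc=0
    # The third keyword is an addition to the advice: if left on, PAM can
    # still prompt for a password through keyboard-interactive auth.
    for want in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no; do
        key=${want%%=*}; good=${want#*=}
        got=$(effective_value "$key" "$1")
        if [ "$got" != "$good" ]; then
            echo "$key is '$got', want '$good'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not from the thread)
sample_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
Match User deploy
    PasswordAuthentication no
EOF
}

# Stand-alone run: audit $1 if given, otherwise the constructed sample.
cfg=${1:-$(mktemp)}
[ $# -gt 0 ] || sample_config > "$cfg"
audit_sshd "$cfg" || true
[ $# -gt 0 ] || rm -f "$cfg"
```

A keyword left unset is reported as a finding, because the result then depends on the installed OpenSSH version's defaults.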


Response by poster: It sounds like you're talking about a VPS (virtual private server), not a VPN.

Whoops. Er, yeah. That.

Are you sure that's what you want? I mean, presumably the users need to be able to run binaries in /bin and /usr/bin and load libraries from the equivalent lib directories, etc., right? Who are these users and what constitutes legitimate use for them?

Just friends with websites on the server. I'd like to restrict them from seeing anything below their home directory when they telnet in or use SFTP. Their files/sites would be in a subdirectory of their home directory.

In my head, I envision them running anything from the command line they would otherwise be able to run, they just can't navigate below their home directory. Is that a thing that can be made to happen?
posted by jsturgill at 5:00 PM on October 11, 2010


In my head, I envision them running anything from the command line they would otherwise be able to run, they just can't navigate below their home directory. Is that a thing that can be made to happen?

Far from an expert on this, but every web server I've ever been on has let me navigate and view files below my home directory. I haven't been able to look in other home directories. I can't change anything outside my home directory. But I can view / execute, and that's a necessary function of the system. What are you worried they would be seeing? Sounds like security-through-obscurity to me.
posted by Jimbob at 5:27 PM on October 11, 2010


You're looking to chroot your users. Note that this is not proof against a sophisticated attacker.

I haven't tried these instructions, so I can vouch for them. It came up when I googled for "chroot user ubuntu".

http://www.howtoforge.com/chroot_ssh_sftp_debian_etch
posted by chengjih at 5:27 PM on October 11, 2010


I think not giving users read permissions to system directories like /usr, /lib, /bin, and /etc is going to break a ton of stuff on any Linux-based system. However, by default users won't be able to change anything outside their home directories — that access will be read-only.

You probably do want to make sure the permissions for new users' home directories are such that other users can't see anything within them. I think that in Ubuntu home directories are world-readable by default which is definitely not what you want. See here for how to change this default and how to modify these permissions for already-existing user directories (scroll down to "User Profile Security").

And, of course, if you have specific things you want to make sure are not readable by everybody (like MySQL's disk store) you can modify the permissions for those parts of the filesystem.
posted by enn at 5:28 PM on October 11, 2010
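
Added example, not part of the answer above: a shell audit that lists home directories other users can list or enter, tightens them, and reads the DIR_MODE that adduser applies to new homes (set in /etc/adduser.conf on Ubuntu). The function names are hypothetical and the demo tree is constructed.

```shell
#!/bin/sh
# open_homes BASE -> home directories under BASE that "other" can list or enter
open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -001 \) | sort
}

# lock_homes BASE [MODE] -> chmod every flagged directory (default 0750)
lock_homes() {
    open_homes "$1" | while IFS= read -r dir; do
        chmod "${2:-0750}" "$dir" && echo "chmod ${2:-0750} $dir"
    done
}

# new_home_mode FILE -> the DIR_MODE adduser gives newly created homes
new_home_mode() {
    sed -n 's/^[[:space:]]*DIR_MODE=\([0-7]*\).*/\1/p' "$1" | tail -n 1
}

# Demo on a constructed tree; on a real host use /home and /etc/adduser.conf.
demo() {
    base=$(mktemp -d)
    mkdir -m 0755 "$base/alice"
    mkdir -m 0700 "$base/bob"
    printf 'DIR_MODE=0755\n' > "$base/adduser.conf"
    echo "new homes get mode $(new_home_mode "$base/adduser.conf")"
    lock_homes "$base"
    rm -rf "$base"
}
demo
```

With 0750, Apache (www-data on Ubuntu) can serve sites from under a home directory only if it belongs to that directory's group.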


If you really want to lock down your users and only allow them access to a particular directory via SFTP, and not allow interactive login via SSH, you can use SFTP jail.
posted by zsazsa at 5:42 PM on October 11, 2010
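
Added example, not taken from the linked pages or from any jail package: an SFTP-only jail built on OpenSSH's own ChrootDirectory and internal-sftp (OpenSSH 4.9 and later), plus the ownership check sshd applies to the chroot path. The group sftponly, the user alice and the function names are placeholders.

```shell
#!/bin/sh
# jail_stanza GROUP -> lines to append at the END of /etc/ssh/sshd_config
# (a Match block runs to the next Match or end of file).
jail_stanza() {
    cat <<EOF
Match Group $1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# check_components reads "UID MODE PATH" lines. sshd refuses the chroot unless
# every component is owned by root and not writable by group or others.
check_components() {
    bad=0
    while read -r uid mode path; do
        if [ "$uid" -ne 0 ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "unsafe: $path (uid=$uid mode=$mode)"
            bad=1
        fi
    done
    return $bad
}

# chroot_path_ok DIR -> checks DIR and each parent up to / (absolute paths only)
chroot_path_ok() {
    case $1 in /*) p=$1 ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    while :; do
        stat -c '%u %a %n' "$p"
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done | check_components
}

# Setup as root (sftponly and alice are placeholders):
#   groupadd sftponly && usermod -a -G sftponly alice
#   chown root:root /home/alice && chmod 755 /home/alice
#   mkdir -p /home/alice/sites && chown alice /home/alice/sites
#   jail_stanza sftponly >> /etc/ssh/sshd_config && sshd -t && service ssh reload
if [ $# -gt 0 ]; then chroot_path_ok "$1"; fi
```

Because the jailed home must be root-owned, users upload into a subdirectory they own, such as the sites directory above.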


Response by poster: You're looking to chroot your users.

Thanks for the term. That helps.

I think that in Ubuntu home directories are world-readable by default which is definitely not what you want.

Also good to know.

Any experience with php accelerators?
posted by jsturgill at 6:38 PM on October 11, 2010


Also, firewall everything off, then allow incoming ssh/http/https. You don't want an accidental config change to expose your mail server to the world, and you don't want users starting their own publicly-available services, accidentally or otherwise.
posted by jrockway at 1:48 AM on October 12, 2010
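
Added example, not part of the answer above: default-deny ufw rules for SSH, HTTP and HTTPS, and a check that reads `netstat -tln` output to list services listening beyond loopback on any other port, which is what only the firewall is keeping private. The netstat sample is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# apply_firewall: default-deny inbound, then open SSH, HTTP and HTTPS.
# Run as root; port 22 is allowed before the firewall is switched on.
apply_firewall() {
    ufw default deny incoming
    for port in 22 80 443; do ufw allow "$port/tcp"; done
    ufw enable
}

# exposed_listeners "PORT PORT ..." reads `netstat -tln` output on stdin and
# prints "ADDRESS PORT" for each non-loopback listener outside the allowlist.
exposed_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 != "LISTEN" { next }                  # headers, non-listening rows
        {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            if (!(port in ok)) print addr, port
        }'
}

# Constructed sample of `netstat -tln` output (not from the thread)
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
EOF
}

# On a live host: netstat -tln | exposed_listeners "22 80 443"
sample_netstat | exposed_listeners "22 80 443"
```

In the sample, the mail listener on port 25 and a user-started service on 8080 are reported, while MySQL bound to 127.0.0.1 is not.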

