[Chugalug] Running multi sites on one(non virt) machine
chevyiinova at bellsouth.net
Mon Mar 17 14:21:53 UTC 2014
Give each sftp user their own chroot folder.
From: David White <dwrudy at gmail.com>
To: Chattanooga Unix Gnu Android Linux Users Group <chugalug at chugalug.org>
Sent: Monday, March 17, 2014 9:55 AM
Subject: Re: [Chugalug] Running multi sites on one(non virt) machine
I'm digging up an old thread. Originally, I searched my Chugalug archives for OSSEC, but this email thread (ironically) brings up the real reason I was searching for OSSEC - figuring out a better way to secure my shared webserver infrastructure.
Because right now, the single shared server I operate is anything but secure other than a few scripts monitoring for file hash changes and having password auth turned off, only relying on key-based auth, and blocking IP addresses that repeatedly try to brute force the machine (I also manage dedicated servers which is obviously much more preferable, security-wise).
I really need a way to separate permissions and visibility from 1 user's directory to another's (user X shouldn't be able to see user Y's stuff when they log in via sFTP). Even though I have my users' stuff separated in different directories, any user, if they wanted to and knew how, could navigate up the directory tree and then over into another user's folder.
Permissions are set so that they can't actually edit the files, but reading the files is bad enough... This has always been in the back of my mind as an issue I need to deal with - and I hate cPanel, and refuse to use it.
I'll take a look at the Webmin idea, as well as Apache vhosts... I think I remember looking into that a year or two ago, and not getting anywhere with it. I'll try another attempt.
On Mon, Jun 24, 2013 at 10:50 AM, Matt Keys <mk6032 at yahoo.com> wrote:
Thanks for the tip on etckeeper! Tripwire / OSSEC hash files and tell you if the hash has changed but they don't give you the actual change. This should work much better!
>On 06/23/2013 02:52 PM, Jason Brown wrote:
>I like the way virtualmin (A webmin addon) handles this, even if I don't always use the software. You can use it for configuration, then shut it down when not needed if its overhead is in the way.
>>In short, each website / apache virtual host gets its own user, unless it is a sub-server under an existing user. It's a good data segmentation model.
>>For web site setup operations it is also a useful learning tool: change an option and see what it did in the configuration file(s). etckeeper + git is your friend here.
>Chugalug mailing list
>Chugalug at chugalug.org
Founder & CEO
Computing, Equipping, Networking, Training & Supporting
Nonprofit Organizations Worldwide
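An added example, not part of the original thread: a per-user SFTP chroot only works if the jail path meets sshd's ownership rule, so this check walks the path and reports every component that breaks it. The group name `sftponly`, the path `/srv/sftp/%u` and the function name are assumptions made for illustration.

```python
import os
import stat
import sys

# Assumed sshd_config fragment (group name and path are hypothetical):
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
# sshd_config(5): every component of the ChrootDirectory pathname must be a
# root-owned directory that is not writable by any other user or group.

def chroot_path_problems(chroot_dir, owner_uid=0, top="/"):
    """Return (path, reason) pairs for each component that breaks the rule.

    `top` limits how far up the walk goes; sshd itself checks up to "/".
    """
    target = os.path.abspath(chroot_dir)
    top = os.path.abspath(top)
    if os.path.commonpath([top, target]) != top:
        raise ValueError(f"{target} is not under {top}")
    problems = []
    path = target
    while True:
        st = os.stat(path)  # follows symlinks, like stat(2)
        if not stat.S_ISDIR(st.st_mode):
            problems.append((path, "not a directory"))
        if st.st_uid != owner_uid:
            problems.append((path, f"owned by uid {st.st_uid}, expected {owner_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append((path, f"writable by group or others (mode {mode:04o})"))
        if path == top:
            break
        path = os.path.dirname(path)
    return problems

if __name__ == "__main__":
    # Usage: python3 check_chroot.py /srv/sftp/alice
    found = chroot_path_problems(sys.argv[1])
    for path, reason in found:
        print(f"{path}: {reason}")
    sys.exit(1 if found else 0)
```

Because the chroot directory itself cannot be writable by the user, uploads go into a user-owned subdirectory inside it.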