Security for "Free Home Page" Linux Web Service
Anonymous Coward writes "I have a couple of Web servers (running RedHat 5.0) which I'm using to offer free Web hosting on, and I've been giving the users standard accounts, the only exception being that their HOME directory is also set to their HTML directory. This means that telnet is active, as well as ftp, which I didn't consider a problem (that's how I learned, after all), but I was wrong.
One of these boxes was hacked, by someone telnetting in and installing a sniffer. We've had to take the box down and scrub it clean, and before I bring it back online, I'd like to know the best way to give users relatively unfettered access to their own files via ftp, while disabling their ability to do anything else, on a box running any brand of Linux." I know we've touched on this aspect of security before in several Slashdot forums, but this question has been asked (and will be asked again) many times. I figure it may as well have its own forum for discussion.
You can set up Lynx as the user shell.
There are a lot of features of Lynx that make this a great idea. Users can upload/manage/edit files, and it can be set up to only run programs that are specifically set in Lynx. You can also disable the access to a shell in it (the keystroke is '!', I think).
Check out the well documented system-wide lynx.cfg file. You can use TRUSTED_EXEC to limit what local commands may be run and TRUSTED_LYNXCGI to limit what local CGIs the users can run. Set SYSTEM_EDITOR to force the user to only use the editor it specifies. Uploader definitions allow uploading using rzsz or kermit, though ftp appears to be safe enough (as long as you make sure the version of the daemon you're running has no known holes). KEYMAP allows you to disable certain commands (shell, and possibly goto). The DIRED_MENU definitions allow you to set what users can do in their directories (copy, move, edit, compress, etc). Yes, you can tag multiple items for file operations.
I've seen systems with this setup and they work really well. Newbie users who are scared of CLIs will find it nice as well.
For extra-extra security, try removing the all-execute bit for all of your regular shells and set it so that only a trusted group may execute them, just to make it *that* much harder to screw with the system.
Making a secure multi-user Unix box is difficult with any Unix. It requires a good clean start, preferably professionally audited, with as few services running as possible, as few setuid programs as possible, and restrictions on the access and activities of users that are as draconian as possible. Then add robust monitoring of critical system files and user activities, be constantly vigilant to spot any abnormalities, and apply security patches when vulnerabilities are discovered.
This is a job for a professional, and since you are asking for help in this forum, you would be wise to pay for some professional assistance. If you do not wish to do this, at least follow these steps:
First of all read the Linux Security HOWTO.
Start with a minimal install of a Linux you are comfortable with. RedHat is probably ok if you use the latest version and keep up with patches. I'd consider using OpenBSD for this kind of server since it's more secure by default, but it's not better if you don't know how to administer it properly. The only visible services you should need are ftp, apache, and sshd. That means no sendmail, nfs, linuxconf, talk etc. Edit /etc/inetd.conf and comment out every line except the in.ftpd line. Edit your rc scripts and disable all nonessential services. Check yourself with nmap. Don't install X or gnome/kde since they tend to have security problems. If you must have X (or even if you don't), make sure that you don't have any setuid programs on the system. You can find them with
find . -type f -perm ++s -print
In fact, you can gain a little peace of mind by running the command
chmod -R o-rwx *
which will remove normal user read, write, and execute permissions from every file and directory.
Then reinstall the ftp daemon because otherwise people won't be able to list their files etc. Other things may break. Add things back as needed. For instance, if you allow CGI scripting, you would need to give execute permissions on /usr/bin/perl.
If you use wu-ftpd (default with RedHat) then add '/./' (that's slash dot slash) to the end of their home directory path in /etc/passwd. This will lock their ftp sessions in a chrooted jail.
Secure apache with appropriate configuration. I don't recommend allowing CGI scripts, but if you do, at least use cgiwrap.
Now that you have everything set up, freeze everything except /var. This could mean, minimally, using tripwire or something of that nature to monitor file changes, but it is a very good idea to use a read-only (hardware read-only is the best) file system.
Log the heck out of user activity, preferably onto a box that is not connected to the internet. Read Bugtraq religiously and follow your distribution's security lists.
And finally, get help, really. Paying somebody upfront, even if it is only to review your actions and policies, is a very good idea.
--
"L'IT c'est moi!"
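The hardening steps in the post above (trimming inetd.conf to the ftp daemon, adding '/./' to a home directory so wu-ftpd chroots the session, and hunting for setuid programs), as an added example that is not the poster's own code. It works only on constructed copies of inetd.conf, passwd and a small bin/ tree in a scratch directory, never on the live /etc, so it can be run as a dry run before touching a real box; the file contents and the setuid "ping" are made up for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the thread: dry-run versions of three of the
# hardening steps (trim inetd.conf to ftp only, append /./ to a home
# directory for the wu-ftpd chroot, list setuid/setgid files), applied to
# constructed copies in a scratch directory rather than the live system.
set -eu

# Build constructed sample files under $1: a RedHat-5-style inetd.conf,
# a passwd file with two hosted users, and a bin/ tree with one setuid file.
make_fixture() {
    d="$1"
    mkdir -p "$d/bin"
    cat >"$d/inetd.conf" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    cat >"$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob/./:/bin/bash
EOF
    : >"$d/bin/ping"; chmod 4755 "$d/bin/ping"   # setuid: should be reported
    : >"$d/bin/cat";  chmod 755  "$d/bin/cat"    # ordinary: should not
}

# Comment out every active inetd.conf line that is not the in.ftpd line.
# Prints the number of services still enabled afterwards.
disable_inetd_except_ftp() {
    f="$1"
    awk '/^[ \t]*(#|$)/ { print; next }      # keep comments and blank lines
         /in\.ftpd/     { print; next }      # keep the ftp daemon
         { print "#" $0 }' "$f" >"$f.new"    # disable everything else
    mv "$f.new" "$f"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" | wc -l | tr -d ' '
}

# Append /./ to a user's home field so wu-ftpd chroots the session there;
# a home that already ends in /./ is left alone. Prints the resulting field.
chroot_ftp_home() {
    f="$1"; u="$2"
    awk -F: -v u="$u" 'BEGIN { OFS = ":" }
         $1 == u && $6 !~ /\/\.\/$/ { $6 = $6 "/./" }
         { print }' "$f" >"$f.new"
    mv "$f.new" "$f"
    awk -F: -v u="$u" '$1 == u { print $6 }' "$f"
}

# List setuid or setgid regular files under a directory (the post's
# "find . -type f -perm ++s -print", spelled portably).
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Stand-alone demonstration on a fresh scratch directory.
WORK=$(mktemp -d)
make_fixture "$WORK"
echo "inetd services still enabled: $(disable_inetd_except_ftp "$WORK/inetd.conf")"
echo "alice ftp home: $(chroot_ftp_home "$WORK/passwd" alice)"
echo "setuid/setgid files under $WORK/bin:"
find_setuid "$WORK/bin"
rm -rf "$WORK"
```

Each function edits the file it is given in place, so pointing it at the real /etc/inetd.conf or /etc/passwd would change the live system; run it against a copy first, diff the result, and only then apply the change by hand. The setuid search is the one to repeat after every package install, since a new setuid binary is exactly the kind of change a hardened box should not acquire silently.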