Lojic Technologies

Posts Tagged ‘sysadmin’

How to Allow File Uploading Securely on Ubuntu Linux


It’s foolish to use an absolute term such as “securely” in the context of computer security; a better title would have used the qualifier “more”. If you happen to be a security expert, please be so kind as to leave a comment with any tips, admonishments, etc.

The Task

I need to allow users to upload files to a web server via an SFTP client, period. I don’t want them to be able to do anything else, and I don’t want them to be able to see any files other than their own.

Configure SSH

SSH configuration is located in the /etc/ssh/sshd_config file.

I prefer to disallow the root user from logging in remotely via ssh, so change yes to no for PermitRootLogin:

PermitRootLogin no

I prefer to disallow using passwords when logging in remotely, so I require the use of public keys. Change yes to no for PasswordAuthentication. Before you activate the following line, make sure you’ve set up your SSH keys properly or you may lock yourself out of your server. The short answer is to generate a public/private key pair on your local machine and place the public key (typically id_rsa.pub) in the ~/.ssh/authorized_keys file on the server, then test it by logging in via ssh – you should not be prompted for a password if it worked:

PasswordAuthentication no

To allow access for these special sftp users, I change the Subsystem sftp line to be:

Subsystem sftp internal-sftp

and add the following at the very end of the config file:

Match Group sftp
        ChrootDirectory /home/%u
        PasswordAuthentication yes
        X11Forwarding no
        ForceCommand internal-sftp

The Match statement sets up a chroot jail for any user in the sftp group, so that the user only has access to their home directory. It also overrides the global rule that disallows password login, so the sftp users may log in with the traditional username/password. Finally, it forces them to use the sftp command instead of allowing normal shell access.

To activate these changes, restart the ssh daemon:

sudo /etc/init.d/ssh restart

Add Users

When adding users, we need to ensure they’re in the sftp group so that the Match statement in sshd_config will actually match. Alternatively, you could match on some other criteria such as username. First create the sftp group:

sudo groupadd sftp

Then add a user with that group and no shell specified:

sudo adduser --shell /bin/false --ingroup sftp brian
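One caveat that bites this setup in practice: OpenSSH will only chroot a user if the ChrootDirectory (here /home/%u) is owned by root and is not writable by group or others; otherwise the login is rejected and sshd logs “bad ownership or modes for chroot directory”. The following script is an added example, not part of the original post, that checks that rule and lays out a home directory for one sftp user; the user-owned “upload” subdirectory name is an assumption.

```sh
#!/bin/sh
# Added example (not from the original post). OpenSSH refuses to chroot into a
# directory unless it is root-owned and not group/world writable. Since the
# user then cannot write to the chroot root itself, uploads go into a
# subdirectory the user owns; "upload" is an assumed name, not from the post.

# Pure check on an owner name and an ls-style permission string, so the rule
# can be exercised without root. Returns 0 when sshd would accept the directory.
chroot_mode_ok() {
    owner=$1; perms=$2
    [ "$owner" = root ] || return 1
    # characters 6 and 9 of "drwxr-xr-x" are the group and other write bits
    [ "$(printf '%s' "$perms" | cut -c6)" != w ] || return 1
    [ "$(printf '%s' "$perms" | cut -c9)" != w ] || return 1
    return 0
}

# Read owner and mode of a real directory from ls -ld and apply the rule.
check_chroot_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # word-split "drwxr-xr-x 2 root root ..." so $1 = perms and $3 = owner
    set -- $(ls -ld "$dir")
    if chroot_mode_ok "$3" "$1"; then
        return 0
    fi
    echo "$dir: owner $3 mode $1; sshd needs root ownership and no g/o write" >&2
    return 1
}

# Lay out the home of one sftp user: root-owned chroot, user-owned upload dir.
# Usage (as root): setup_sftp_home brian
setup_sftp_home() {
    user=$1; home=/home/$user
    chown root:root "$home" && chmod 755 "$home" || return 1
    mkdir -p "$home/upload" || return 1
    chown "$user:sftp" "$home/upload" && chmod 750 "$home/upload" || return 1
    check_chroot_dir "$home"
}
```

After sshd is configured, `sshd -t` validates the file and check_chroot_dir /home/brian confirms the directory will pass sshd's ownership check before the user tries to log in.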

Conclusion

That should take care of everything. Test the new user by attempting to log in via ssh:

ssh brian@10.0.0.1
brian@10.0.0.1's password:
This service allows sftp connections only.
Connection to 10.0.0.1 closed.

That should fail as shown above. Also test whether you can view any directories outside of the user’s home directory:

sftp brian@10.0.0.1
sftp> ls /etc
Couldn't stat remote file: No such file or directory
Can't ls: "/etc" not found
sftp>

Some additional tools to enhance security:

  • shorewall firewall
  • fail2ban (locks IP addresses out for a period of time after N failed attempts)
  • rkhunter (checks for rootkits)
  • chkrootkit (checks for rootkits)

Written by Brian Adkins

June 3, 2011 at 11:52 am

Posted in internet


Ubuntu Linux 8.04 – Wake on LAN


Now that I’ve switched to a Macbook Pro with OSX Leopard as my primary desktop, I’ve located my Ubuntu machine in another part of the house to be accessible to my children. Not wanting to walk to the room where it’s located just to flip the power switch, I researched how to get “wake on LAN” working, so I could power it up remotely.

1. Enable the appropriate setting in your BIOS. Mine had something to do with wake on PCI device.

2. Install ethtool if you don’t already have it.

sudo apt-get install ethtool
cd /etc/init.d
sudo vim wakeonlanconfig

Add the following lines to that file:

#!/bin/bash
ethtool -s eth0 wol g

Install the script:

sudo update-rc.d -f wakeonlanconfig defaults

Run the script:

sudo /etc/init.d/wakeonlanconfig

3. Keep the network interface alive after shut down.

sudo vim /etc/init.d/halt

Change the following line:

halt -d -f -i $poweroff $hddown

to the following line (i.e. remove the -i):

halt -d -f $poweroff $hddown

4. Get the MAC address

ifconfig | grep HW

5. Send the magic packet via the following Ruby program:

require 'socket'
# Hardware address of the machine to wake (21:53:39:B3:90:42) as raw bytes.
mac_addr = "\x21\x53\x39\xB3\x90\x42".b
# Magic packet: six 0xFF bytes followed by the MAC address repeated 16 times.
packet = "\xff".b * 6 + mac_addr * 16
s = UDPSocket.new
# Socket option, not a send flag: permits sending to the broadcast address.
s.setsockopt(Socket::SOL_SOCKET, Socket::SO_BROADCAST, 1)
# Send flags are 0; broadcast on UDP port 7 to the subnet's broadcast address.
s.send(packet, 0, '10.0.0.255', 7)

Written by Brian Adkins

September 3, 2008 at 12:23 am

Use vimdiff to display subversion diffs


I prefer using vimdiff or gvimdiff to view differences between files. When researching ways to allow using vimdiff to view subversion differences, I came across this article.

The bottom line is that subversion passes the two relevant arguments as the 6th and 7th arguments, so the following shell script wrapper does the trick:

#!/bin/sh
# subversion calls this as: -u -L label1 -L label2 file1 file2, so the files are $6 and $7
/usr/bin/gvimdiff "$6" "$7"

Save the script as gvimdiff_wrapper.sh, make it executable and accessible on your path. Then modify $HOME/.subversion/config to have the following line:

diff-cmd = gvimdiff_wrapper.sh

That will allow you to use gvimdiff to display the diff generated by svn diff my_file.txt.

Written by Brian Adkins

November 27, 2007 at 10:14 am

Posted in programming


Web Hosting Bandwidth Constant


  • 365.25 days per year
  • 12 months per year
  • 24 hours per day
  • 60 minutes per hour
  • 60 seconds per minute
  • 1,024 MB per GB
  • 1,024 KB per MB
  • 8 kilobits (kb) per kilobyte (KB)

Put that all together and you get the following:

3.19 (month × kb) / (sec × GB)

So when you see a web hosting company stating a bandwidth per month (in GB), you can multiply that by 3.19 to get a kilobits per second figure. In other words, 18 GB/month of bandwidth is the amount of bandwidth that a 56Kb modem would consume at full capacity, and 480 GB/month is roughly the same as a 1.5Mb T1 line.

Written by Brian Adkins

September 3, 2007 at 1:42 am

Posted in internet


Etch is here


Wow, debian.org has finally released version 4.0 (“etch”). Debian is an awesome Linux distribution for servers, but 3.1 has some rather old packages. In particular, I need Apache 2.2 for mod_proxy_balancer, so I installed Ubuntu 6.10 server on my last server to get more recent packages. I expect to use Debian 4.0 for future server installs.

I found out about this from distrowatch.com and there’s a blurb on slashdot.org about it.

Written by Brian Adkins

April 8, 2007 at 11:36 pm

Posted in software
