Giving SSH access to a user, and security issues

ssh security linux web-hosting

As a normal user your friend won't be able to do too much harm to your server (sure they could spawn off a fork bomb or fill your disk, but if they're really a friend they probably wouldn't pull a dick move like that). My friends get actual login shells on my machine if they ask for an account, and a stern lecture that if they do anything that pisses me off they'll get booted off the machine.

It sounds like you don't trust your "friend" very much, so in addition to The Rook's answer I'll also say that a halfway competent person with the ability to run a PHP script can be almost as dangerous as a user with unrestricted (login-able) SSH access, and I assume your server allows PHP. Remember that the user can run untrusted code via PHP, up to and including downloading, compiling and running other arbitrary programs on your system (albeit within the limitations of the web server user's privileges). Generally speaking unless you are chrooting/jailing your webserver anything your friend could have seen with his login shell he can see with some not-terribly-creative PHP scripting.

Bottom line: giving someone an account on your system and then locking out their shell in /etc/passwd & setting the SFTP chroot option helps, but you should really consider the security implications of any access, and your level of trust in this person.


Giving someone FTP access is one of the worst things you can do in terms of network secuirty. Worms will sniff network traffic looking for ftp and will use this to spread. I have personally cleaned up a few sites that where infected like this.

You can disable shell access to the user account in /etc/passwd, in this case ssh is only used for SFTP. You can also set the ChrootDirectory in your sshd_config file to prevent the user from access files outside of a directory tree of your choice. ChrootDirectory shouldn't be necessary, you should be using Linux's built in file access control. For instance if the file isn't owned by the user, and global privileges have been removed then that user will be unable to access the file. Use chmod 700 instead of 777. The last number is the global privileges, and 7 gives all users full access to that file. chown user:group filename is used to change the user/group that owns the file.

Related

How to tell start-stop-daemon to update $HOME and $USER accordingly to --chuid parameter
postfix uses hostname instead of myhostname
How to authorize standard users to install drivers on Windows XP
Which VM Product is right for me? (GPU Virtualization?)
Hadoop disk fail, what do you do?
Good open source proxy server software for windows server? [closed]
Frequently accessed files and I/O usage
RSA key, github keeps asking for my password
Drupal with Appearance is not able to see Theme - mystery [closed]
Intel igb driver building with checkinstall
Is it possible to generate a LetsEncrypt certificate for a private subdomain if the domain is public?
Getting error “libosinfo: Unexpected file type (0)” when trying to create or open VM in virt-manager