
If I provide SSH access to users who have paid for a webhosting service, what security measures should be applied?

What I can think of:

  • 4096-bit RSA SSH keys (shall be secure for a while)
  • Apache MPM-ITK (separating each domain/subdomain) via separate user/group according to business (who paid for which service)
  • Permissions to each web root (0750) recursively
  • Checking for dangerous/invalid SUID/SGID binaries in $PATH
  • umask (027) so new files are covered by default

A similar answer is "Securing restricted shell environments", but in my opinion it doesn't cover my specific use case.

Marek Sebera

1 Answer


Why do you want to provide shell access? If it is something like service restarts or a defined task that might be executed via scripts, use a simple, shell-based task manager that allows only defined actions (or better, use a tool like Rundeck/Jenkins to provide the same tasks to your clients via a web interface).

If you need full shell access, well, either chroot or live with the consequences :)

Regarding SSH:

  • make sure your keys are pw-protected
  • generate keys yourself, if you can
  • forbid pw-login
  • put ssh onto another port if possible
  • use sudo and tight NOPASSWD definitions, e.g. restrict to /etc/init.d/apache reload instead of /etc/init.d/apache2, which would allow stop too

Your umask 027 might break stuff, especially if you allow file upload via scp.
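An added example, not part of the original answer, illustrating its sudo point: in sudoers, a command listed without arguments may be run with any arguments, so this check flags NOPASSWD rules that grant a bare command path. The function name, user names and sample rules are constructed for illustration; line continuations and Cmnd_Alias expansion are not handled.

```shell
#!/bin/sh
# Added example: flag NOPASSWD sudoers rules that do not pin the arguments.
# A bare "/etc/init.d/apache2" permits stop/start as well as reload;
# "/etc/init.d/apache2 reload" permits only that exact invocation.

# Constructed sample input (hypothetical users, not from the original post).
SAMPLE_SUDOERS='# constructed sample sudoers fragment
Defaults env_reset
client1 ALL=(root) NOPASSWD: /etc/init.d/apache2
client2 ALL=(root) NOPASSWD: /etc/init.d/apache2 reload
client3 ALL=(root) NOPASSWD: /etc/init.d/apache2 reload, /usr/sbin/service
'

# audit_nopasswd: reads sudoers text on stdin and prints one line per
# finding in the form "<user> <command> (<reason>)".
audit_nopasswd() {
    awk '
        /^[ \t]*#/ { next }                                   # comments
        /^[ \t]*$/ { next }                                   # blank lines
        /^[ \t]*(Defaults|[A-Za-z_]+_Alias)/ { next }         # not user rules
        /NOPASSWD:/ {
            user = $1
            cmds = $0
            sub(/.*NOPASSWD:[ \t]*/, "", cmds)                # keep command list
            n = split(cmds, list, /[ \t]*,[ \t]*/)            # one entry per command
            for (i = 1; i <= n; i++) {
                c = list[i]
                sub(/[ \t]+$/, "", c)
                if (c == "ALL")
                    print user, "ALL (any command)"
                else if (c !~ /[ \t]/)                        # path only, no argument list
                    print user, c " (any arguments)"
            }
        }
    '
}

# Run against the embedded sample; on a real host, feed it the output of
# "cat /etc/sudoers /etc/sudoers.d/*" instead.
printf '%s' "$SAMPLE_SUDOERS" | audit_nopasswd
```

On the sample this reports client1 and the second command of client3, while client2's rule, which pins the argument to reload, passes.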