Fri. Jan 21st, 2022


Need to lock down that Linux server so certain remote users can only access a specific directory, and only for file upload and download purposes? Jack Wallen shows you how.

Image: Production Perig/Shutterstock

When you have a server with SSH access, unless you've configured it otherwise, any user with an account on that system can log in and, if they have the permissions and skill, wreak havoc on your server.

You don't want that.

What you can do is restrict those users with a chroot jail. By doing this you severely limit what those users can do on your system. In fact, any user who is confined to a chroot jail can:

  1. Only access the server via sftp
  2. Only access a specific directory

This is a great security addition to your Linux servers, and if you have such a use case, consider it a must-do. It is especially important when you have a server that houses sensitive data and you don't want users even viewing those files and folders.

This setup isn't all that complicated. In fact, the configuration is much easier than finding reasons to deploy the feature. But on those occasions when you do need to severely restrict what a user can access on your Linux servers, this is one sure-fire way of doing so.

What you'll need

To make this work, you'll need a running instance of Linux and a user with sudo privileges. That's it. Let's make some security magic.

How to create a restricted group and add users on a Linux server

The first thing we must do is create a new group and add users to it. Create the group with:

sudo groupadd restricted

Next, add a user to the group with the command:

sudo usermod -g restricted USERNAME

Where USERNAME is the user you want to add to the restricted group.

How to configure SSH

Open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

Look for the line (near the bottom):

Subsystem sftp  /usr/lib/openssh/sftp-server

Change that line to:

Subsystem sftp internal-sftp

At the bottom of the file, add the following:

Match group restricted
  ChrootDirectory /home/
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Save and close the file. Restart SSH with:

sudo systemctl restart ssh

Now, go to another machine and attempt to SSH into the server as that user, for example:

ssh olivia@192.168.1.147

You'll see the warning:

This service allows sftp connections only.
Connection to 192.168.1.147 closed.
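Before restarting sshd it is worth checking that the edited file really carries the whole recipe, since a leftover external sftp-server Subsystem or a missing directive in the Match block silently weakens the jail. The following is an added example, not part of the original article: a small Python audit of an sshd_config text that parses Match blocks and reports any deviation from the settings above. The sample configs and the function names are constructed for illustration.

```python
import re

# keyword -> required value inside the Match block (None: any value, just present)
REQUIRED_IN_MATCH = {"chrootdirectory": None, "forcecommand": "internal-sftp",
                     "allowtcpforwarding": "no", "x11forwarding": "no"}

def parse_sshd_config(text):
    """Return (global_opts, match_blocks); keywords and Match criteria are lower-cased
    because sshd treats them case-insensitively, so 'Match group' and 'Match Group' agree."""
    global_opts, blocks = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = blocks.setdefault(value.lower(), {})
        else:
            current[key] = value
    return global_opts, blocks

def audit_sftp_chroot(text, group="restricted"):
    """Return findings; an empty list means the config follows the recipe."""
    global_opts, blocks = parse_sshd_config(text)
    findings = []
    if global_opts.get("subsystem", "").split()[:2] != ["sftp", "internal-sftp"]:
        findings.append("Subsystem sftp must be internal-sftp (sftp-server binary is unreachable inside the chroot)")
    block = blocks.get(f"group {group}")
    if block is None:
        return findings + [f"no 'Match Group {group}' block found"]
    for key, want in REQUIRED_IN_MATCH.items():
        have = block.get(key)
        if have is None:
            findings.append(f"Match Group {group}: {key} is missing")
        elif want is not None and have.lower() != want:
            findings.append(f"Match Group {group}: {key} is '{have}', expected '{want}'")
    return findings  # note: sshd also requires ChrootDirectory to be root-owned and not group/world-writable

# Constructed samples: the article's recipe, and a copy that keeps the stock
# sftp-server Subsystem and omits X11Forwarding (expect two findings).
GOOD_CONFIG = """Subsystem sftp internal-sftp
Match group restricted
  ChrootDirectory /home/
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no
"""
BAD_CONFIG = GOOD_CONFIG.replace("internal-sftp\nMatch", "/usr/lib/openssh/sftp-server\nMatch").replace("  X11Forwarding no\n", "")
```

Run `audit_sftp_chroot(open("/etc/ssh/sshd_config").read())` on the server to check the live file; `sudo sshd -t` still remains the syntax check of record.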

For any user in the restricted group to log into the server, they must use sftp like so:

sftp USERNAME@SERVER

Where USERNAME is the username and SERVER is the IP address or domain of the server. Once they successfully log in, they'll be at the sftp prompt, where they can transfer files back and forth with the put and get commands. These restricted users can only upload files to their home directories. When a restricted user first logs in, they'll be in the /home directory. So, to upload successfully, they must change into their home directory with a command like:

cd olivia

Once in their home directory, they can then issue a command like:

put file1

As long as that file is in the current working directory on the machine they logged into the server from, it will upload just fine. If those users only need to download files to their local machine, they'd use a command like:

get file1

I realize this is a very limiting configuration with very limited use cases, but at some point in your Linux admin career you're going to run into an instance where you need to limit users to logging into a chroot jail. This is one way to do it.
