Need to lock down that Linux server so certain remote users can only access a specific directory, and only for file upload and download purposes? Jack Wallen shows you how.
When you have a server with SSH access, unless you've configured it otherwise, any user with an account on that system can log in and, if they have the permissions and skill, wreak havoc on your server.
You don't want that.
What you can do is restrict those users with a chroot jail. By doing this you severely limit what those users can do on your system. In fact, any user who is confined to a chroot jail can:
- Only access the server via sftp
- Only access a specific directory
This is a great security addition to your Linux servers, and if you have such a use case, consider it a must-do. This is especially important when you have a server that houses sensitive data and you don't want users even viewing those files and folders.
This setup isn't all that complicated. In fact, the configuration is much easier than finding reasons to deploy the feature. But on those occasions when you do need to severely restrict what a user can access on your Linux servers, this is one sure-fire way of doing so.
What you'll need
To make this work, you'll need a running instance of Linux and a user with sudo privileges. That's it. Let's make some security magic.
How to create a restricted group and add users on a Linux server
The first thing we must do is create a new group and add users to it. Create the group with:
sudo groupadd restricted
Next, add a user to the group with the command:
sudo usermod -g restricted USERNAME
Where USERNAME is the user you want to add to the restricted group.
How to configure SSH
Open the SSH daemon configuration file with:
sudo nano /etc/ssh/sshd_config
Look for the line (near the bottom):
Subsystem sftp /usr/lib/openssh/sftp-server
Change that line to:
Subsystem sftp internal-sftp
At the bottom of the file, add the following:
Match group restricted
    ChrootDirectory /home/
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Save and close the file. Restart SSH with:
sudo systemctl restart ssh
Now, go back to another machine and attempt to SSH into the server with that user, such as:
You'll see the warning:
This service allows sftp connections only. Connection to 192.168.1.147 closed.
In order for any user in the restricted group to log into the server, they must use sftp like so:
Where USERNAME is the username and SERVER is the IP address or domain of the server. Once they successfully log in, they'll be at the sftp prompt, where they can transfer files back and forth with the put and get commands. These restricted users can only upload files to their home directories. When a restricted user initially logs in, they'll be in the /home directory. So, to successfully upload, they must change into their home directory with a command like:
Once in their home directory, they can then issue a command like:
As long as that file is in the current working directory of the machine they logged into the server from, it will upload just fine. If those users only need to download files to their local machine, they'd use a command like:
I realize this is a very limiting configuration with very limited use cases, but at some point in your Linux admin career, you're going to run into an instance where you need to restrict users to logging into a chroot jail. This is one way to do it.