On Tue, Apr 13, 2010 at 03:55, Andrew Berg <bahamutzero8825 at gmail.com> wrote: > On 4/13/2010 2:11 AM, gm5729 wrote: >> I totally hear what your saying on wanting them to be able to change >> their passwords. A script would have to be written to do so on a web >> page depending on if you can script or someone else will in the dept >> or outsource it. >> > I'm the only one who could write such a script (see below), but I don't > know any languages that would be helpful (the only languages I know > beyond a few very simple commands are Bash and batch files). I'm sure > PHP would be helpful. >> You are giving them openssl/shell access (which >> is closely related to ssh/d) by logging in on one end of a secure >> site, but wanting to deny them on the other. If you can't trust your >> users in what sounds like a business atmosphere IMHO they shouldn't >> ever be allowed access to the box. > This is a private server (remote access only since we're renting the > box) used for file transfer among friends. I trust the others not to > intentionally try to compromise or damage the system, but they're > clueless when it comes to Linux and the command line. They don't need it > and if an attacker compromised one of their accounts, he would have a > hard time doing any real damage beyond deleting all the files the user > is allowed to access (and the users are even chrooted to the common file > share directory). I'm administering it because I'm the only who has a > clue how to run Linux. I've never run a server before, so I still have > much to learn. >> With the above files you can parse >> down to who can use a cdrom drive, adn who cant, lock down all >> usb/storage. > Who can access which directories is done by Apache and the FTP daemon. > Who can access which services is done by the firewall. > > _______________________________________________ > TCLUG Mailing List - Minneapolis/St. Paul, Minnesota > tclug-list at mn-linux.org > http://mailman.mn-linux.org/mailman/listinfo/tclug-list > If you're ascripter you 3/4's of the way there. LAMP is usually == Linux Apache MySQL PerlPHP or PHP. PHP is probably the most prevelant in web applications. But BASH, SED, AWK, GAWK and PERL are the sys admins domain for languages of choice. So use each one were you feel it would be easiet. Root can only start IPTABLEs and that is usually done at boot. I run archlinux so MOST of my initializing daemons and modules are listed in /etc/rc.conf. But regardless ALL runlevel scripts are done in /etc which is locked down to root. You can chroot jail users who have shell access you know too so no one can creep back up the tree. Permissions, Permissions, Permissions.... /var/www is Root and you can limit with chroot jails, chroot jails can be assigned in ssh/d configs, PAM, a whole load of tools. I can't stress enough watch your logs. IPTABLES can go great with port knocking which adds another layer of security. Fail2Ban or SSHGUARD is another tool that adds a temporary ban to anyone hitting a port to fast in too many secs. This is good for slowing down automated scripts because they like to hit FAST and furious in brute force. LONG LONG Passphrases. If someone wants to ssh into my box. They won't get away with at least a minimum 30 charc passphrase or more! I don't follow you must change them 30 days, but they do need to be changed quickly if a person is pink slipped or transfers. Couple more ideas. Skype is secure by it's design. Even it's creators can't snoop on a P2P or conference call. Pidgin has OTR and GPG/RSA encryption available. Files transfers can be done there. THE BEST application I have ever seen that has email, P2P, file sharing, IM, Chat and is TOTALLY encrypted end to end in a GUI! This application runs on linux only that I know about and it is called RetroShare. It is all the above plus its a SERVERLESS box. The keys generated by the program "link" together each participant. So it's easy to unlink them if necessary. If I were "renting" a box I wouldn't entrust any business secrets on it unless you are running GPG, scrypt, or bcrypt. I have issues with Truecrypt and think it too complicated of an encryption application. I've had some fuse encryption go south on me as have had kernel. LUKS/DM-CRYPT are good for a whole drive. The three above I mentioned scrypt is my encryption of choice followed by bcrypt. I usually keep GPG relagated to emails because I have lost my secret key before and have had backup failures that destroyed those keys. The other two apps have their keys hashed in them so you only have to remember your passphrases. My password for my boxen as root are ~charcs or more. My $user passwds for my boxen are ~15-20 charcs. VP -- -- If there is a question to the validity of this email please phone for validation. Proudly presented by Mutt, GNUPG, Vi/m and GNU/Linux via CopyLeft. GNU/Linux is about Freedom to compute as you want and need to, and share your work unencumbered and have others do the same with you. Key : 0xD53A8E1