HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


MaddinXx 19th March 2012 20:50

ISPConfig Web Config Questions
 
Hi HowToForge Community

Today I tried to have a deeper look into the ISPConfig web configuration options and came across some options for which I was not able to find further information.

Therefore I thought it would be best to post my questions here.

1) Add web users to -sshusers- group
This is activated by default.
Am I right that this is only used in combination with Jailkit? I don't want my clients to connect to my server via SSH - so would this be one I should definitely uncheck?
Or what does this do exactly?

2) Connect Linux userid to webid
This is unchecked by default.
Can someone please explain to me what this does and what it can be useful for?

3) Make relative symlinks
This is unchecked by default.
I found some information in the manual, but there are no explanations of why this is useful. Again, I would really appreciate it if someone could explain it to me.

Last but not least, Enable SNI. The hint in the manual says, that this is only needed if I want to run multiple SSL on the same IP. So if I don't plan to do this, can I safely deactivate it?

Thank you all for the help!
Regards,
MaddinXx

till 20th March 2012 09:01

1) You can disable that if you don't allow SSH access.
2) This is useful for multiserver mirror setups as it ensures that the web users on all mirrored servers get the same Linux uid.
3) That can be useful on customized installations which use a different folder scheme and/or external storage.

Quote:

Last but not least, Enable SNI. The hint in the manual says, that this is only needed if I want to run multiple SSL on the same IP. So if I don't plan to do this, can I safely deactivate it?
Yes.

MaddinXx 20th March 2012 11:41

Hi till

Thank you for the explanations. Very kind :)

So I left everything as it was, except that I decided to allow SSH. Again, I have some questions.

I managed to get Jailkit running. However I have some security concerns.

1) Jailkit CHROOT is more secure than "NONE" CHROOT?
It seems so. Is it?

Then, what makes me fear.

After logging in with a Jailkit account, I can see some files and folders which should not be visible/editable (I guess). I have:

http://www.IMG-Teufel.de/thumbs/Bild...c4e9003png.png

/bin and all files in there seem secure to me?
/cgi-bin is empty, seems fine too?
/dev and files in there (null, tty & urandom), what is this?
/etc fear! should this dir be there? And its content: http://www.IMG-Teufel.de/thumbs/Bild...213ea57png.png
/home makes sense :)
/lib & /lib64 again, I have no idea what the files in there are...
/usr with subfolders /bin, /lib, /sbin & share - seems fine?
/var with a folder /run - this seems to be for MySQL?

I know this is a lot of stuff.... :)

Thank you, once again.
MaddinXx

till 20th March 2012 12:15

1) Yes, jailkit is more secure. You are mixing up the folders here: the folders that you see in your jailkit account are not the global folders (with the same names). They are stripped-down copies inside the jail with a minimal setup and the binaries that are required to run a shell safely. So even if the jailkit user were able to modify anything in these folders, it would not affect the server or any other website.

MaddinXx 20th March 2012 12:22

Oki doki. Puh.. :)

Very last question (I hope so) in (jailkit):

/etc/group there is:
root:x:0:
client6:x:1007:

and in /etc/passwd:
root:x:0:0:root:/root:/bin/bash
mkaeser001:x:1008:1007:::/bin/bash

Are the root entries required or is it safe to remove them? I guess the time there are more ssh users, they will all be listed...

Thank you, and please excuse me for stealing your time.
I am still in an early learning stage.

Regards,
Michel

till 20th March 2012 12:25

The root entry is required in the jail. If you would like to know more about jails with jailkit, see the jailkit homepage.
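
Added example, not part of the original thread and not ISPConfig or Jailkit code: a small audit of the `etc/passwd` and `etc/group` copies inside a jail, run here against the two files quoted above. The function name `audit_jail` is hypothetical. That the root entry must be present comes from the thread; the checks for extra uid 0 accounts, non-placeholder password fields and gids missing from the jail's group file are assumptions about what a minimal jail should contain.

```sh
#!/bin/sh
# Added example: audit the passwd and group copies inside a jail.
# Prints one line per finding.
# Returns 0 = clean, 1 = findings, 2 = files missing.
audit_jail() {
    jail_passwd="$1/etc/passwd"
    jail_group="$1/etc/group"
    if [ ! -r "$jail_passwd" ] || [ ! -r "$jail_group" ]; then
        echo "MISSING: etc/passwd or etc/group under $1"
        return 2
    fi
    findings=$(awk -F: '
        FILENAME == ARGV[1] { gids[$3] = 1; next }   # group file: collect gids
        $1 == "root" && $3 == 0 { have_root = 1 }    # required per the thread
        $1 != "root" && $3 == 0 { print "UID0: extra uid 0 account " $1 }
        $2 != "x" && $2 != "*" && $2 != "!" { print "HASH: " $1 " has a non-placeholder password field" }
        !($4 in gids) { print "GID: " $1 " uses gid " $4 ", absent from the jail group file" }
        END { if (!have_root) print "ROOT: root entry missing" }
    ' "$jail_group" "$jail_passwd")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample jail holding the two files quoted in the thread.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf 'root:x:0:\nclient6:x:1007:\n' > "$demo/etc/group"
printf 'root:x:0:0:root:/root:/bin/bash\nmkaeser001:x:1008:1007:::/bin/bash\n' > "$demo/etc/passwd"
audit_jail "$demo" && echo "jail account files look minimal"
rm -rf "$demo"
```

On a real server the argument would be the jail's root directory, which depends on the local ISPConfig folder layout.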


All times are GMT +2.