  #1  
Old 17th May 2006, 23:45
Norman
Hardening the system without breaking ISPConfig

First of all, I'll list what I want to do and proceed with the issues I've encountered.

Needs:
- Prevent users from reading each other's directories and subdirectories. <- Is this solvable without implementing ssh chroot?
- Disk quotas reportable by "quota"

Tests:
chmod 711 /var/www/web* <- will prevent people from listing the initial subdirectories; however, it will not prevent people from prying into subdirectories with lax chmod like 755 etc.
chmod 700 /var/www/web* <- will do some extra work but will prevent apache from displaying the sites.

Setting either of these chmods will break ISPConfig's ability to see disk statistics for the users, even if the sudo option for du is activated in ISPConfig's configuration file.

Also, if quota is activated on the system, it doesn't seem to use disk quotas for the users? How so?
__________________
http://www.xh.se
  #2  
Old 18th May 2006, 08:17
till

Quote:
Originally Posted by Norman
Setting either of these chmods will break ISPConfig's ability to see disk statistics for the users, even if the sudo option for du is activated in ISPConfig's configuration file.
If you configured du to be executed with root privileges via sudo, the statistics are correct. You can test if your configuration is correct by running:

su admispconfig
sudo du -h --max-depth=1 /home/www/web1

Quote:
Also, if quota is activated on the system, it doesn't seem to use disk quotas for the users? How so?
Have you enabled quotas for all partitions where userdata is stored?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 29th August 2006, 06:33
Dave Lane
Hardening ISPConfig

Hi Till and Falko,

We're very happy with ISPConfig, and would like to thank you guys for making it available to us! At this point, we are keen to "harden" our servers running ISPConfig and would like to do, as Norman suggests, a chmod 750 on /home/www/* to prevent other clients (and their users) from accessing any other client directory...

As Norman points out, however, this breaks access for Apache (running as user www-data on our Ubuntu system). We notice that any new web?? group automatically includes the admispconfig user - how could we also automatically include the user www-data? We've grepped the ISPConfig code looking for hints, but haven't found the right place... Any suggestions would be greatly appreciated.

Kind regards,

Dave
  #4  
Old 29th August 2006, 08:13
till

The admispconfig user is added to the group of the web in line 1101 in the file /root/ispconfig/scripts/config.lib.php
__________________
Till Brehm
  #5  
Old 29th August 2006, 12:32
Ovidiu

Anyone tried using Bastille for hardening?
  #6  
Old 29th August 2006, 21:44
Dave Lane
Bastille hardening

Hi Tenaka,

Yesterday we installed Bastille on our Ubuntu server (via APT) in addition to the Bastille firewall provided by ISPConfig. We configured it for everything but the firewall - but as yet, we haven't applied stricter permissions (via the umask) on the user directories, as doing so would block the webserver from serving up user web accounts... Fixing that requires a minor hack on ISPConfig to ensure that the Apache user (in our case www-data) is included in each customer group. We're working on that.
Cheers,

Dave
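
A check for the permission states discussed in this thread, as an added example that is not part of any poster's message or of ISPConfig: it classifies each web* directory by its mode and reports whether the web server user is listed in the directory's group. The function names and verdict labels are hypothetical; it assumes `stat -c` (GNU coreutils or BusyBox) and an /etc/group-style file, and it only sees supplementary members, not primary groups.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes GNU/BusyBox `stat -c` and an
# /etc/group-style file; supplementary members only (field 4), not primary groups.

# classify_other MODE: what users outside owner and group can do with the directory.
classify_other() {
    if [ $(( 0$1 & 1 )) -eq 0 ]; then
        echo closed        # no o+x: others cannot enter (700, 750)
    elif [ $(( 0$1 & 4 )) -eq 0 ]; then
        echo traverse      # o+x only: no listing, but known paths resolve (711)
    else
        echo open          # o+rx: others can list and enter (755)
    fi
}

# in_group GROUPFILE GROUP USER: succeed if USER is listed as a member of GROUP.
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# audit_web_dirs BASE WEBUSER [GROUPFILE]: one line per BASE/web* directory.
audit_web_dirs() {
    a_groups=${3:-/etc/group}
    for a_dir in "$1"/web*/; do
        [ -d "$a_dir" ] || continue
        a_dir=${a_dir%/}
        a_mode=$(stat -c %a "$a_dir")
        a_group=$(stat -c %G "$a_dir")
        case $(classify_other "$a_mode") in
            open)     a_verdict=exposed ;;
            traverse) a_verdict=subdirs-exposed ;;
            closed)
                # Apache needs g+x and membership of the web's group to serve the site.
                if [ $(( 0$a_mode & 010 )) -ne 0 ] &&
                   in_group "$a_groups" "$a_group" "$2"; then
                    a_verdict=ok
                else
                    a_verdict=apache-blocked
                fi ;;
        esac
        printf '%s %s %s %s\n' "${a_dir##*/}" "$a_mode" "$a_group" "$a_verdict"
    done
}

# Usage: audit_web_dirs /var/www www-data
```

Each output line is `name mode group verdict`; `subdirs-exposed` marks the 711 case from the first post, where subdirectories with lax modes stay reachable by path.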