#1  
Old 19th March 2012, 19:50
MaddinXx MaddinXx is offline
Senior Member
 
Join Date: Jul 2011
Location: Switzerland
Posts: 197
Thanks: 25
Thanked 62 Times in 46 Posts
ISPConfig Web Config Questions

Hi HowToForge Community

Today I tried to have a deeper look into the ISPConfig web configuration options and came across some options I was not able to find further information about.

Therefore I thought it would be best to post my questions here.

1) Add web users to -sshusers- group
This is activated by default.
Am I right that this is only used in combination with Jailkit? I don't want my clients to connect to my server via SSH - so would this be one I should definitely uncheck?
Or what does this do exactly?

2) Connect Linux userid to webid
This is unchecked by default.
Can someone please explain to me what this does and what it can be useful for?

3) Make relative symlinks
This is unchecked by default.
I found some information in the manual, but there are no explanations of why this is useful. Again, I would really appreciate it if someone could explain it to me.

Last but not least, Enable SNI. The hint in the manual says that this is only needed if I want to run multiple SSL on the same IP. So if I don't plan to do this, can I safely deactivate it?

Thank you all for the help!
Regards,
MaddinXx
  #2  
Old 20th March 2012, 08:01
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,717
Thanks: 820
Thanked 5,322 Times in 4,175 Posts

1) You can disable that if you don't allow SSH access.
2) This is useful for multiserver mirror setups as it ensures that the web users on all mirrored servers get the same Linux UID.
3) That can be useful on customized installations which use a different folder scheme and / or external storages.

Quote:
Last but not least, Enable SNI. The hint in the manual says that this is only needed if I want to run multiple SSL on the same IP. So if I don't plan to do this, can I safely deactivate it?
Yes.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 20th March 2012, 10:41
MaddinXx MaddinXx is offline

Hi till

Thank you for the explanations. Very kind :)

So I left everything as it was, except that I decided to allow SSH. Again, I have some questions.

I managed to get Jailkit running. However I have some security concerns.

1) Jailkit CHROOT is more secure than "NONE" CHROOT?
It seems so. Is it?

Then, what makes me fear.

After logging in with a Jailkit account, I can see some files and folders which should not be visible/editable (I guess). I have:



/bin and all files in there seem secure to me?
/cgi-bin is empty, seems fine too?
/dev and files in there (null, tty & urandom), what is this?
/etc fear! Should this dir be there? And its content:
/home makes sense :)
/lib & /lib64 again, I have no idea what the files in there are...
/usr with subfolders /bin, /lib, /sbin & share - seems fine?
/var with a folder /run - this seems to be for MySQL?

I know this is a lot of stuff.... :)

Thank you, once again.
MaddinXx
  #4  
Old 20th March 2012, 11:15
till till is offline

1) Yes, jailkit is more secure. You mix up the folders here: the folders that you see in your jailkit account are not the global folders (with the same names). They are stripped-down copies inside the jail with a minimal setup and the binaries that are required to run a shell safely. So even if the jailkit user would be able to modify anything in these folders, it would not affect the server or any other website.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #5  
Old 20th March 2012, 11:22
MaddinXx MaddinXx is offline

Oki doki. Puh..

Very last question (I hope so) in (jailkit):

/etc/group there is:
root:x:0:
client6:x:1007:

and in /etc/passwd:
root:x:0:0:root:/root:/bin/bash
mkaeser001:x:1008:1007:::/bin/bash

Are the root entries required or is it safe to remove them? I guess once there are more SSH users, they will all be listed...

Thank you, and please excuse me for taking your time.
I am still in an early learning stage.

Regards,
Michel
  #6  
Old 20th March 2012, 11:25
till till is offline

The root entry is required in the jail. If you would like to know more about jails with jailkit, see the jailkit homepage.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
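
The account files discussed in posts #5 and #6 can be checked mechanically. The following is an added example, not part of the thread and not ISPConfig or Jailkit code: it audits a jail's etc/passwd and etc/group, using the entries quoted in post #5 as constructed sample input. The function names, the list of accepted password placeholders and the command-line usage are assumptions of this example.

```python
import sys
from pathlib import Path

# Constructed sample input: the jail's etc/passwd and etc/group as quoted in post #5.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nmkaeser001:x:1008:1007:::/bin/bash\n"
SAMPLE_GROUP = "root:x:0:\nclient6:x:1007:\n"

def parse(text, nfields):
    """Split a colon-separated account file into rows, rejecting malformed lines."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        rows.append(fields)
    return rows

def audit_jail(passwd_text, group_text, expected_users):
    """Return a list of findings; an empty list means nothing was flagged."""
    users = parse(passwd_text, 7)
    gids = {g[2] for g in parse(group_text, 4)}
    findings = []
    # Post #6: the root entry is required in the jail, so its absence is a finding.
    if not any(u[0] == "root" and u[2] == "0" for u in users):
        findings.append("root: entry missing (the jail needs it)")
    for name, pw, uid, gid, _gecos, _home, _shell in users:
        # Assumption: only the usual placeholders are acceptable in a jail copy.
        if pw not in ("x", "*", "!"):
            findings.append(f"{name}: password field holds data readable inside the jail")
        if uid == "0" and name != "root":
            findings.append(f"{name}: second UID 0 account")
        if gid not in gids:
            findings.append(f"{name}: primary GID {gid} not in the jail's group file")
        if name != "root" and name not in expected_users:
            findings.append(f"{name}: not an expected SSH user for this jail")
    for name in sorted(set(expected_users) - {u[0] for u in users}):
        findings.append(f"{name}: expected SSH user missing from the jail")
    return findings

if __name__ == "__main__":
    # Hypothetical usage: audit.py <jail root> <expected user> [<expected user> ...]
    if len(sys.argv) > 2:
        etc = Path(sys.argv[1]) / "etc"
        result = audit_jail((etc / "passwd").read_text(), (etc / "group").read_text(), sys.argv[2:])
    else:
        result = audit_jail(SAMPLE_PASSWD, SAMPLE_GROUP, ["mkaeser001"])
    print("\n".join(result) or "no findings")
```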