ISPConfig Web Config Questions

Discussion in 'Installation/Configuration' started by MaddinXx, Mar 19, 2012.

  1. MaddinXx

    MaddinXx Member

    Hi HowToForge Community

    Today I tried to have a deeper look into the ISPConfig web configuration options and came across some options I was not able to find further information.

    Therefor I thought it would be best, to post my questions here.

    1) Add web users to -sshusers- group
    This is activated by default.
    Am I right, that this is only used in combination with Jailkit? I don't want my clients to connect to my server via SSH - so would this be one I should definitely uncheck?
    Or what does this exactly?

    2) Connect Linux userid to webid
    This is unchecked by default.
    Can someone please explain to me, what this does and what for it can be useful?

    3) Make relative symlinks
    This is unchecked by default.
    I found some information in the manual, but there are no explanations why this is useful. Again, I would really appreciate it, if someone could explain to me.

    Last but not least, Enable SNI. The hint in the manual says, that this is only needed if I want to run multiple SSL on the same IP. So if I don't plan to do this, can I safely deactivate it?

    Thank you all for the help!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1) You can disable that if you dont allow ssh access.
    2) This is useful for multiserver mirror setups as it ensures that the web users on all mirrored servers get the same linus uid.
    3) That can be useful on customized installations which use a different folder scheme and / or external storages.

  3. MaddinXx

    MaddinXx Member

    Hi till

    Thank you for the explanations. Very kind :)

    So I let everything as it was, except that I decided to allow SSH. Again, I have some questions.

    I managed to get Jailkit running. However I have some security concerns.

    1) Jailkit CHROOT is more secure than "NONE" CHROOT?
    It's seems so. Is it?

    Then, what makes me fear.

    After logging in with a Jailkit account, I can see some files and folders which should not be visible/editable (I guess). I have:


    /bin and all files in there seem secure to me?
    /cgi-bin is empty, seems fine too?
    /dev and files in there (null, tty & urandom), what is this?
    /etc fear! should this dir be there? And it's content: [​IMG]
    /home makes sense :)
    /lib & /lib64 again, I have no idea what the files in there are...
    /usr with subfolders /bin, /lib, /sbin & share - seems fine?
    /var with a folder /run - this seems to be for MySQL?

    I know this is a lot of stuff.... :)

    Thank you, once again.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Yes,jailkit is more secure. You mix up the folders here, the folders that you see in your jailkit account are not the global folders (with the same names), the folders are stripped down copies inside the jail with a minimal setup and binaries that are required to run a shell safely. So even if the jailkit user would be able to modify anything in these folders, it would not affect the server or any other website.
  5. MaddinXx

    MaddinXx Member

    Oki doki. Puh.. :)

    Very last question (I hope so) in (jailkit):

    /etc/group there is:

    and in /etc/passwd:

    Are the root entries required or is it safe to remove them? I guess the time there are more ssh users, they will all be listed...

    Thank you and please apologize stealing your time.
    I am still in early learning stadium.

  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The root entry is required in the jail. If you like to know more about jails with jailkit, see jailkit homepage.
  7. MQuintana

    MQuintana New Member

    I use this tutorial

    My topology: 2 Servers with ispconfig 3.
    Server1 - Active web interface
    Server2 - Disable web interface

    Server2 is mirror of Server Server1.
    Server2 have check Connect Linux userid to webid.

    I have multiserver mirror implemented, and check Connect Linux userid to webid in my Server2, but the ftp users are not replicate in my Server2, and when restart apache2 receive the error apache2: bad user name web13. In the Server1 not have this problem, because create correctly the users.

    Server2 Errors

    service apache2 restart
    apache2: bad user name web13
    Action 'configtest' failed.
    The Apache error log may have more information.

    apache error.log
    [email protected]:/home/mqciqa# tail -f /var/log/apache2/error.log
    [Wed Apr 20 20:22:26 2016] [error] [client] File does not exist: /var/www/bluecar
    [Wed Apr 20 20:22:29 2016] [error] [client] File does not exist: /var/www/bluecar
    [Wed Apr 20 20:29:58 2016] [error] [client] File does not exist: /var/www/bluecar
    [Wed Apr 20 20:30:47 2016] [error] [client] File does not exist: /var/www/bluecar
    [Wed Apr 20 20:30:48 2016] [error] [client] File does not exist: /var/www/bluecar
    [Wed Apr 20 20:32:30 2016] [error] [client] client denied by server configuration: /var/www/clients/client5/web13/web/bluecar/
    [Wed Apr 20 20:41:07 2016] [error] [client] client denied by server configuration: /var/www/clients/client5/web13/web/bluecar/
    [Wed Apr 20 20:51:59 2016] [error] [client] client denied by server configuration: /var/www/clients/client5/web13/web/bluecar/
    [Thu Apr 21 00:17:22 2016] [error] [client] File does not exist: /var/www/zecmd
    [Thu Apr 21 00:52:13 2016] [notice] caught SIGTERM, shutting down

Share This Page