On Tue, 14 06 2011 at 00:12 +1000, Andrew McGlashan wrote:
> Hi,
>
> Lars Nielsen wrote:
> > I am running my own server with lenny, apache and php. Now I have
> > several websites that only I am going to update. Is it fine to run
> > those under the same userlogin and use virtualhosts or should I create a
> > separate user for each website?
> > Is it possible to maintain a secure server using a single user with
> > several websites?
>
> Most of that which is below is probably irrelevant if only you are going
> to manage each website's files, but if you want different people to be
> responsible for _their_ own website, then I suggest doing as follows:
>
>    -- create a chroot user area for each website
>
>    -- sym link the website to the chroot area
>
>    -- have the user create a private key with a good pass phrase and
> provide you with the public key data [or you could create it for them].
>
>    -- if possible limit remote login of the chroot user via IP
> address, insist on them having static IP access only if possible so you
> can restrict this properly.
>
>    -- add user to a group that is allowed to ssh into the server and
> setup ssh server appropriately ... [AllowGroup in /etc/ssh/sshd_config
> file and restart ssh daemon], don't allow ANY user to ssh without them
> belonging to the specially created ssh user group.
>
> With the user having their own private key and providing you with the
> public key data for the ~/.ssh/authorized_keys file, you can give the
> user a very long and cryptic random password that cannot be used for
> access (no-one needs this password anyway). You _may_ also want to
> disallow password login via ssh as well.
>
> Doing the above at least segregates the areas of each website and will
> give more security than most setups around these days whilst still
> allowing those that require access to manage their own website areas
> (their own document root) as needed.
>
> --
> Kind Regards
> AndrewM
>
> Andrew McGlashan
> Broadband Solutions now including VoIP
>
> Current Land Line No: 03 9912 0504
> Mobile: 04 2574 1827    Fax: 03 9012 2178
>
> National No: 1300 85 3804
>
> Affinity Vision Australia Pty Ltd
> http://www.affinityvision.com.au
> http://adsl2choice.net.au
>
> In Case of Emergency -- http://www.affinityvision.com.au/ice.html
>

Thank you for all your comments. It is good inspiration. I think I will
work towards a solution with chroot'ed users with SCP access and I will
look closer at suPHP.
:-)

Thanks
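
An added example, not part of the original thread or written by either poster: a small audit of an sshd_config for the controls suggested in the quoted reply (group-restricted ssh login, password login disabled, a chroot for website users). The OpenSSH keyword is spelled `AllowGroups`; the group name `sshusers`, the chroot path and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Audits an sshd_config; prints one line per gap, exit status = number of gaps.
# Simplification: only "Keyword value" lines are parsed (no "Keyword=value").
audit_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        { key = tolower($1) }                  # sshd keywords are case-insensitive
        key == "match" { in_match = 1; next }  # a Match block runs to the next Match or EOF
        key == "chrootdirectory" { chroot = 1 } # accepted in global or Match scope
        in_match { next }                      # the checks below are global-scope only
        # sshd keeps the first value it reads for a global keyword
        key == "allowgroups" && groups == "" { groups = $2 }
        key == "passwordauthentication" && pw == "" { pw = tolower($2) }
        END {
            if (groups == "") { print "gap: no AllowGroups, any account may attempt ssh login"; n++ }
            if (pw != "no")   { print "gap: password login still enabled"; n++ }
            if (!chroot)      { print "gap: no ChrootDirectory for website users"; n++ }
            exit n + 0
        }
    ' "$1"
}

# Constructed sample: group name and chroot path are hypothetical.
write_hardened_sample() {
    cat > "$1" <<'EOF'
# only members of this group may log in over ssh
AllowGroups sshusers
PasswordAuthentication no
PubkeyAuthentication yes
Match Group sshusers
    ChrootDirectory /srv/chroot/%u
EOF
}

# Constructed sample: a stock-style config with none of the controls set.
write_default_sample() {
    printf '%s\n' 'Port 22' '#PasswordAuthentication yes' 'UsePAM yes' > "$1"
}

tmp=$(mktemp -d)
write_hardened_sample "$tmp/hardened"
write_default_sample "$tmp/default"
for f in hardened default; do
    echo "== $f =="
    audit_sshd_config "$tmp/$f" || echo "($? gap(s) found)"
done
```

The per-key source-address restriction mentioned in the reply lives in `authorized_keys` (the `from="..."` option) rather than in sshd_config, so this audit does not cover it.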