[nSLUG] Securing Linux with shell users
D G Teed
donald.teed at gmail.com
Thu Dec 11 14:32:11 AST 2008
On Thu, Dec 11, 2008 at 1:06 PM, Ian Campbell <ian at slu.ms> wrote:
> Most ISPs with any sense don't provide shell access anymore, given the
> difficulty of securing it properly and still providing a
> useful/pleasant service.
> You haven't given enough information for anyone to answer the question
> -- basically you need to enumerate (as much as possible anyway)
> everything users should be able to do with the machine, and then
> remove everything else.
> For example, you need to provide access to compilers, but do you need
> to provide the ability for users to run the compiled binaries, or is
> it just a compile farm? You're blocking inbound traffic except on
> given ports, but are you blocking outbound traffic? What about
> loopback traffic?
Some ISPs do offer shell access. Generally they want some ID so they have
something solid on who to come after. We have the equivalent in our case.
I didn't want to discuss excessive details of our setup in a public forum, and I certainly don't expect someone to do the analysis for me. I'm mainly looking for the checklist type of document and then I can consider the ones that apply. I would have thought this exists, perhaps in a book form as I've seen before regarding writing CGIs. But as we've discussed here before, print matter is becoming a rarity in IT.
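The quoted reply asks three concrete firewall questions for a multi-user shell host: which inbound ports are open, whether outbound traffic is also restricted, and what happens to loopback traffic. The script below is an added example, not something posted in this thread or part of any ISP's setup; it emits an nftables ruleset that answers all three with a default-drop policy in each direction, and every port number in it (ssh in, DNS/HTTP/HTTPS out) is an assumption to be replaced by the list of things users actually need.

```shell
#!/bin/sh
# Added example (not from the nSLUG thread): emit an nftables ruleset for a
# multi-user shell host. Policy is drop for input, forward and output; only
# the listed ports are opened. All port choices here are assumptions.

# gen_ruleset IN_TCP OUT_TCP OUT_UDP
#   IN_TCP  : comma-separated TCP ports reachable from outside (e.g. sshd)
#   OUT_TCP : comma-separated TCP ports processes on the host may connect to
#   OUT_UDP : comma-separated UDP ports processes on the host may send to
gen_ruleset() {
    in_tcp=$1
    out_tcp=$2
    out_udp=$3
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Loopback is accepted: every local user can reach services bound to
        # 127.0.0.1, so anything listening there must have its own auth.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
        tcp dport { $in_tcp } ct state new accept
        # Everything else falls through to the drop policy; log a sample
        # so unexpected inbound attempts show up in the host logs.
        limit rate 5/minute log prefix "shell-host input drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        tcp dport { $out_tcp } ct state new accept
        udp dport { $out_udp } accept
        # Outbound connections users were not granted are dropped and sampled
        # to the log, which is where a compromised account usually shows first.
        limit rate 5/minute log prefix "shell-host output drop: "
    }
}
EOF
}

# Print the ruleset; the defaults (22 in, 53/80/443 out) are assumptions.
gen_ruleset "${1:-22}" "${2:-53,80,443}" "${3:-53}"
```

Usage: `sh gen-shell-host-rules.sh 22 53,80,443 53 > shell-host.nft`, then `nft -c -f shell-host.nft` to syntax-check before `nft -f shell-host.nft` loads it. Because the output chain is also default-drop, a user's compiled program cannot open arbitrary network connections unless the port is on the list; if only some accounts should get outbound access at all, nftables can additionally match on the socket owner with `meta skuid` in the output chain.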