[nSLUG] Securing Linux with shell users

D G Teed donald.teed at gmail.com
Thu Dec 11 14:32:11 AST 2008


On Thu, Dec 11, 2008 at 1:06 PM, Ian Campbell <ian at slu.ms> wrote:

> Most ISPs with any sense don't provide shell access anymore, given the
> difficulty of securing it properly and still providing a
> useful/pleasant service.
>
> You haven't given enough information for anyone to answer the question
> -- basically you need to enumerate (as much as possible anyway)
> everything users should be able to do with the machine, and then
> remove everything else.
>
> For example, you need to provide access to compilers, but do you need
> to provide the ability for users to run the compiled binaries, or is
> it just a compile farm? You're blocking inbound traffic except on
> given ports, but are you blocking outbound traffic? What about
> loopback traffic?
>

Some ISPs do offer shell access.  Generally they want some ID so they have
something solid on who to come after.  We have the equivalent in our case.

I didn't want to discuss excessive details of our set
up in a public forum, and I certainly don't expect
someone to do the analysis for me.  I'm mainly looking
for the checklist type of document and then I can
consider the ones that apply.  I would have thought
this exists, perhaps in a book form as I've seen
before regarding writing CGIs.  But as we've discussed
here before, print matter is becoming a rarity in IT
these days.

--Donald
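To make Ian's "enumerate, then remove everything else" advice concrete, here is an nftables ruleset that is not part of this thread and not anything the nSLUG posters ran; it assumes a single-homed shell host whose only enumerated public services are SSH (22) and HTTP (80), and every address and port in it (the 192.0.2.x mirror and resolver, the localhost-only port 3306) is a constructed placeholder to replace with your own enumeration. It answers the three questions in the quoted reply directly: inbound is allowed only on the listed ports, outbound is denied for ordinary shell users and limited to an allow-listed set for uid 0, and loopback is open except that unprivileged users cannot reach admin-only daemons bound to localhost.

```nft
#!/usr/sbin/nft -f
# Added example (not from the nSLUG thread). Load with: nft -f thisfile
# Assumption: the host serves only SSH and HTTP; all addresses below are
# constructed placeholders (RFC 5737 documentation range).
flush ruleset

table inet shellhost {
    # Destinations that system processes (uid 0) may open connections to,
    # e.g. the package mirror and the DNS resolver. Constructed values.
    set allowed_egress {
        type ipv4_addr
        elements = { 192.0.2.53, 192.0.2.80 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept                          # local services need loopback
        ct state established,related accept
        ct state invalid drop
        tcp dport { 22, 80 } accept              # only the enumerated services
        icmp type echo-request limit rate 5/second accept
        counter log prefix "shellhost-in-drop " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        # Loopback: open, except that ordinary users may not talk to daemons
        # that are meant to be admin-only (3306 is a constructed example).
        oif "lo" meta skuid != 0 tcp dport { 3306 } counter drop
        oif "lo" accept
        # Replies inside connections that were already accepted (e.g. a
        # user's SSH session) are fine regardless of which uid owns the socket.
        ct state established,related accept
        # New outbound connections: only root, and only to the allow-list.
        # Unprivileged shell users get none, so an abused account cannot be
        # used as a relay, scanner, or IRC bot from this host.
        meta skuid 0 ip daddr @allowed_egress tcp dport { 80, 443 } accept
        meta skuid 0 ip daddr 192.0.2.53 udp dport 53 accept
        counter log prefix "shellhost-out-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # not a router
    }
}
```

After loading, `nft list ruleset` shows the live rules and the per-rule counters, and the `log prefix` entries in the kernel log tell you which user-level traffic is being dropped, which is the quickest way to find out whether a blanket egress deny is breaking something users legitimately need. On a box of the era discussed in the thread the same per-uid split was done with iptables' `owner` match (`-m owner --uid-owner`), which is the iptables equivalent of `meta skuid` above.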