On Tue, Apr 13, 2010 at 03:55, Andrew Berg <bahamutzero8825 at gmail.com> wrote:
> On 4/13/2010 2:11 AM, gm5729 wrote:
>> I totally hear what you're saying on wanting them to be able to change
>> their passwords. A script would have to be written to do so on a web
>> page, depending on if you can script or someone else will in the dept
>> or outsource it.
>>
> I'm the only one who could write such a script (see below), but I don't
> know any languages that would be helpful (the only languages I know
> beyond a few very simple commands are Bash and batch files). I'm sure
> PHP would be helpful.
>> You are giving them openssl/shell access (which
>> is closely related to ssh/d) by logging in on one end of a secure
>> site, but wanting to deny them on the other. If you can't trust your
>> users in what sounds like a business atmosphere IMHO they shouldn't
>> ever be allowed access to the box.
> This is a private server (remote access only since we're renting the
> box) used for file transfer among friends. I trust the others not to
> intentionally try to compromise or damage the system, but they're
> clueless when it comes to Linux and the command line. They don't need it
> and if an attacker compromised one of their accounts, he would have a
> hard time doing any real damage beyond deleting all the files the user
> is allowed to access (and the users are even chrooted to the common file
> share directory). I'm administering it because I'm the only who has a
> clue how to run Linux. I've never run a server before, so I still have
> much to learn.
>> With the above files you can parse
>> down to who can use a cdrom drive and who can't, lock down all
>> usb/storage.
> Who can access which directories is done by Apache and the FTP daemon.
> Who can access which services is done by the firewall.
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>

If you're a scripter you're 3/4 of the way there. LAMP is usually ==
Linux, Apache, MySQL, Perl/PHP or PHP. PHP is probably the most prevalent
in web applications. But BASH, SED, AWK, GAWK and PERL are the sys
admin's domain for languages of choice. So use each one where you feel
it would be easiest.


Only root can start IPTABLES, and that is usually done at boot. I run
Arch Linux so MOST of my initializing daemons and modules are listed in
/etc/rc.conf. But regardless, ALL runlevel scripts are in /etc,
which is locked down to root.

You can chroot jail users who have shell access too, you know, so no one
can creep back up the tree. Permissions, permissions, permissions....

/var/www is root's and you can limit with chroot jails; chroot jails can
be assigned in ssh/d configs, PAM, a whole load of tools. I can't
stress enough: watch your logs. IPTABLES can go great with port
knocking, which adds another layer of security. Fail2Ban or SSHGuard is
another tool that adds a temporary ban to anyone hitting a port too
fast (too many times in too few secs). This is good for slowing down automated scripts
because they like to hit FAST and furious in brute force. LONG LONG
passphrases. If someone wants to ssh into my box, they won't get away
with at least a minimum 30 char passphrase or more! I don't follow
"you must change them every 30 days", but they do need to be changed quickly
if a person is pink slipped or transfers.

Couple more ideas. Skype is secure by its design. Even its creators
can't snoop on a P2P or conference call. Pidgin has OTR and GPG/RSA
encryption available. File transfers can be done there.

THE BEST application I have ever seen that has email, P2P, file
sharing, IM, chat and is TOTALLY encrypted end to end in a GUI! This
application runs on Linux only, that I know about, and it is called
RetroShare. It is all the above plus it's SERVERLESS. The keys
generated by the program "link" together each participant, so it's
easy to unlink them if necessary. If I were "renting" a box I wouldn't
entrust any business secrets to it unless you are running GPG, scrypt,
or bcrypt. I have issues with TrueCrypt and think it too complicated
of an encryption application. I've had some FUSE encryption go south
on me, as have kernel ones. LUKS/dm-crypt are good for a whole drive.
Of the three I mentioned above, scrypt is my encryption of choice, followed
by bcrypt. I usually keep GPG relegated to emails because I have lost
my secret key before and have had backup failures that destroyed those
keys. The other two apps have their keys hashed in them so you only
have to remember your passphrases. My passwords for my boxen as root
are ~chars or more. My $user passwds for my boxen are ~15-20 chars.

VP

-- 
If there is a question to the validity of this email please phone for
validation. Proudly presented by Mutt, GNUPG, Vi/m and GNU/Linux via
CopyLeft. GNU/Linux is about Freedom to compute as you want and need
to, and share your work unencumbered and have others do the same with
you. Key :  0xD53A8E1
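The Fail2Ban/SSHGuard idea from the reply above (temporarily ban a source that hits sshd too many times in too few seconds, and watch your logs) is easy to see in miniature. The following is an added example, not code from the thread or from Fail2Ban itself: it parses constructed auth.log-style sshd lines (sample data, not real logs; the year is assumed to be 2010 because syslog timestamps carry none), keeps a sliding window of failures per source address, and records a ban of `bantime` seconds once `maxretry` failures land inside `findtime` seconds. The thresholds, the `Ban` record and the `ban_command` helper are illustrative choices, not Fail2Ban's defaults or API; the iptables rule is only returned as a string so the script runs offline.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real host). 203.0.113.5 is a
# fast brute-forcer; 198.51.100.7 is a legitimate user who mistypes a
# password every ten minutes, which must NOT trigger a ban.
SAMPLE_LOG = """\
Apr 13 03:55:01 box sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Apr 13 03:55:02 box sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Apr 13 03:55:03 box sshd[2001]: Failed password for root from 203.0.113.5 port 4244 ssh2
Apr 13 03:55:04 box sshd[2001]: Failed password for root from 203.0.113.5 port 4245 ssh2
Apr 13 03:55:05 box sshd[2001]: Failed password for root from 203.0.113.5 port 4246 ssh2
Apr 13 03:55:06 box sshd[2001]: Failed password for root from 203.0.113.5 port 4247 ssh2
Apr 13 03:58:00 box sshd[2002]: Failed password for andrew from 198.51.100.7 port 5000 ssh2
Apr 13 03:59:10 box sshd[2003]: Accepted publickey for andrew from 198.51.100.7 port 5001 ssh2
Apr 13 04:10:00 box sshd[2004]: Failed password for andrew from 198.51.100.7 port 5002 ssh2
Apr 13 04:20:00 box sshd[2005]: Failed password for andrew from 198.51.100.7 port 5003 ssh2
Apr 13 04:30:00 box sshd[2006]: Failed password for andrew from 198.51.100.7 port 5004 ssh2
Apr 13 04:40:00 box sshd[2007]: Failed password for andrew from 198.51.100.7 port 5005 ssh2
Apr 13 04:50:00 box sshd[2008]: Failed password for andrew from 198.51.100.7 port 5006 ssh2
Apr 13 04:57:00 box sshd[2009]: Failed password for root from 203.0.113.5 port 4300 ssh2
"""

# Matches only sshd password failures; "invalid user" lines are included.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


@dataclass
class Ban:
    ip: str
    banned_at: datetime
    banned_until: datetime


def parse_failures(text, year=2010):
    """Return (timestamp, user, ip) for every failed-password line.

    The year is an assumption: syslog timestamps do not include one.
    """
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["user"], m["ip"]))
    return out


def find_bans(text, maxretry=5, findtime=600, bantime=3600):
    """Sliding-window ban logic: maxretry failures within findtime seconds
    from one address bans it for bantime seconds. Thresholds are illustrative."""
    hits = defaultdict(deque)      # ip -> timestamps of recent failures
    banned_until = {}              # ip -> expiry of an active ban
    bans = []
    for ts, _user, ip in parse_failures(text):
        until = banned_until.get(ip)
        if until is not None and ts < until:
            # With a real DROP rule these packets would never reach sshd;
            # we simply do not count them against the source.
            continue
        window = hits[ip]
        window.append(ts)
        # Evict failures older than findtime so slow, human-paced mistakes
        # never accumulate into a ban.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            expiry = ts + timedelta(seconds=bantime)
            bans.append(Ban(ip, ts, expiry))
            banned_until[ip] = expiry
            window.clear()
    return bans


def ban_command(ip):
    """The iptables rule a ban action would run (returned, not executed)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for b in find_bans(SAMPLE_LOG):
        print(f"{b.banned_at:%H:%M:%S} ban {b.ip} until {b.banned_until:%H:%M:%S}: "
              f"{ban_command(b.ip)}")
```

Run on the sample, the brute-forcer is banned on its fifth failure at 03:55:05, its sixth attempt during the ban is ignored, and its single retry after the ban expires starts a fresh window instead of re-banning. The legitimate user's five failures spaced ten minutes apart never fill the window, which is the difference between rate limiting and a permanent lockout. A real deployment would additionally unban when `banned_until` passes (remove the rule), and would read the log incrementally rather than as one string.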