linux - multiuser centOS server with restricted access
2014-07
I need to configure a CentOS server for multiple users. Every user must be restricted to their home directory, have SSH access and be able to copy/move files.
So I found multiple solutions for this task: chroot jail, rbash and something called virtualization. But I couldn't find why I should use one instead of another.
I'm asking for help with basic information about this, maybe some links or any other suggestions. Thanks.
I have written a simple server application (with an HTTP interface). I want to ensure that only calls from the local machine are processed - i.e. I want to prevent outsiders from accessing/using my server.
How may I restrict outsiders (i.e. requests from remote machines)?
BTW, I am deploying on Linux.
The other answers assume you've written a CGI/modular apache application - I'll assume you've written your own custom application that also listens on port 80, for purposes of administration.
On a Linux box, the simplest method (not involving having to write your own .htaccess ACL system or similar) is to use iptables to prevent anything but local access to your port of choice:
iptables -A INPUT -p tcp --dport 80 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Obviously this is better served to put into an init script that will load on boot, and could potentially be made more robust, but for your current limited purposes as defined, this should do the job. :)
Try adding an .htaccess file (into your web application) where you specify something like:
allow from 192.168.1.
or whatever IP pattern for the local URL you're using (127.0.0.1 should also be a valid one).
Under Apache, you can do this quite simply through the use of .htaccess files. There are some examples of restricting access by IP address on this website.
To disallow outside connections and make it only accessible to the localhost:
order deny,allow
deny from all
allow from 127.0.0.1
Just make sure you specify order deny,allow so that deny takes precedence. Also be sure to specify deny from all so that all other IPs are forbidden to access the application.
You can also specify an address range in the last line by omitting the last number group.
You're looking to 'bind()' the listening socket you open to a specific IP address. If you bind to the loopback address, then only programs on the local machine will be able to connect (the localhost network is never routed outside of a given machine).
This will be simpler than a firewalling configuration because it is completely self-contained within your program and because it is portable.
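The bind-to-loopback approach from the answer above, as an added example that is not part of the original post or the poster's own server: it stands in for the poster's HTTP application with Python's standard-library http.server, binds the listening socket to 127.0.0.1 rather than 0.0.0.0 (the usual "all interfaces" default), and then checks that the bound address really is the loopback address, that a request over loopback succeeds, and that the same port is refused on any non-loopback address the host happens to have. Port 0 is used so the kernel picks a free port; the handler, function names and the `non_loopback_addresses()` helper are assumptions of this example.

```python
import socket
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

LOOPBACK = "127.0.0.1"


class HelloHandler(BaseHTTPRequestHandler):
    """Minimal handler standing in for the poster's admin interface (assumed)."""

    def do_GET(self):
        body = b"local only\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the example's output quiet
        pass


def start_local_server(port=0):
    """Bind the listening socket to the loopback address only.

    Port 0 asks the kernel for a free port so the example runs anywhere.
    Returns (server, thread); server.server_address holds the bound port.
    """
    # The security-relevant line: bind() to 127.0.0.1, never to 0.0.0.0,
    # so the kernel only delivers connections arriving via the lo interface.
    server = HTTPServer((LOOPBACK, port), HelloHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, thread


def bound_address(server):
    """Address the kernel actually bound; must be 127.0.0.1, never 0.0.0.0."""
    return server.socket.getsockname()[0]


def can_connect(host, port, timeout=1.0):
    """True if a TCP connection to host:port is accepted, False if refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_local(port):
    """GET / over loopback and return (status code, body)."""
    conn = HTTPConnection(LOOPBACK, port, timeout=2)
    conn.request("GET", "/")
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def non_loopback_addresses():
    """Best-effort list of this host's other IPv4 addresses (may be empty)."""
    addrs = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            ip = info[4][0]
            if not ip.startswith("127."):
                addrs.add(ip)
    except OSError:
        pass  # hostname does not resolve; nothing to check
    return sorted(addrs)


if __name__ == "__main__":
    server, _ = start_local_server()
    port = server.server_address[1]
    print("bound to", bound_address(server), "port", port)
    print("loopback GET:", fetch_local(port))
    for ip in non_loopback_addresses():
        # The same port reached through a non-loopback interface is refused,
        # because the socket was never bound there.
        print(ip, "accepts connection:", can_connect(ip, port))
    server.shutdown()
```

The check against the host's other addresses is what distinguishes this from the firewall answer: with the firewall approach the socket still listens on every interface and the rules stop the traffic, whereas here the kernel never associates the port with any interface other than lo, so there is nothing for a misordered rule or a flushed table to expose.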