linux - multiuser centOS server with restricted access

07
2014-07
  • kabukiman

    I need to configure a CentOS server for multiple users. Every user must be restricted to their homedir, have ssh access and be able to copy/move files.

    So I found multiple solutions for this task: chroot jail, rbash and something called virtualization. But I couldn't find why I should use one instead of another.

    I'm asking for help with basic information about this, maybe some links or any other suggestions. Thanks.

  • Answers

    Related Question

    linux - How to restrict access to a server application
  • Takashi

    I have written a simple server application (with an HTTP interface). I want to ensure that only calls from the local machine are processed - i.e. I want to prevent outsiders from accessing/using my server.

    How may I restrict outsiders (i.e. requests from remote machines)?

    BTW, I am deploying on Linux.


  • Related Answers
  • Tom Wijsman

    The other answers assume you've written a CGI/modular apache application - I'll assume you've written your own custom application that also listens on port 80, for purposes of administration.

    On a Linux box, the simplest method (not involving having to write your own .htaccess ACL system or similar) is to use iptables to prevent anything but local access to your port of choice:

    iptables -A INPUT -p tcp --dport 80 -s 127.0.0.1 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j DROP
    

    Obviously this would be better put into an init script that loads on boot, and it could potentially be made more robust, but for your current limited purposes as defined, this should do the job. :)

  • Ghidello

    Try adding an .htaccess file (into your web application) where you specify something like:
    allow from 192.168.1.
    or whatever IP pattern for the local URL you're using (also 127.0.0.1 should be a valid one).

  • Paul Lammertsma

    Under Apache, you can do this quite simply through the use of .htaccess files. There are some examples of restricting access by IP address on this website.

    To disallow outside connections and make it only accessible to the localhost:

    order deny,allow
    deny from all
    allow from 127.0.0.1
    

    Just make sure you specify order deny,allow so that deny takes precedence. Also be sure to specify deny from all so that all other IPs are forbidden to access the application.

    You can also specify an address range in the last line by omitting the last number group.

  • Slartibartfast

    You're looking to 'bind()' the listening socket you open to a specific IP address. If you bind to the loopback address, then only programs on the local machine will be able to connect (the localhost network is never routed outside of a given machine).

    This will be simpler than a firewalling configuration because it is completely self-contained within your program and because it is portable.
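
An added example, not part of the answer above or of the original page: it binds a listening socket to the loopback address as that answer describes, and adds a check that parses text in Linux's `/proc/net/tcp` format to report listening sockets that are not on 127.0.0.0/8. The function names and the sample table are constructed for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (little-endian host, columns cut).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000
   1: 00000000:0050 00000000:0000 0A 00000000:00000000
   2: 0100007F:1F90 0100007F:C001 01 00000000:00000000
"""


def listen_on(bind_addr, port=0):
    """Open a TCP listening socket on bind_addr (port 0 lets the OS pick)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((bind_addr, port))
    s.listen(8)
    return s


def can_connect(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_listeners(proc_net_tcp):
    """(ip, port) of each IPv4 LISTEN socket not bound inside 127.0.0.0/8."""
    exposed = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":  # 0A is the LISTEN state
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address as a native-endian 32-bit hex value.
        ip = socket.inet_ntoa(struct.pack("=I", int(hex_ip, 16)))
        if not ip.startswith("127."):
            exposed.append((ip, int(hex_port, 16)))
    return exposed


if __name__ == "__main__":
    srv = listen_on("127.0.0.1")  # loopback only, as the answer suggests
    print("local connect:", can_connect("127.0.0.1", srv.getsockname()[1]))
    print("exposed in sample:", exposed_listeners(SAMPLE))
```

On a live Linux host, pass the contents of `/proc/net/tcp` to `exposed_listeners` instead of the sample; IPv6 listeners are listed separately in `/proc/net/tcp6` and are not covered here.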