This is a discussion on "How to Secure this box configuration?" within the Linux Security forums, part of the System Security and Security Related category.

I am using Slack v10.0, kernel 2.4.26, sendmail 8.12.11.
On sendmail, I am using virtusertable for a few domains. My users are in /etc/passwd. Access is via POP3 and webmail (squirrelmail 1.4.3a). Users manage their password, vacation msg via usermin.

Everything above works. Now, how to secure it from shell access?
BTW: I have disabled most of the unwanted daemons, only ports 22,25,80,110,143,443,20000 (usermin) are open.

Questions:
1 - How can I prevent shell access but still allow email access?

I have tried setting the account shell as /bin/false or expired account.
Result:
/bin/false - Their vacation msg will not work as the program vacation needs shell access
expired account - Users not able to log in via webmail.

I have about an average of 10 users per domain on this box.

Any help or suggestion will be greatly appreciated.

Manuel wrote:
> I am using Slack v10.0, kernel 2.4.26, sendmail 8.12.11.
> ...
> Everything above works. Now, how to secure it from shell access?

See Sendmail's smrsh(8) restricted shell manual page. I'm sure that this will provide what you want.

--
----------------------------------------------------------------------
Sylvain Robitaille  syl@alcor.concordia.ca

Systems analyst / Postmaster  Concordia University
Instructional & Information Technology  Montreal, Quebec, Canada
----------------------------------------------------------------------

Manuel wrote:
> I have tried setting the account shell as /bin/false or expired account.
> Result:
> /bin/false - Their vacation msg will not work as the program vacation needs
> shell access
> expired account - Users not able to log in via webmail.
>
> I have about an average of 10 users per domain on this box.
>
> Any help or suggestion will be greatly appreciated.

Why not just set sshd to allow only one specific group access - it won't stop users from logging in at the console or any ttys with a getty... but is that an issue?

HTH

C.

Is /bin/false existent in /etc/shells?
Colin McKinnon wrote:
> Manuel wrote:
>
>>I have tried setting the account shell as /bin/false or expired account.
>>Result:
>>/bin/false - Their vacation msg will not work as the program vacation needs
>>shell access
>>expired account - Users not able to log in via webmail.
>>
>>I have about an average of 10 users per domain on this box.
>>
>>Any help or suggestion will be greatly appreciated.
>
> Why not just set sshd to allow only one specific group access - it won't
> stop users from logging in at the console or any ttys with a getty... but
> is that an issue?
>
> HTH
>
> C.

["Followup-To:" header set to comp.os.linux.security.]
On 2004-09-01, Manuel <nouser@nodomain.com> wrote:
> I am using Slack v10.0, kernel 2.4.26, sendmail 8.12.11.
>
> On sendmail, I am using virtusertable for a few domains.
> My users are in /etc/passwd. Access is via POP3 and webmail (squirrelmail
> 1.4.3a).
> Users manage their password, vacation msg via usermin.
>
> Everything above works. Now, how to secure it from shell access?
> BTW: I have disabled most of the unwanted daemons, only ports
> 22,25,80,110,143,443,20000 (usermin) are open.
>
> Questions:
> 1 - How can I prevent shell access but still allow email access?
>
> I have tried setting the account shell as /bin/false or expired account.
> Result:
> /bin/false - Their vacation msg will not work as the program vacation needs
> shell access
> expired account - Users not able to log in via webmail.
>
> I have about an average of 10 users per domain on this box.
>
> Any help or suggestion will be greatly appreciated.

"man smrsh"

--
-John (john@os2.dhs.org)

Thank you Sylvain and John.
smrsh really solved my problem. Now my box is secured - at least in regards to sendmail and shell access.

Thanks again guys.

"Sylvain Robitaille" <syl@alcor.concordia.ca> wrote in message news:slrncjbsar.dt2f.syl@alcor.concordia.ca...
> Manuel wrote:
>
> > I am using Slack v10.0, kernel 2.4.26, sendmail 8.12.11.
> > ...
> > Everything above works. Now, how to secure it from shell access?
>
> See Sendmail's smrsh(8) restricted shell manual page. I'm sure that
> this will provide what you want.
>
> --
> ----------------------------------------------------------------------
> Sylvain Robitaille  syl@alcor.concordia.ca
>
> Systems analyst / Postmaster  Concordia University
> Instructional & Information Technology  Montreal, Quebec, Canada
> ----------------------------------------------------------------------
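
The /etc/shells question raised in the thread matters because sendmail only delivers to a program named in a user's .forward (such as vacation) when that user's login shell is listed in /etc/shells, or when the file carries the special /SENDMAIL/ANY/SHELL/ entry. The script below is an added example, not part of the thread: it reports both properties per account, and its default UID floor of 1000 and its "false/nologin" pattern for non-interactive shells are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report, per account, whether sendmail
# will accept a program in ~/.forward and whether the shell is interactive.
#
# audit_shells PASSWD_FILE SHELLS_FILE [MIN_UID]
#   Output, one line per account with uid >= MIN_UID (assumed default 1000):
#     user:shell:forward=yes|no:interactive=yes|no
#   forward=yes     shell is listed in SHELLS_FILE, or SHELLS_FILE contains
#                   sendmail's wildcard entry /SENDMAIL/ANY/SHELL/
#   interactive=no  shell is a "false" or "nologin" binary (assumption: those
#                   are the only no-login shells in use on the box)
audit_shells() {
    awk -F: -v min="${3:-1000}" '
        FILENAME == ARGV[1] {             # first file: the shells list
            line = $0
            sub(/#.*/, "", line)          # drop comments
            gsub(/[ \t\r]/, "", line)     # drop stray whitespace
            if (line != "") listed[line] = 1
            next
        }
        /^[ \t]*(#|$)/ { next }           # skip blank/comment passwd lines
        NF < 7 || $3 !~ /^[0-9]+$/ || $3 + 0 < min + 0 { next }
        {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            fwd = ((shell in listed) || ("/SENDMAIL/ANY/SHELL/" in listed)) ? "yes" : "no"
            inter = (shell ~ /\/(false|nologin)$/) ? "no" : "yes"
            printf "%s:%s:forward=%s:interactive=%s\n", $1, shell, fwd, inter
        }
    ' "$2" "$1"
}

# Audit the live files only when asked to explicitly.
if [ "${1:-}" = "--live" ]; then
    audit_shells /etc/passwd /etc/shells
fi
```

A forward=no line marks an account where a vacation entry in .forward will be rejected; an interactive=yes line marks an account that still gets a shell wherever sshd or a getty lets it in.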