[clue-admin] User setup for "member" accounts

Jed S. Baer thag at frii.com
Tue Dec 28 22:09:39 MST 2004


On Tue, 28 Dec 2004 21:43:30 -0700
Jeff Cann wrote:

> I asked Lynn about it and he seemed determined to make it work.

Sorry if that just doesn't parse for me. You're referring to "days of old"
conversations?

> In my experience with other ISPs, they offered ssh access to what
> appeared to be a 'normal' shell account - i.e., I could run stuff,
> create directories, etc. However, due to UNIX permissions, I was
> unable to leave my directory.

Yeah, I've had that experience. I don't know what my current blog host
does, because I've never tried to push the limits, but yeah, I have
indications I'm in a restricted shell. But given how they've set up their
webserver, it wouldn't surprise me to find I'm in a chroot jail. Since
I've never looked into those, I don't know how I'd tell.

> My point: was I using a normal bash account or some other type of
> restricted shell? Perhaps these ISPs figured that I wouldn't abuse the
> servers (since I'm paying for access).
> 
> I don't care how you guys decide to set up the member accounts, just
> curious more than anything.

My main concern is that there's some evidence that the cracker got in via
a weak password. Of course, we don't know that for sure. But I note that
there have been 873 failed ssh logins since we brought the machine up.
Only a few of those are real admins fumble-fingering things. Many of them
are either for root or for non-existent users.

We're being scanned. How long until a dictionary attack succeeds? Or some
other brute-force mechanism? (And should we be looking at an IDS to react
to those?)

Unless there's a real need for member accounts to have more access, I
think they should get the minimum privs they need to update their
websites, and, I suppose maybe read e-mail using pine or mutt (I don't
recall what's on the box now for CLI e-mail reading). And that means
restricted shell, done properly. Since I've never set up chroot jails, I
don't know if that's going too far, or easily automated once we know how,
or what.

I know I'm getting a bit tangential here, but I think we need to minimize
risk wherever we can, especially because none of us wants to play
full-time admin on this box. Not that we should have to, but the fewer
things we have to worry about, the better, I think.

jed
-- 
http://s88369986.onlinehome.us/freedomsight/
Key fingerprint = B027 FEFB 4281 CC72 67D1  4237 F2D0 D356 077A A30E
... it is poor civic hygiene to install technologies that could someday
facilitate a police state. -- Bruce Schneier
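
Added example, not part of the message above or of the list's own tooling: a Python script that breaks down failed sshd password attempts into the categories the message mentions (root, non-existent users, existing accounts) and lists source addresses at or above a threshold. The log lines are constructed samples in OpenSSH's syslog message style; the names classify and summarize and the threshold of 5 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH sshd syslog style (documentation IPs).
SAMPLE_LOG = """\
Dec 28 20:01:02 host sshd[1001]: Failed password for root from 192.0.2.10 port 4001 ssh2
Dec 28 20:01:04 host sshd[1002]: Failed password for root from 192.0.2.10 port 4002 ssh2
Dec 28 20:01:06 host sshd[1003]: Failed password for invalid user admin from 192.0.2.10 port 4003 ssh2
Dec 28 20:01:08 host sshd[1004]: Failed password for illegal user test from 192.0.2.10 port 4004 ssh2
Dec 28 20:01:10 host sshd[1005]: Failed password for invalid user guest from 192.0.2.10 port 4005 ssh2
Dec 28 20:15:30 host sshd[1010]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Dec 28 20:15:41 host sshd[1011]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
Dec 28 21:00:00 host sshd[1020]: Failed password for invalid user oracle from 203.0.113.5 port 6001 ssh2
"""

# The user field is matched greedily and the pattern is anchored at end of line,
# so a username containing " from <ip> port N" cannot replace the real source IP.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<bad>(?:invalid|illegal) user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+(?: ssh\d*)?\s*$"
)

def classify(line):
    """Return (ip, category) for a failed-password line, else None."""
    m = FAILED.search(line)
    if not m:
        return None
    if m.group("bad"):          # sshd marked the account as unknown
        return m.group("ip"), "nonexistent"
    if m.group("user") == "root":
        return m.group("ip"), "root"
    return m.group("ip"), "existing"

def summarize(log_text, threshold=5):
    """Count failures per category; list source IPs with >= threshold failures."""
    totals = Counter()
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            totals[hit[1]] += 1
            per_ip[hit[0]] += 1
    scanners = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return dict(totals), scanners

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Failures against existing accounts are the ones a weak password would eventually lose to, so that count is the one to watch per source address.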


