Need to fastener down that Linux server truthful definite distant users tin lone entree a circumstantial directory and lone for record upload and download purposes? Jack Wallen shows you how.
When you person a server with SSH access, unless you've configured it otherwise, immoderate idiosyncratic with an relationship connected that strategy tin log successful and, if they person the permissions and skill, wreak havoc connected your server.
SEE: 40+ unfastened root and Linux presumption you request to cognize (TechRepublic Premium)
You don't privation that.
What you tin bash is restrict those users with a chroot jail. By doing this you severely bounds what those users tin bash connected your system. In fact, immoderate idiosyncratic who is constricted to a chroot jailhouse can:
- Only entree the server via sftp
- Only entree a circumstantial directory
This is simply a large information summation to your Linux servers, and if you necessitate specified a usage case, see it a must-do. This is particularly important if you person a server that houses delicate information and you don't privation users adjacent viewing those files and folders.
This setup isn't each that challenging. In fact, the configuration is overmuch easier than uncovering ways to deploy the feature. But connected those occasions erstwhile you bash request to severely restrict what a idiosyncratic tin entree connected your Linux servers, this is 1 sure-fire mode of doing so.
What you'll request
To marque this work, you'll request a moving lawsuit of Linux and a idiosyncratic with sudo privileges. That's it. Let's marque immoderate information magic.
How to make a restricted radical and adhd users connected a Linux server
The archetypal happening we indispensable bash is make a caller radical and adhd users to it. Create the radical with:
sudo groupadd restrictedNext, adhd a idiosyncratic to the radical with the command:
sudo usermod -g restricted USERNAMEWhere USERNAME is the idiosyncratic you privation to adhd to the restricted group.
SEE: Linux turns 30: Celebrating the unfastened root operating strategy (free PDF) (TechRepublic)
How to configure SSH
Open the SSH daemon configuration record with:
sudo nano /etc/ssh/sshd_configLook for the enactment (near the bottom):
Subsystem sftp /usr/lib/openssh/sftp-serverChange that enactment to:
Subsystem sftp internal-sftpAt the bottommost of the file, adhd the following:
Match radical restricted ChrootDirectory /home/ ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding noSave and adjacent the file. Restart SSH with:
sudo systemctl restart sshNow, spell backmost to different instrumentality and effort to SSH into the server with the user, specified as:
ssh olivia@192.168.1.147You'll spot the warning:
This work allows sftp connections only. Connection to 192.168.1.147 closed.In bid for immoderate idiosyncratic successful the restricted radical to log into the server, they indispensable usage sftp similar so:
sftp USERNAME@SERVERWhere USERNAME is the username and SERVER is the IP code oregon domain of the server. Once they successfully log in, they'll beryllium astatine the sftp punctual wherever they tin transportation files backmost and distant with the enactment and get commands. Those restricted users tin lone upload files to their location directories. When a restricted idiosyncratic initially logs in, they'll beryllium successful the /home directory. So, to successfully upload, they would person to alteration into their location directory with a bid like:
cd oliviaOnce successful their location directory, they tin past contented a bid like:
put file1As agelong arsenic that record is successful the existent moving directory of the instrumentality they logged into the server from, it'll upload conscionable fine. If those users lone request to download files to their section machine, they'd usage a bid like:
get file1I recognize this is simply a precise limiting configuration with precise constricted usage cases, but astatine immoderate constituent successful your Linux admin career, you're going to tally into an lawsuit wherever you request to bounds users to logging into a chroot jail. This is 1 mode to bash it.
Subscribe to TechRepublic's How To Make Tech Work connected YouTube for each the latest tech proposal for concern pros from Jack Wallen.
Cybersecurity Insider Newsletter
Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays
Sign up todayAlso spot
- 9 web commands each Linux admin should know (TechRepublic)
- How to usage CyberPanel to easy negociate Docker images and containers (TechRepublic)
- How to go a cybersecurity pro: A cheat sheet (TechRepublic)
- NIST Cybersecurity Framework: A cheat expanse for professionals (free PDF) (TechRepublic)
- What are mobile VPN apps and wherefore you should beryllium utilizing them (TechRepublic Premium)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic connected Flipboard)