[ProgClub programming] Network administration notes

Justin Steward althalus87 at gmail.com
Thu Apr 10 10:35:44 EST 2014


You should also probably use the AllowGroups option in sshd_config:
    # Only people in the admin group can SSH into this machine
    AllowGroups admin

~Justin



On Tue, Apr 8, 2014 at 3:38 PM, John Elliot V <jj5 at progclub.org> wrote:

> I realised yesterday that our admin server (charity) was wide open for a
> hack-attack.
>
> When I create users on charity I disable the user password unless the
> user is an administrator so that ostensibly ordinary members can't log in
> to the admin server. Only administrators should be able to log on to the
> admin server. There are two user machines (honesty and hope) available
> for all members.
>
> Until yesterday charity:/home was the home directory on charity and
> exported to honesty:/home and hope:/home via NFS. So a malicious user
> could create an SSH key in their home directory via honesty or hope and
> then SSH to charity where their key would be found!
>
> So I've had to separate the /home directories for honesty/hope and
> charity. To do this I moved charity:/home to charity:/var/home and
> copied admin home directories into charity:/home. Admins beware: your
> home directory on charity is now different to your home directory on
> honesty and hope.
>
> Also, recently there was a problem with the NFS system. The problem was
> that the NFS clients (honesty and hope) were not automatically mounting
> their NFS share for the /home directories from charity.
>
> I wasn't able to figure out how to fix the problem in /etc/fstab so I
> did the mounting with a script in /etc/rc.local as described here:
>
> https://www.progclub.org/wiki/Honesty_admin#Fixing_fstab_NFS_mount_issue
>
> and here:
>
> https://www.progclub.org/wiki/Hope_admin#Fixing_fstab_NFS_mount_issue
>
> Regards,
> John Elliot V
> _______________________________________________
> ProgClub programming
> programming at progclub.org
> https://www.progclub.org/cgi-bin/mailman/listinfo/programming
> https://www.progclub.org/
>
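An added example, not code from either poster: a small audit that lists which accounts holding an authorized_keys file would be refused by the AllowGroups setting suggested above, which is the check an admin would want after finding a shared /home on an admin host. Assumptions: AllowGroups lists exact group names (no patterns, no Match blocks), keys sit in the default ~/.ssh/authorized_keys, and the users alice and mallory and the helper names are constructed for illustration.

```python
import os, tempfile

def allowed_groups(sshd_text):
    """Groups named on AllowGroups lines, or None when the option is unset."""
    found = None
    for line in sshd_text.splitlines():
        words = line.split()
        if words and words[0].lower() == "allowgroups":  # keywords are case-insensitive
            found = (found or set()) | set(words[1:])
    return found

def memberships(passwd_text, group_text):
    """Map user -> (home, group names), primary group included."""
    by_gid, extra = {}, {}
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) == 4:
            by_gid[f[2]] = f[0]
            for member in filter(None, f[3].split(",")):
                extra.setdefault(member, set()).add(f[0])
    users = {}
    for line in passwd_text.splitlines():
        f = line.strip().split(":")
        if len(f) == 7:
            users[f[0]] = (f[5], extra.get(f[0], set()) | {by_gid.get(f[3], "")})
    return users

def audit(sshd_text, passwd_text, group_text, root="/"):
    """Sorted (user, verdict) for each account holding a non-empty authorized_keys."""
    allow = allowed_groups(sshd_text)
    out = []
    for user, (home, groups) in memberships(passwd_text, group_text).items():
        keyfile = os.path.join(root, home.lstrip("/"), ".ssh", "authorized_keys")
        if os.path.isfile(keyfile) and os.path.getsize(keyfile) > 0:
            ok = allow is None or bool(groups & allow)
            out.append((user, "not restricted" if ok else "blocked by AllowGroups"))
    return sorted(out)

# Constructed sample accounts: alice is in admin, mallory is an ordinary member.
PASSWD = "alice:x:1000:1000::/home/alice:/bin/bash\nmallory:x:1001:1001::/home/mallory:/bin/bash\n"
GROUP = "admin:x:50:alice\nalice:x:1000:\nmallory:x:1001:\n"

def demo(sshd_text):
    """Build a temporary /home where both users planted a key, then audit it."""
    with tempfile.TemporaryDirectory() as root:
        for user in ("alice", "mallory"):
            os.makedirs(os.path.join(root, "home", user, ".ssh"))
            with open(os.path.join(root, "home", user, ".ssh", "authorized_keys"), "w") as fh:
                fh.write("ssh-ed25519 CONSTRUCTED-KEY " + user + "\n")
        return audit(sshd_text, PASSWD, GROUP, root)
```

On a real host, call audit() with the contents of /etc/ssh/sshd_config, /etc/passwd and /etc/group; "not restricted" only means AllowGroups does not refuse the account, and other sshd settings still apply.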