Newbie Debian Squeeze : adduser (s)

Hi all,

I've done my first install of a LAMP server (thanks to the Linode documentation). So right now I'm working as root, and I would like to set up different users.

---

A: A webmaster user who would be able to work inside

srv/www/siteone

srv/www/sitetwo

  • creating files and folders

  • modifying files

  • deleting files

I don't know exactly what the best setting is for this kind of user, I just know that I have to do it :o)

---

B: An admin user with the same rights as root (I read that it is better to remove root access).

---

C: A MAYBE update user. I'm working with Drupal 7, so I don't know if it would be interesting to create an update user for this kind of job?

---

For A and B, I would like to remove access without an SSH key. So, as a newbie with Debian and medium in English…, do you know a clean step-by-step setup (using PuTTY) for my needs?

Thanks for your help (or advice).

Florent

7 Replies

For A (the webmaster), it's generally considered bad to let normal users edit your website directly. You CAN do it.

One option is to change the user ownership of /srv/www/siteone to one user, then change the user ownership of /srv/www/sitetwo to another user. Here's an example (I'll use todd and jim as the users; this assumes they already exist as users):

chown -R todd /srv/www/siteone
chown -R jim /srv/www/sitetwo

"chown" is the command to change ownership. This command means "change ownership recursively to todd of /srv/www/siteone", or "change ownership of /srv/www/siteone and everything inside it to todd".

You can also create a new webmaster group and put both users in that group, then you can change the group ownership for /srv/www/siteone and /srv/www/sitetwo to webmaster. That doesn't look like what you want, though, since both users can access siteone and sitetwo. But just in case, here's an example (this assumes that users todd and jim already exist):

groupadd webmaster
usermod -a -G webmaster jim
usermod -a -G webmaster todd
chgrp -R webmaster /srv/www/siteone
chgrp -R webmaster /srv/www/sitetwo

That will add the group webmaster to your server, append the webmaster group to the list of groups that jim and todd are in, then change the group ownership of siteone and sitetwo to webmaster, the same as chown (chown is for user ownership and chgrp is for group ownership).

For B, it's not that it's good to remove root access, it's better to not use root unless you absolutely need to. Creating a new user with the same privileges as root, then using that user, is just as bad as actually using root. The reason it's bad is that if your root user (or your user that has the same privileges) gets hacked, the hacker has complete access to your server. Here are tips to avoid that:

- Create a "normal" user (i.e. a user that you will normally use). Make sure the password is different from your root password.

useradd -m -U youruser
passwd youruser

Replace youruser with the user name you want. When you type the "passwd youruser" command, it'll ask you to set a password for youruser. It won't show the password as you type; that's so someone standing behind you won't see how many characters are in your password.

- If you're logged in as your normal user and you need root access, you can type the command "su -" (su space dash, no quotes) and type your root password. When done with root, type "exit" (no quotes) to return to your normal user.

- Using either vi or nano, open /etc/ssh/sshd_config, find the line that says "PermitRootLogin", and make sure that it is set to "no" (without quotes). Save and run "/etc/init.d/ssh restart" (no quotes). This will prevent anybody from trying to ssh to your server as root; they'll need to ssh to a normal user and then use "su -" to become root.

- Use ssh keys. I rarely use PuTTY, so I've never tried ssh keys with it, but someone else who uses it can chime in.

- If you do use ssh keys, then for a bit of extra security, you can open /etc/ssh/sshd_config, find the line that says "PasswordAuthentication", and make sure it's set to "no". The downside to doing that is that if you lose your private key (ssh keys have a public and a private key; the public one is on your server and you keep the private one), you'll need to go in through Lish (found in the Linode Manager) to regain access.

- If you use ssh keys AND disable password logins through ssh, you can configure sudo. You would need to use "su -" as described above, then use the "visudo" (no quotes) command. You can configure one user at a time:

username    ALL=(ALL) ALL
username2   ALL=(ALL) /sbin/command1, /usr/sbin/command2

That's just an example; you'll need to use actual user names. The first line gives username access to all commands. The second gives access to certain commands (replace the commands with real commands, separated with commas). Then you can run commands as your normal user by typing "sudo command1" (replacing command1), then typing your normal password.

You can also assign the same commands to multiple users in visudo. If you need to do that, ask and we'll explain how.

I'm not sure what you mean by Update User. For updating Drupal? If you want a specific user to have access to your Drupal site as described in A for your webmaster user, then that user would be your update user, because he would have ownership of the files, which means he can replace the old Drupal files with the new ones.
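The steps in the reply above, from the per-site ownership through the sudoers entry, gathered into one script. This is an added example, not code from the thread. It assumes the user names todd, jim and florent, the site paths /srv/www/siteone and /srv/www/sitetwo, that it runs as root on a Debian system with sudo installed (Debian's /etc/sudoers carries "#includedir /etc/sudoers.d"), and that the admin user's public key is already in ~/.ssh/authorized_keys before passwords are switched off. The two sshd_config helpers take a file path, so they can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the thread: the setup steps above as one script
# for a Debian box, run as root. User names (todd, jim, florent) and the
# site paths are illustrative assumptions; sudo must be installed and
# /etc/sudoers must carry the Debian default "#includedir /etc/sudoers.d".
set -eu

SITES="/srv/www/siteone /srv/www/sitetwo"
WEBGROUP=webmaster
ADMIN=florent

# Set "Keyword value" in an sshd_config-style file, whether the keyword is
# present, commented out (#Keyword ...) or missing. Takes any path, so it can
# be exercised on a copy before the real config is touched. A missing keyword
# is appended at the end, which is fine for the stock Squeeze config (no
# "Match" blocks, inside which an appended line would be scoped).
set_sshd_option() {          # set_sshd_option FILE KEYWORD VALUE
    f=$1; key=$2; val=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$f"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $val|" "$f"
    else
        printf '%s %s\n' "$key" "$val" >> "$f"
    fi
}

# Effective value of KEYWORD in FILE (sshd uses the first uncommented
# occurrence), or "unset" if there is none.
get_sshd_option() {          # get_sshd_option FILE KEYWORD
    awk -v k="$2" '$1 == k { print $2; found = 1; exit }
                   END { if (!found) print "unset" }' "$1"
}

# No root over ssh, no passwords over ssh: keys only.
harden_sshd() {              # harden_sshd FILE
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
}

apply() {
    # One webmaster group; each site owned by its own user, group-readable,
    # nothing for others. setgid on directories keeps new files in the group.
    groupadd -f "$WEBGROUP"
    for u in todd jim; do
        id "$u" >/dev/null 2>&1 || useradd -m -U "$u"
        usermod -a -G "$WEBGROUP" "$u"
    done
    chown -R "todd:$WEBGROUP" /srv/www/siteone
    chown -R "jim:$WEBGROUP" /srv/www/sitetwo
    find $SITES -type d -exec chmod 2750 {} +
    find $SITES -type f -exec chmod 640 {} +

    # A normal admin user who reaches root through sudo, not by logging in
    # as root. The sudoers fragment is syntax-checked before it is installed.
    id "$ADMIN" >/dev/null 2>&1 || useradd -m -U "$ADMIN"
    tmp=$(mktemp)
    printf '%s ALL=(ALL) ALL\n' "$ADMIN" > "$tmp"
    visudo -cf "$tmp"
    install -m 0440 "$tmp" "/etc/sudoers.d/$ADMIN"
    rm -f "$tmp"

    # Lock-out guard: refuse to disable passwords until the admin has a key.
    if [ ! -s "/home/$ADMIN/.ssh/authorized_keys" ]; then
        echo "put the admin's public key in /home/$ADMIN/.ssh/authorized_keys first" >&2
        exit 1
    fi

    # Harden a copy, let sshd check it, keep a backup, then swap it in.
    # Leave this session open and test a fresh key login before closing it.
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.new
    harden_sshd /etc/ssh/sshd_config.new
    sshd -t -f /etc/ssh/sshd_config.new
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
    /etc/init.d/ssh restart
}

# Nothing on the system is changed unless run as: sh setup.sh apply
if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it as `sh setup.sh apply`; without the argument it only defines the functions. The sshd config is checked with `sshd -t` and the sudoers fragment with `visudo -c` before either goes live, and the script refuses to turn off PasswordAuthentication until an authorized_keys file exists for the admin user, which is the mistake that locks people out and sends them to Lish.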

Piki,

Thanks a lot for your reply, which is written to be very understandable for a newbie* like me with Debian.

I spent a day yesterday reading docs online, and your answer is very well done.

I created a user Webmaster and an SSH key (in my case I often use scp to read files), so I can connect with the key and passphrase.

May I put only PasswordAuthentication== NO, to block root access?

Can you tell me where the files are (I often use WinSCP to read files to check the conf)? Can you give me a full command example? I'm just afraid of making a big mistake and locking my Linode.

---

Another small request: I read something yesterday (don't remember where), but the tip was to put XX seconds between wrong passwords. Is it a good way to block attacks? Is it a good way to prevent load on the server?

---

Drupal 7 has a system to upload modules, and it puts up a warning that the password is not encrypted… So my idea was, for this reason, to add a specific user with limited rights, but I will probably install SSL… So forget this point.

---

–------------------------------------------------

Thank again,

Florent

@A.L:

> Piki,
>
> Thanks a lot for your reply, which is written to be very understandable for a newbie* like me with Debian.
>
> I spent a day yesterday reading docs online, and your answer is very well done.
>
> I created a user Webmaster and an SSH key (in my case I often use scp to read files), so I can connect with the key and passphrase.
>
> May I put only PasswordAuthentication== NO, to block root access?

Are you talking about in your /etc/ssh/sshd_config? That will prevent people from trying to log in with a password. If you do not set up your ssh keys with root, then yes, that will prevent root login, since you would need a key to log in as root. By the way, the correct line would look like:

PasswordAuthentication no

You do not need the "==", and "no" should be in lower case.

> Can you tell me where the files are (I often use WinSCP to read files to check the conf)? Can you give me a full command example? I'm just afraid of making a big mistake and locking my Linode.

Which files do you mean? For ssh? They are in /etc/ssh/, and the ssh daemon that keeps running so you can use ssh is /etc/ssh/sshd_config.

The command for copying files is cp:

cp /some/directory/some/file /some/other/directory/
cp /some/directory/some/file /some/directory/new/file/name
cp -r /some/directory/ /some/other/directory

You'll need to adjust those lines with what they say. The first line will copy a file from one directory to another. The second line will give you two copies of the same file, and the new copy will have a new name. The third line, with the '-r', will let you copy a whole directory instead of a file. For moving:

mv /some/file /some/other/file
mv /some/directory /some/other/directory

For mv, you don't need '-r' for directories. You can use it to move files and directories, or just to rename them (move /directory/a to /directory/b and get rid of /directory/a). If you want to edit a file:

nano /some/file

nano is a command line text editor. There are others, such as vi (or vim) and emacs. I've never used emacs, but I have used vi, and between vi and nano, I think nano is more newbie-friendly because it displays commands at the bottom of the screen. It will have things like "^O WriteOut" (save the file) and "^X Exit". The ^ means CTRL, so "^O" means CTRL+O.

> ---
>
> Another small request: I read something yesterday (don't remember where), but the tip was to put XX seconds between wrong passwords. Is it a good way to block attacks? Is it a good way to prevent load on the server?
>
> ---

I don't understand what you're talking about.

> Drupal 7 has a system to upload modules, and it puts up a warning that the password is not encrypted… So my idea was, for this reason, to add a specific user with limited rights, but I will probably install SSL… So forget this point.
>
> ---

What you can do is use the sudo idea in my last post to give your normal user the ability to use the cp and chown command. So what you would do is put your modules in the home directory for your user, so assuming you log in as user joe, the home directory would be "/home/joe/". Then you would unpack the module using either:

unzip /home/joe/drupal_module.zip
tar zxvf /home/joe/drupal_module.tar.gz
tar jxvf /home/joe/drupal_module.tar.bz2

depending on which type of file you have. The tar command will use "zxvf" for .tar.gz and "jxvf" for .tar.bz2; it doesn't matter what order the letters are in, just make sure it's not "-zxvf" or "-jxvf" (tar is one of the few commands that doesn't use a "-" to indicate an option).

After you unpack the modules, you'll need to copy the files that are unpacked to Drupal then change the ownership to whichever user and group that your web server uses (Debian normally makes this user and group both www-data):

cp -r /home/joe/module /srv/www/siteone/sites/all/modules
chown -R www-data:www-data /srv/www/siteone

Of course, you'll need to adjust every one of those commands I'm giving for your user name and for where your site is actually stored. You'll also need to have the "-r" lower case for cp and the "-R" upper case for chown (I don't know why that is, but that's the way you need to do it).

You'll also see the www-data:www-data in the chown command. You can do that if you need to change the user and group at the same time. You put the user first and the group second. So if you want it to be owned by the webmaster user and the www-data group, you'd put:

chown -R webmaster:www-data /srv/www/siteone

The final thing you'll need to learn about with permissions is read, write, and execute permissions. Those are changed with the chmod command. chmod can be used like:

chmod u=rwx /srv/www/siteone/index.php
chmod -R g+rwx /srv/www/siteone
chmod -R o-rwx /srv/www/siteone
chmod -R 770 /srv/www/siteone

You can indicate read, write, and execute with the letters rwx, and user, group, and others (others meaning not the user or the group that owns it) with ugo or specify user group and others all at the same time with a (chmod a=rwx /srv/www/siteone). You can also use numbers to mean r, w, and x:

0 = no permission
1 = execute
2 = write
4 = read

You will need to add those together for your permissions, so read (4) and write (2) will give you 6. You'll put three numbers in a row if you use chmod - the first number sets the permission for the user that owns the file, the second number for the group that owns the file, and the third for everybody else.
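The module install described in the reply above (unpack in the home directory, copy into sites/all/modules, chown to the editing user and the www-data group, chmod) as one function. This is an added example, not code from the thread; the site root, the webmaster user, the www-data group and the module archive name are assumptions. It adds two checks a practitioner would want: the archive listing is inspected for absolute or ".." member paths before anything is extracted, and the ownership and permission changes are applied only to the new module directory rather than to the whole site.

```shell
#!/bin/sh
# Added example, not from the thread: install a Drupal module from a
# staging archive with the ownership and permission scheme described above.
# Site path, owner, group and module name are illustrative assumptions.
set -eu

# Succeeds only if no member path on stdin (one per line) is absolute or
# contains a ".." component; either could write outside the target tree.
paths_are_safe() {
    ! grep -Eq '(^/|(^|/)\.\.(/|$))'
}

# Same check applied to a .tar.gz listing, without extracting anything.
archive_is_safe() {          # archive_is_safe ARCHIVE.tar.gz
    tar tzf "$1" | paths_are_safe
}

# deploy_module ARCHIVE SITE_ROOT OWNER GROUP
# Unpacks ARCHIVE (a .tar.gz holding one top-level module directory) into a
# scratch directory, copies it to SITE_ROOT/sites/all/modules/, and sets
# OWNER:GROUP with directories 2750 and files 640: the owner edits, the web
# server's group reads, everyone else gets nothing. Prints the installed path.
deploy_module() {
    archive=$1; root=$2; owner=$3; group=$4
    if [ ! -f "$archive" ]; then
        echo "no such archive: $archive" >&2; return 1
    fi
    if ! archive_is_safe "$archive"; then
        echo "refusing $archive: it contains absolute or .. paths" >&2; return 1
    fi
    stage=$(mktemp -d)
    tar xzf "$archive" -C "$stage"
    set -- "$stage"/*                     # expect exactly one directory
    if [ $# -ne 1 ] || [ ! -d "$1" ]; then
        echo "archive must hold a single module directory" >&2
        rm -rf "$stage"; return 1
    fi
    name=$(basename "$1")
    if [ ! -f "$1/$name.info" ]; then     # every Drupal 7 module ships NAME.info
        echo "$name.info not found; not a Drupal module?" >&2
        rm -rf "$stage"; return 1
    fi
    dest="$root/sites/all/modules/$name"
    if [ -e "$dest" ]; then
        echo "$dest already exists; remove or update it deliberately" >&2
        rm -rf "$stage"; return 1
    fi
    cp -R "$1" "$dest"
    chown -R "$owner:$group" "$dest"
    find "$dest" -type d -exec chmod 2750 {} +
    find "$dest" -type f -exec chmod 640 {} +
    rm -rf "$stage"
    echo "$dest"
}

# Typical call on the server (paths and names assumed):
#   deploy_module /home/joe/views.tar.gz /srv/www/siteone webmaster www-data
```

The function refuses to overwrite an existing module directory, so an update is a deliberate remove-then-deploy rather than a silent overlay, and the setgid bit on the directories keeps anything the webmaster creates later in the www-data group without another chown.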

Piki,

Thanks so much, that was very helpful. (I will look at the Drupal 7 update system with SSL in a second step.) I'll put your answer on my desk..

Next question soon :)

Regards,

Florent

@A.L:

> Piki,
>
> ---
>
> Another small request: I read something yesterday (don't remember where), but the tip was to put XX seconds between wrong passwords. Is it a good way to block attacks? Is it a good way to prevent load on the server?

Might you mean setting up a delay between unsuccessful login attempts? I.e., if you type the wrong user/pass combo, you'll need to wait a few seconds to try again. As far as I understand, this does help against brute force attacks, as it really slows this kind of attack down.

Then how to implement this? I'm not really sure you can set this up in ssh, but it seems to me that by default there is a delay between password tries. To additionally block several connections, I'm using shorewall (on Debian) to set iptables rules such that there can be 6 attempts per minute in bursts of 3 to the ssh port before the connections are dropped.(*) Now, should someone actually be that interested in my server and flood ssh connections, this would presumably also block me from connecting through ssh, but for those cases there is LISH.

(*) the actual rule in "/etc/shorewall/rules" reads:

SSH(ACCEPT)     net     $FW     -       -               -               -               s:6/min:3

@vjm:

> Might you mean setting up a delay between unsuccessful login attempts? I.e., if you type the wrong user/pass combo, you'll need to wait a few seconds to try again. As far as I understand, this does help against brute force attacks, as it really slows this kind of attack down.
>
> Then how to implement this?

sshd_config's MaxAuthTries, MaxStartups, and optionally fail2ban

Then again, don't use passwords for SSH.
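What fail2ban does for sshd, mentioned in the reply above and in vjm's rate-limiting post, as an added example that is not from the thread: count "Failed password" lines per source address and report the ones at or above a threshold. The auth.log lines are constructed (documentation IP ranges, timestamps and hostname trimmed) so the script runs offline; pointed at a real /var/log/auth.log it does the same count, since the pattern matches the sshd part of the line wherever the timestamp and hostname put it.

```shell
#!/bin/sh
# Added example, not from the thread: the counting that fail2ban does for
# sshd, written in awk over constructed auth.log lines so it runs offline.
set -eu

# Constructed sample of Debian's /var/log/auth.log, timestamp and host cut off.
SAMPLE_LOG='sshd[1201]: Failed password for root from 192.0.2.10 port 40122 ssh2
sshd[1201]: Failed password for root from 192.0.2.10 port 40122 ssh2
sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
sshd[1205]: Failed password for invalid user oracle from 192.0.2.10 port 40140 ssh2
sshd[1207]: Failed password for invalid user test from 192.0.2.10 port 40150 ssh2
sshd[1210]: Failed password for florent from 198.51.100.7 port 51022 ssh2
sshd[1210]: Accepted publickey for florent from 198.51.100.7 port 51022 ssh2
sshd[1212]: Invalid user pi from 203.0.113.5
sshd[1212]: Failed password for invalid user pi from 203.0.113.5 port 33001 ssh2'

# offenders THRESHOLD [FILE]
# Prints "ip count", sorted, for every source with at least THRESHOLD failed
# password attempts. Reads FILE, or the sample above when none is given.
# Only "Failed password" lines count; "Invalid user" and "Accepted" do not.
offenders() {
    thr=$1
    if [ $# -ge 2 ]; then cat "$2"; else printf '%s\n' "$SAMPLE_LOG"; fi |
        awk -v thr="$thr" '
            /sshd\[[0-9]+\]: Failed password for / {
                for (i = 1; i <= NF; i++)
                    if ($i == "from") { fails[$(i+1)]++; break }
            }
            END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
        ' | sort
}

# ban_rule IP: the iptables command a fail2ban-style ban would run for that
# source. Printed, not executed, so the example is harmless anywhere.
ban_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$1"
}

# Stand-alone run: sources with 3 or more failures, each with its ban rule.
offenders 3 | while read -r ip n; do
    echo "# $ip: $n failed logins"
    ban_rule "$ip"
done
```

fail2ban's sshd jail does this with a time window added (maxretry within findtime) and then inserts a rule like the one ban_rule prints, removing it after bantime. The sshd_config settings in the reply above work at a different layer: MaxAuthTries caps authentication attempts per connection and MaxStartups caps concurrent unauthenticated connections, which is roughly what vjm's shorewall rate limit enforces at the packet level. None of them matter much once PasswordAuthentication is off.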

> sshd_config's MaxAuthTries, MaxStartups, and optionally fail2ban

Thanks.

Florent
