#1 2013-02-17 08:21:30

cyberius
Member
From: Germany
Registered: 2008-08-30
Posts: 97

Restrict user account, prevent intruder from doing bad things

Hello,

I am currently planning and setting up a backup-server with ZFS. There will be daily snapshots of the filesystem (cron job).
Different machines connect automatically without a password via ssh (public/private key) and rsync their stuff to the backup server.

Each machine will connect to its specific user (and therefore to its own home directory) on the backup server. I thought that if one of the machines gets compromised (e.g. someone gets access to the private key) he could only access one home folder, nothing more. As there are daily snapshots, even if he deletes all files, they will still be there.

Is just adding a normal user per machine enough, or should / can more be done to enhance security? As I said, the user account is only for logging in and rsyncing stuff to the home directory.

E.g. disabling execution of applications except rsync? Preventing fork bombs? Making it harder to run exploits? Other stuff I didn't think about?

Thanks

Last edited by cyberius (2013-02-17 08:23:39)


#2 2013-02-17 09:02:54

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Restrict user account, prevent intruder from doing bad things

Well, you could harden your server with the linux-grsec kernel and RBAC.

You can also setup disk quotas for each user.

If you make your backup script a bit more complicated, you could encrypt each computer's backup directory.


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec


#3 2013-02-18 09:26:30

-Syu
Member
Registered: 2012-01-24
Posts: 29

Re: Restrict user account, prevent intruder from doing bad things

You might also want to limit those user accounts themselves. If you only use them for rsyncing, remove them from all unnecessary user groups (the "users" group in particular) and take away their shells.
On top of that, you may want to give each user a chroot jail, so they can't even write to /tmp for example.

I'm not too familiar with rsync yet. If you really need to make your other machines log in and execute rsync themselves over SSH, you might want to take a look at limited shells like lshell to only allow execution of that program.


#4 2013-02-18 09:51:35

cyberius
Member
From: Germany
Registered: 2008-08-30
Posts: 97

Re: Restrict user account, prevent intruder from doing bad things

-Syu wrote:

You might also want to limit those user accounts themselves. If you only use them for rsyncing, remove them from all unnecessary user groups (the "users" group in particular) and take away their shells.
On top of that, you may want to give each user a chroot jail, so they can't even write to /tmp for example.

I'm not too familiar with rsync yet. If you really need to make your other machines log in and execute rsync themselves over SSH, you might want to take a look at limited shells like lshell to only allow execution of that program.

Great, thank you! This was something I was looking for!

But if I take away the shell completely (e.g. chsh -s /sbin/nologin username), I think I won't be able to rsync via ssh, right?

lshell sounds very promising for my case, I will have a look at it!

edit: I found out that there is also a "--restricted" option for "bash", where one can disable PATH variables and changing directories. I will have a look.

Last edited by cyberius (2013-02-18 10:14:36)


#5 2013-02-18 10:26:48

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Restrict user account, prevent intruder from doing bad things

chroot does not offer any real security without grsecurity. The other stuff is all good to try.

If I were you I'd sit down and think about what I am really trying to protect. I bet you don't really care if the box gets owned. What you care about is that the backups are protected.

If the only job of the box that has the backups on it is storage of backups, then all you need to protect are the backups. Encryption will solve nearly all your problems if that is the case. The only problem left would be if the box was owned, the attacker could delete the encrypted backups. However, the attacker would not be able to read them. If an attacker did delete all your backups... that is not really that big of a deal as long as you find out about it in time to reinstall Arch and make new backups.

The last problem would be if the attacker used up all your disk space. That can be prevented with quotas.

Last edited by hunterthomson (2013-02-18 10:28:20)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
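An added example, not code from any poster in this thread, that puts together the advice from posts #3 to #5: a per-client account with its own primary group and no extra group memberships, a real shell kept only because sshd runs forced commands through it (which is why /sbin/nologin breaks rsync-over-ssh, as asked in post #4), a ZFS dataset with a quota per client (posts #2 and #5), and an SSH forced-command wrapper that lets the key do nothing except run rsync in server mode below the account's home. The dataset layout /srv/backup/<user>, the pool name "tank" and the wrapper path /usr/local/bin/rsync-only.sh are assumptions for the example; the script is POSIX sh.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster.
# Assumed layout: one ZFS dataset per client mounted at /srv/backup/<user>
# on the pool "tank" (placeholder name), and this file installed as
# /usr/local/bin/rsync-only.sh, referenced as the forced command in
# each client's authorized_keys.

# --- 1. Provision a locked-down account with a quota-limited dataset ---
# Usage (as root): setup_backup_account hostA 50G /path/to/hostA.pub
setup_backup_account() {
    u=$1; size=$2; pubkey=$3
    # Dataset first: the quota caps how much a stolen key can fill, and the
    # daily snapshots of it keep deleted files recoverable.
    zfs create -o quota="$size" -o mountpoint="/srv/backup/$u" "tank/backup/$u"
    # Own primary group only, not "users". A real shell is kept on purpose:
    # sshd runs the forced command as "$SHELL -c", so /sbin/nologin would
    # break rsync-over-ssh instead of restricting it.
    useradd --user-group --no-create-home --home-dir "/srv/backup/$u" \
        --shell /bin/sh "$u"
    chown "$u:$u" "/srv/backup/$u"
    chmod 700 "/srv/backup/$u"
    install -d -m 700 -o "$u" -g "$u" "/srv/backup/$u/.ssh"
    # Forced command plus no forwarding and no pty: the key can only hand
    # its command line to the wrapper below, never open a shell.
    printf 'command="/usr/local/bin/rsync-only.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$(cat "$pubkey")" > "/srv/backup/$u/.ssh/authorized_keys"
    chown "$u:$u" "/srv/backup/$u/.ssh/authorized_keys"
    chmod 600 "/srv/backup/$u/.ssh/authorized_keys"
}

# --- 2. Forced-command wrapper: accept only rsync in server mode ---
# Returns 0 if $1 (the client's SSH_ORIGINAL_COMMAND) is an rsync server
# invocation writing to a relative path below the home directory, 1 otherwise.
validate_rsync_command() {
    cmd=$1
    nl='
'
    # Shell metacharacters or newlines never occur in rsync's server line.
    case "$cmd" in
        *[';|&$`<>()']*|*"$nl"*) return 1 ;;
    esac
    # Must be what a client-side "rsync ... user@host:dir" actually sends.
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    # Push-only: --sender would let the key holder download existing backups.
    # Drop this check if clients must also restore over the same account.
    case "$cmd" in
        *" --sender "*|*" --sender") return 1 ;;
    esac
    # The destination is the last argument; keep it relative and inside $HOME.
    dest=${cmd##* }
    case "$dest" in
        ""|/*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

rsync_only_main() {
    if validate_rsync_command "${SSH_ORIGINAL_COMMAND:-}"; then
        cd "$HOME" || exit 1
        set -f   # no globbing; metacharacters were already rejected above
        exec $SSH_ORIGINAL_COMMAND
    fi
    # Anything else (interactive login, scp, sftp, a shell) is logged and refused.
    logger -t rsync-only "rejected command from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    exit 1
}

# Act as the wrapper only when invoked under the installed name; sourcing
# this file elsewhere just defines the functions.
case "$0" in
    */rsync-only.sh) rsync_only_main ;;
esac
```

With this in place a client backs up with something like `rsync -a /data/ hostA@backupserver:backups/`; an attempt to log in interactively, to pass `--sender`, or to write outside the home directory is refused and ends up in syslog under the tag rsync-only, which is also the signal that a client key may have leaked. The wrapper replaces lshell or `bash --restricted` for this use case, and it complements rather than replaces the snapshots and the quota: the key holder can still overwrite or delete the current copy within the dataset, which the snapshots cover.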

