Jailing Users with SSH?
-
- Posts: 14
- Joined: Sun Sep 24, 2017 6:00 am
Jailing Users with SSH?
Hi,
I know this has been posted before but the posts are a fair few years old and not much detail went into a lot of the replies. I've been trying now for the past several hours to unsuccessfully set up a jailed environment for my user setup within Vesta.
The main reason behind this is I'd like a team of people to be able to work on the development side of the project and be able to push their updates to the server. In order to do this I've made a new user and given that user a subdomain. I'd like to give the newly created user shell access so that anyone on the team is able to log in via SSH basically for git purposes in order to easily be able to deploy updates. I'm fairly new to git in general so trying to also limit the exposure level to other commands is making this a much more difficult task.
My main concern is I don't want the development user to have access to any part of the server outside of the development subdomain. This is why I created an entirely new user and didn't create the subdomain from within my main user account.
Currently it seems to make git workable I must give the team root access to the entire server which allows at the bare minimum read access to all of the server's most sensitive information. While in this scenario I do trust my team and if worst case scenario needs be I will give root access, I still would like to learn how to set up a jailed environment where I can specify what commands are acceptable, as in the future putting outright trust in users with root access to my server is a big no-no! All it takes is one malicious user to do god knows anything from dban to dumping/leaking databases depending on what's on the server at any given time... That's partly why it's surprised me so much that this isn't an option right from the get go with Vesta where I've been reading it is with other providers like ISPconfig?
Anyone have any instructions or guides on setting something like this up with Vesta?
I've followed the few guides posted on previous VestaCP forum discussion posts to no avail and same to be said for online tutorials in general not linked to VestaCP. Main issue I found with those being that it attempts to move the home directories out of their usual setup and into the /jail directory that was set up. This gives me a permission denied error which I assume is because it would break Vesta's setup without modification.
Any help will be greatly appreciated!
Thanks
Brad
-
- Posts: 14
- Joined: Sun Sep 24, 2017 6:00 am
Re: Jailing Users with SSH?
Also just to add,
after following the installation guides online it seems that inside SSH options from within my VestaCP user's settings I can now see an option for JK_Chrootsh. Clearly it's a link to jailkit but it seems to be incorrectly working...
Now when I try to log in to my server via PuTTY with all of the same info I use with my normal login, bar username as dev this time and the development password, instead of getting Permission Denied (when it was set to nologin) the screen just automatically closes. Almost as if it logs me in then immediately exits the console. Could this be because it was all correctly set up but the directory change where there were permission failures has caused this?
If so should that not mean the fix is pretty close? As in it's basically set up and it's just the permissions issue that needs fixing in order to be accessible via PuTTY with limited access and commands outside of the user's web directory?
And lastly I assume if that's correct the fix needs to include a change to wherever Vesta stores its virtual hosts so that it knows when a user is set to JK_Chrootsh it needs to check the /jail directory instead of /home?
-
- Posts: 43
- Joined: Tue Apr 18, 2017 10:54 pm
- Os: Ubuntu 15x
- Web: apache + nginx
Re: Jailing Users with SSH?
JakeTheDog420 wrote: Anyone?
Unfortunately you will have to look outside of the community until you buy the Jailed SSH plugin for Vesta. Because they offer it for money they don't offer tips and tricks around how to install 3rd party jailed software. I'd recommend you either buy the plugin, or ask around in the Ubuntu or CentOS forums on how to jail SSH (you can get guides on "jailkit" on Google).
Sorry to give you the bad news.
-
- Posts: 43
- Joined: Tue Apr 18, 2017 10:54 pm
- Os: Ubuntu 15x
- Web: apache + nginx
Re: Jailing Users with SSH?
Also, paid users have their own forums and access to contact support directly if you would prefer (if you obtained the plugin through legitimate channels)
-
- Posts: 14
- Joined: Sun Sep 24, 2017 6:00 am
Re: Jailing Users with SSH?
Oh thanks for that guys I didn't even know vesta offered paid features! I'll definitely consider purchasing the plugin and browsing what else is offered if anything as so far I'm quite liking the vesta control panel!
That said I need to create a new thread as I have run into problems with the mailserver and unfortunately at the worst time! In case either of you know what my problem is I'll include my issues here;
Been using the server for personal projects etc so nothing major and had my email server working fine with ability to send and receive emails, connection through desktop mail clients and also my phone etc. Just registered a "client" up who wanted the ability to have custom email addresses and had a domain. I set it all up and they were sending emails just fine, also receiving emails. There were some issues while setting up which were quite weird like how I had all of the details input correctly to the desktop mail client but it wouldn't sync the msgs or send any out etc.
Eventually after deleting and re-adding a few times and spamming the sync button it synced and worked.
Everything seems to have gone downhill from there; since then all email accounts have been playing up.
The ones created first (so my emails for my personal projects) work or at least they work a lot better than these newer ones that are being created but like I just attempted to create a new email under the domain that I set up for my client and I sent an email to it and it has not received anything. Not in any folders including junk! I haven't today checked to see if my other emails are still working so let me check that now. I'll just quickly repeat the test on my client's domain to see if it gets any emails or can send!
Okay so update.
I sent an email from my own personal hotmail email to my test created email under client's domain. NON RECEIPT.
I sent an email from my own personal hotmail email to my email created under my own personal domain. RECEIVED.
I sent an email from my own personal hotmail email to both my personal email domain and my email under client's domain. RECEIVED ON PERSONAL DOMAIN NOT ON CLIENT'S EMAIL DOMAIN.
I am able to send emails FROM the client's emails outwards (however they went to junk folder.)
This seems like a misconfiguration issue however this domain was able to both send and receive emails last night so I don't get how it can go from one end of the spectrum to the other?
Does anyone have any suggestions or theories on what might be the cause here? The sooner I can get this resolved the better so any help at all is really appreciated!
I was thinking of just simply deleting the whole user and then re-adding him onto the VestaCP and re-add his web and mail accounts/records but obviously that's a fairly long process and I don't want to have to do that each and every time so I'd prefer to discover what's caused this issue so I know how to fix and what to avoid for the future!
Thanks for reading all this lol
Any help's appreciated :)