Wednesday, August 22, 2012

Allow only SCP/SFTP transfers with 'scponly'

scponly restricts users to SCP and SFTP by acting as their login shell, which disables interactive SSH logins. Users can still transfer files with FileZilla or the 'scp' tool, but cannot log in with an SSH client. Debian packages it as 'scponly'. To install it:
# apt-get install scponly
Since we will not be chrooting users, the SUID binary is not required, so answer No to:
Install the chrooted binary /usr/sbin/scponlyc SUID root? <-- No
For existing users, do:
# usermod -s /usr/bin/scponly username
To create a new user with scponly:
# useradd -m -s /usr/bin/scponly username
# passwd username

Wednesday, August 1, 2012

Optimized LEMP Installer for Debian/Ubuntu with Virtual Hosts Automator.

LAMP stacks are widely used, but they are notorious for being less resource-friendly and, at the same time, incredibly attractive to script kiddies and part-time crackers.

There's a tradition to play with the most popular toys rather than ones designed to be small and less expensive. As a kid, what would you like to steal in a kindergarten: a Spider-Man toy or a small spider miniature?
Leaving these arguments aside, let's move on to the real-valued part. I wrote this script which, I think, has the following featured jobs:
(Some literary art)

  • Configures Nginx for performance and static file caching as well as gzipping the output.
  • Installs PHP-FPM as well as PHP-APC for opcode caching.
  • Optimizes MySQL for caching queries, while being light on resources.
  • Facilitates interactive virtual host creation with a dedicated PHP-FPM pool for each user, so that each PHP process runs as the owner. This eliminates the need to install an FTP server for updating WordPress or installing plugins. Since PHP runs as the user owning the script, "wp-config" can be set to very strict permissions like 700.

There's even more...

  • The virtual hosts generation script can also create a MySQL user and database, and lets the user import an SQL file into the newly created database for easy migration.
  • A phpMyAdmin installer is also built in, which allows phpMyAdmin to be installed on a specified domain or sub-domain.
  • This script uses unix sockets instead of TCP, which promises some more improvement and lowers TCP overhead within the system.
  • I have implemented some security practices like "cgi.fix_pathinfo=0".
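The per-user pool, unix socket and cgi.fix_pathinfo setting from the lists above, written out as an added illustration; this is not the output of lemp-debian.sh. The user name alice, the file and socket paths, the www-data web-server account and the pm numbers are all assumptions.

```ini
; Constructed example pool file, e.g. /etc/php5/fpm/pool.d/alice.conf
; (path, pool name and user name are assumptions, not taken from the script)
[alice]

; Workers for this virtual host run as the site owner. PHP can then read and
; write the owner's files without any group/other permission bits, which is
; what makes very strict modes on wp-config workable.
user = alice
group = alice

; Unix socket instead of a TCP port: nothing listens on the network stack,
; and access is controlled by ordinary file ownership and mode.
listen = /var/run/php5-fpm-alice.sock

; Only the web server account (assumed here to be www-data) may connect.
; Other local users cannot hand requests to alice's PHP workers.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Small dynamic pool to stay light on memory (numbers are placeholders).
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Set globally in php.ini, not in this file:
;   cgi.fix_pathinfo = 0
; With 0, PHP runs only the exact script path it is given and does not
; fall back to a parent path when the requested file does not exist.

; Matching line in this host's nginx PHP location block:
;   fastcgi_pass unix:/var/run/php5-fpm-alice.sock;
```

One pool file per virtual host, each with its own user and socket, keeps a compromised site's PHP process confined to that owner's file permissions.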
Download the script here and run it as root:
wget https://raw.github.com/aatishnn/lempstack/master/lemp-debian.sh
chmod +x lemp-debian.sh
./lemp-debian.sh
This script works for me but I cannot guarantee that it will work for you too. I am not a Bash expert. Please add some regexp to your brain to ignore my scripting laziness. This is designed to work with Debian and Ubuntu. You may freely use it to suit your needs under the condition that you will thank me. I would be glad if you can share something about this script, test it, debug it or just scold, rebuke or criticize.