Hi HowToForge Community Today I tried to have a deeper look into the ISPConfig web configuration options and came across some options I was not able to find further information. Therefor I thought it would be best, to post my questions here. 1) Add web users to -sshusers- group This is activated by default. Am I right, that this is only used in combination with Jailkit? I don't want my clients to connect to my server via SSH - so would this be one I should definitely uncheck? Or what does this exactly? 2) Connect Linux userid to webid This is unchecked by default. Can someone please explain to me, what this does and what for it can be useful? 3) Make relative symlinks This is unchecked by default. I found some information in the manual, but there are no explanations why this is useful. Again, I would really appreciate it, if someone could explain to me. Last but not least, Enable SNI. The hint in the manual says, that this is only needed if I want to run multiple SSL on the same IP. So if I don't plan to do this, can I safely deactivate it? Thank you all for the help! Regards, MaddinXx
1) You can disable that if you dont allow ssh access. 2) This is useful for multiserver mirror setups as it ensures that the web users on all mirrored servers get the same linus uid. 3) That can be useful on customized installations which use a different folder scheme and / or external storages. Yes.
Hi till Thank you for the explanations. Very kind So I let everything as it was, except that I decided to allow SSH. Again, I have some questions. I managed to get Jailkit running. However I have some security concerns. 1) Jailkit CHROOT is more secure than "NONE" CHROOT? It's seems so. Is it? Then, what makes me fear. After logging in with a Jailkit account, I can see some files and folders which should not be visible/editable (I guess). I have: /bin and all files in there seem secure to me? /cgi-bin is empty, seems fine too? /dev and files in there (null, tty & urandom), what is this? /etc fear! should this dir be there? And it's content: /home makes sense /lib & /lib64 again, I have no idea what the files in there are... /usr with subfolders /bin, /lib, /sbin & share - seems fine? /var with a folder /run - this seems to be for MySQL? I know this is a lot of stuff.... Thank you, once again. MaddinXx
1) Yes,jailkit is more secure. You mix up the folders here, the folders that you see in your jailkit account are not the global folders (with the same names), the folders are stripped down copies inside the jail with a minimal setup and binaries that are required to run a shell safely. So even if the jailkit user would be able to modify anything in these folders, it would not affect the server or any other website.
Oki doki. Puh.. Very last question (I hope so) in (jailkit): /etc/group there is: root:x:0: client6:x:1007: and in /etc/passwd: root:x:0:0:root:/root:/bin/bash mkaeser001:x:1008:1007:::/bin/bash Are the root entries required or is it safe to remove them? I guess the time there are more ssh users, they will all be listed... Thank you and please apologize stealing your time. I am still in early learning stadium. Regards, Michel
The root entry is required in the jail. If you like to know more about jails with jailkit, see jailkit homepage.
I use this tutorial https://www.howtoforge.com/installi...ase-cluster-on-debian-6.0-with-ispconfig-3-p5 My topology: 2 Servers with ispconfig 3. Server1 - Active web interface Server2 - Disable web interface Server2 is mirror of Server Server1. Server2 have check Connect Linux userid to webid. I have multiserver mirror implemented, and check Connect Linux userid to webid in my Server2, but the ftp users are not replicate in my Server2, and when restart apache2 receive the error apache2: bad user name web13. In the Server1 not have this problem, because create correctly the users. Server2 Errors service apache2 restart apache2: bad user name web13 Action 'configtest' failed. The Apache error log may have more information. failed! apache error.log root@webisp2:/home/mqciqa# tail -f /var/log/apache2/error.log [Wed Apr 20 20:22:26 2016] [error] [client 24.139.73.106] File does not exist: /var/www/bluecar [Wed Apr 20 20:22:29 2016] [error] [client 24.139.73.106] File does not exist: /var/www/bluecar [Wed Apr 20 20:29:58 2016] [error] [client 24.139.73.106] File does not exist: /var/www/bluecar [Wed Apr 20 20:30:47 2016] [error] [client 24.139.73.106] File does not exist: /var/www/bluecar [Wed Apr 20 20:30:48 2016] [error] [client 24.139.73.106] File does not exist: /var/www/bluecar [Wed Apr 20 20:32:30 2016] [error] [client 24.139.73.106] client denied by server configuration: /var/www/clients/client5/web13/web/bluecar/ [Wed Apr 20 20:41:07 2016] [error] [client 24.139.73.106] client denied by server configuration: /var/www/clients/client5/web13/web/bluecar/ [Wed Apr 20 20:51:59 2016] [error] [client 24.139.73.106] client denied by server configuration: /var/www/clients/client5/web13/web/bluecar/ [Thu Apr 21 00:17:22 2016] [error] [client 119.9.25.204] File does not exist: /var/www/zecmd [Thu Apr 21 00:52:13 2016] [notice] caught SIGTERM, shutting down
