New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
I'm interested in writing a private/custom shared hosting environment
Anyone have any recommended readings/resources on setting permissions, security measures, etc?
[Yes I'm doing my own research, but as there are a lot of knowledegable people here it doesn't hurt to ask for some quick links]
Think something along the lines of:
"Hi complete noob wanting to learn how to make a barebones cpanel/vesta/similar application looking for security advice"
Comments
After you have made it, release it to a set of people and then set them the challenge of "break it as much as you can please". People will go as far as they can to break stuff, if they can.
set of people = LET. it'll be broken in a matter of hours haha
edit: to clarify, this is mostly for learning experience. if it ends up going further tha expected, I may put it into production.
More like "have an exposure to a large amount of packets"
I've already built a shared hosting panel - it's fun to do, once you learn that PHP + root + shell_exec doesn't mix unless you're lazy
Abuse is also a factor of concern - I had to write a shell wrapper in C to prevent users from abusing SSH (blocking automated-download scripts)
Make sure users are separated properly - a simple chroot for user SSH should do. Create an image file and mount it as loop to /home with the nosuid,noexec set.
Lastly - your code is never secure. People will find bugs and some may abuse it, so it's essential to keep logs and audit your server on a regular basis.
This isn't much, but will help against injection.
http://php.net/manual/en/function.strip-tags.php
This is worth a read. The task you describe is by no means easy.
https://knzl.de/setting-up-a-chroot-for-php/
I set something similar up with the server hosting WP sites, but each WP instance/user only accessible via a separate hosting IP... unique per user, and also wanting to deny user any knowledge of other domains hosted from that server.
Sounds like fun which is why I'm interested
Ah this sounds like it could be rough. Will do some research (or if you have your code open sourced, links would be cool)
Is there a reason you mount it as loop from image? What are the repercussions of just have a separate partition? Is this solely for convenience?
This is pretty obvious. However, I would like it to be secure enough for it to be run in a production environment without TOO much worry of major loopholes (vesta, cpanel, etc)
Won't help me much as I'm not building a PHP application. I'm building a panel to interface with built web server software and PHP.
..... Not sure if troll or serious...
I am being serious, can't remember the right function on my mobile. Pretty much just make sure to strip html / php in any input variables.
Might not be much advice but I'm anxious to see the turnout I have a feeling its going to be way better than some of these other folks who are posting random 1 week work projects will you be posting some progress here while working on it?
@Jonchun
My code isn't difficult at all -- install the 'trickle' package on your server to begin.
http://pastebin.com/VL1HsXN0
Make sure you disable the chsh command so they cannot override the speed limitations. I found it to be much easier to use this system than the latter (tc).
Here's the man page for trickle: http://linux.die.net/man/1/trickle
Anyways, good luck!
Edit: Try using Linux users as a method of authentication. Like cPanel, it's secure, and you should never need to handle the user's password.
Are you planning something like Sandstorm? Anyway, here's a dump of some of my bookmarks.
Security awesomelist
Security Guide: How to Protect Your Infrastructure Against the Basic Attacker
ConfigServer Security & Firewall
Storing Passwords in a Highly Parallelized World · Homepage of Hynek Schlawack
Hydra: oAuth service
Password hashing and verification
Snyk - Check Node for vulnerabilities
Client side encryption
Configuring SSL for your webserver
Security Engineering - A Guide to Building Dependable Distributed Systems
SSH Hardening
Mitigating DDoS Attacks with NGINX and NGINX Plus - NGINX
Lock Up Your Customer Accounts, Give Away the Key - TADevelops
Slide 39 - WAF and SQL Injection Links
Hardening Debian for the Desktop Using Grsecurity | Micah Lee's Blog
Daniel Somerfield - Turtles All the Way Down: Storing Secrets in the Cloud and the Data Center - YouTube
In a microservice architecture, how do you handle managing secrets?
How to Safely Store Your Users' Passwords in 2016 - Paragon Initiative Enterprises Blog
@FlamesRunner
Thanks!
@rincewind
Most of these links seem to be basic server hardening techniques not specifically related to shared hosting, but useful stuff nonetheless.
If you'd like, I can show you around my control panel, just PM me and we'll go from there.
Likewise, I also have a version on GitHub available here: https://github.com/FlamesRunner/FlamesPanel-v2
(open-source version is very minimal though)
Thanks for the offer! I'll take a look at your code (Mostly interested in file structure + permissions for now)