Restricted sftp access with rssh and ssh chroot

OpenSSH 4.9 was the first version of the famous daemon that came with a built-in chroot functionality (changelog). Chrooting the sshd and restricting shell access to a few commands is a good way to give a few users secure access for exchanging files. We will use the rssh shell to allow only sftp access for one user, locked into his chrooted home directory. Since it is dangerous to give a user write access to the root of a chroot, you have to create the user's home directory inside the chroot. In this example /home/ftp is the chroot and /home/ftp/secftp is the user's home directory, the place where he finds himself when connecting to the machine.

Install the rssh shell with

$ aptitude install rssh

and adjust the config file so that the user secftp is allowed sftp access only.

$ vim /etc/rssh.conf

user=secftp:027:00010 #user:umask:proto

Then add the new user secftp to your system (with /secftp as home directory, i.e. the path as seen from inside the chroot, and /usr/bin/rssh as shell) and set a password.

$ useradd -d /secftp -s /usr/bin/rssh -g users secftp
$ passwd secftp

Create the directory and adjust the ownership so that secftp can read and write and the other members of the users group can read the uploaded files.

$ mkdir -p /home/ftp/secftp
$ chown secftp:users /home/ftp/secftp

Edit your sshd configuration and add the user-specific options for your chroot. Don't forget to add secftp to your AllowUsers (which you should have configured :) ).

$ vim /etc/ssh/sshd_config

AllowUsers secftp

Subsystem sftp internal-sftp

Match User secftp
   ChrootDirectory /home/ftp
   AllowTCPForwarding no
   X11Forwarding no
   ForceCommand internal-sftp

Restart the sshd daemon and you should be done.
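Before restarting, it is worth checking what sshd will enforce for the ChrootDirectory. The following POSIX shell script is an added example, not part of the original post (the function names are mine); it verifies that every path component of the chroot is root-owned and not group- or world-writable, and that the user's home really is a subdirectory of the chroot:

```shell
#!/bin/sh
# Added example, not from the original post. sshd refuses a ChrootDirectory
# unless every path component from / down to the chroot is owned by root and
# is not group- or world-writable. The user's writable home must be a
# directory inside the chroot (here /home/ftp/secftp), never the chroot itself.

# Pure checker: reads "owner mode path" lines (the format printed by
# `stat -c '%U %a %n'`) on stdin, one per path component, and prints one line
# per violation. Returns 0 when the whole chain is acceptable, 1 otherwise.
audit_chroot_chain() {
    rc=0
    while read -r owner mode path; do
        [ -n "$path" ] || continue
        if [ "$owner" != root ]; then
            echo "BAD owner: $path belongs to $owner, must be root"
            rc=1
        fi
        # The last two octal digits are the group and other permission bits;
        # a digit of 2, 3, 6 or 7 means the write bit is set.
        lowbits=${mode#"${mode%??}"}
        case $lowbits in
            [2367]?|?[2367])
                echo "BAD mode: $path is $mode, group/other must not write"
                rc=1 ;;
        esac
    done
    return $rc
}
# Feed every component of CHROOT (/, /home, /home/ftp) to the checker.
# Assumes GNU stat, i.e. a Linux box like the Debian system above.
audit_chroot_dir() {
    p=
    {
        stat -c '%U %a %n' /
        for comp in $(printf '%s\n' "$1" | tr '/' ' '); do
            p="$p/$comp"
            stat -c '%U %a %n' "$p"
        done
    } | audit_chroot_chain
}
# Returns 0 only when HOME ($2) is a proper subdirectory of CHROOT ($1).
home_inside_chroot() {
    chroot=${1%/}
    case $2 in
        "$chroot"/?*) return 0 ;;
        *) return 1 ;;
    esac
}
```

For the setup above, run `audit_chroot_dir /home/ftp && home_inside_chroot /home/ftp /home/ftp/secftp` and only restart sshd when both checks pass.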

Sources:
http://www.gossamer-threads.com/lists/openssh/dev/44657
http://hp.kairaven.de/scpsftp/ssh-rssh-sftp.html
http://www.debian-administration.org/articles/590


Backing up MySQL databases

Why reinvent the wheel when there already is a reliable script for automatically backing up MySQL databases? WipeOut’s – Automatic MySQL Backup
Download the current version from Sourceforge and fill in a few details.

USERNAME=wordpressBackup
PASSWORD=P@ssw0rd
DBHOST=localhost
DBNAMES="wordpress"
BACKUPDIR="/var/backups/db"

The DBNAMES option lets you list individual databases or back up all of them with "ALL". Listing them individually is useful, for example, if you want to restrict the backup user's privileges to the respective databases.
Besides several advanced options, the script can send a report or the backups themselves to a given e-mail address.

MAILCONTENT="files"
MAILADDR="root@carrier-lost.org"

Finally, copy the customised script to the /etc/cron.daily/ directory and run it once as a test.


syslog-ng on vServer with Debian Lenny

Starting syslog-ng on a vServer with Debian Lenny fails with the message:

/etc/init.d/syslog-ng restart
Starting system logging: syslog-ng
Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
Error initializing source driver; source='s_all' failed!
Error initializing source driver; source='s_all'

You have to comment out a few lines in /etc/syslog-ng/syslog-ng.conf, since syslog-ng inside the vServer has no direct access to the kernel messages. Under "Sources":

file("/proc/kmsg" log_prefix("kernel: "));

and

# kern.* -/var/log/kern.log
log {
source(s_all);
filter(f_kern);
destination(df_kern);
};

syslog-ng should start just fine now.
