Subject: Re: Advice on setting up a shell server
To: Help NetBSD <netbsd-help@netbsd.org>
From: Brian McEwen <bmcewen@comcast.net>
List: netbsd-help
Date: 01/16/2007 20:52:27
On Jan 16, 2007, at 2:49 PM, Isaac Wagner-Muns wrote:

> I'm trying to set up a small shell account server for students at  
> my school, and it seems to be quite a vast undertaking, mostly  
> because of the security issues brought up by letting semi-anonymous  
> people access my machine. How do other shell servers (like  
> sdf.lonestar.org) implement an automatic user-adding system? Is  
> having publicly runnable shell scripts insecure? Any suggestions on  
> where I should start would be greatly appreciated

I'll agree with James and say go ahead and do it, but read up a little  
on Unix security and be aware of what you are getting into.  A good  
question is why you are setting this up and what do you want them to  
do with it.

One easy to read book with examples and most importantly methodology is
Real World Linux Security (2nd Edition) (Paperback)
by Bob Toxen

It is Linux-related and perhaps light from a hardcore perspective but  
you will get some BSD examples and a general overview of what you are  
trying to do, and a sense of where the big problems are.  I'm happy  
to hear of other books that are pertinent.  I've read a few and this  
one for me was fun to read the whole thing and had a good global  
approach as to WHY you were doing what you were doing.

For sure I would put whatever box you use behind a hardware firewall,  
just to keep it separated from the cacophony that is the naked internet.

I would also figure out some backup-restore solution that will let  
you restore the system from a known-good state so that if Bad Things  
Happen (tm) you can get it back and running without a huge investment  
of your time from a known good/clean install state.

If you have a little time and HD space you can run a lot in a virtual  
"sandbox" and thus if something happens, it's just the sandbox and  
the main system is unaffected.

You really can limit users a bit from the default NetBSD install; and  
the basic install isn't horrible.  For basic and good advice google  
for "harden NetBSD".  Much stuff for FreeBSD can be workable for  
NetBSD, with a little googling about specific details under NetBSD  
and how to implement it.

Brian