Deactivate SSH login for users

Hi,

I’m using Virtualmin on a server with ~15 virtual servers and I have been hacked because somebody managed to get the password of a user and logged in over SSH with this password.

I don’t need to have SSH enabled for all virtual servers’ users. I just need FTP for users, but no need to allow them to connect through SSH.

Is it possible to disable SSH access per user? I have not found a way, and I don’t want to do something through Webmin or Usermin which may annoy Virtualmin.

Thanks

Yes, the easy way would be to change the default login shell from /bin/sh to /bin/false or so. See also the “custom shells” menu …

But this is not “really secure”, since the ssh port is still available and users are authorized to access it (so they could still do tunneling etc).

The better way would be to restrict which users are allowed via AllowUsers or AllowGroups and deny tunneling via AllowTcpForwarding, X11Forwarding, PermitTunnel and so on.

Disclaimer: I am not a security expert!
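The difference between the two approaches in the reply above, as an added example that is not code from any poster in this thread: a small audit that classifies each account as able to log in, able only to tunnel, or blocked, given a passwd file, a group file and an sshd_config. The account names, the `sshusers` group and both sample configurations are constructed, and the sshd_config handling is a simplification (plain names only, no patterns, `Match` blocks or `DenyUsers`/`DenyGroups`).

```python
# Constructed sample data; simplified sshd semantics: plain names only,
# no patterns, Match blocks or DenyUsers/DenyGroups (assumptions of this example).
NOLOGIN = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no", "permittunnel": "no"}
PASSWD = ("admin:x:1000:1000::/home/admin:/bin/bash\n"
          "example1:x:1001:1001::/home/example1:/bin/bash\n"
          "example2:x:1002:1002::/home/example2:/bin/false\n")
GROUP = "admin:x:1000:\nexample1:x:1001:\nexample2:x:1002:\nsshusers:x:1100:admin\n"
WEAK = "X11Forwarding yes\n"  # no Allow* lines, TCP forwarding left at its default
HARDENED = "AllowGroups sshusers\nAllowTcpForwarding no\nX11Forwarding no\nPermitTunnel no\n"

def parse_sshd(text):
    """Return (allow_users, allow_groups, forwarding) from sshd_config text."""
    users, groups, fwd = set(), set(), {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "allowusers":
            users.update(args)
        elif key == "allowgroups":
            groups.update(args)
        elif key in DEFAULTS and args:
            fwd.setdefault(key, args[0].lower())  # sshd uses the first value it sees
    return users, groups, {**DEFAULTS, **fwd}

def audit(passwd, group, sshd):
    """Map each account to 'login', 'tunnel-only' or 'blocked'."""
    allow_users, allow_groups, fwd = parse_sshd(sshd)
    gid_name, members = {}, {}
    for line in group.strip().splitlines():
        name, _, gid, mem = line.split(":")
        gid_name[gid] = name
        members[name] = set(filter(None, mem.split(",")))
    result = {}
    for line in passwd.strip().splitlines():
        f = line.split(":")
        user, gid, shell = f[0], f[3], f[6]
        groups = {g for g, m in members.items() if user in m} | {gid_name.get(gid)}
        permitted = (not allow_users or user in allow_users) and \
                    (not allow_groups or bool(groups & allow_groups))
        if not permitted:
            result[user] = "blocked"       # sshd refuses before any shell is started
        elif shell not in NOLOGIN:
            result[user] = "login"
        else:                              # can authenticate, cannot get a shell
            result[user] = "tunnel-only" if fwd["allowtcpforwarding"] != "no" else "blocked"
    return result
```

With the constructed `WEAK` configuration, `example2` (shell `/bin/false`) is still reported as `tunnel-only`; with `HARDENED`, only `admin` remains able to log in.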

Like helpmin said, by default Virtualmin assigns a login shell to Virtual Server owner user accounts that allows them to log in via SSH. Changing the default shell, and changing the shell of the relevant existing users, will prevent them from logging in.

Can you elaborate in what way you were “hacked”? Even if they managed to log in as one of your customers, they should not have been able to do malicious stuff only to the user in question, and not to other customers or even the system itself, if your file system permissions are set correctly.

One day I found C99 Madshell installed on one of my Virtual Servers.
It did not compromise the full server nor the other virtual servers, but spam was sent and I had to stop Postfix during the cleaning of this VS.

The strange thing is that I found lines in /bash_history which made me think they had logged in through SSH.
But I think it was just through PHP because they are not in the “last” command output.

I have managed to clean everything and it’s OK now … but I was just wondering if it could be more secure to avoid giving SSH access to users when they don’t need it.