Server external access security

1

I’m setting up my own home Raspberry Pi server/NAS and I’m looking to be able to access it from outside the home network. This has, however, prompted me to rethink the whole setup.

I have an external HDD connected to the Raspberry Pi, that holds all relevant data that I want to manage/share.

I have the vsftpd creating an FTP server for the home LAN, btsync syncing a specific server folder, the transmission daemon managing downloads, and I’d like to be able to access the FTP data with SFTP.

I have two major concerns:

  1. User management. Is it advisable to have each service/daemon run by a single user with restricted permissions within each context, or a normal user (obviously not root) running all the services?

  2. Write permissions. How would one disable writing when accessing over SFTP via the Internet? And how can I limit FTP access to just a single folder/user home folder?

joaocandre

Posted 2015-03-04T19:54:43.250

Reputation: 535

Do you want SFTP or FTPS? vsftpd is an FTP/FTPS server, not an SFTP server. – Kenster – 2015-03-04T20:42:28.480

SFTP, I have sshd running and use it to access the server when I'm not at home. The FTP server would just be for use within the LAN. – joaocandre – 2015-03-04T20:50:46.457

Answers

1

Short Answer

  1. Each service should have its own user.

  2. (not sure if I understand) Change permissions on the files/directories you don't want the user to have the ability to write to. You're looking for a chroot jail.

Long Answer

  1. You should be running each service from its own respective user. For example, most packages installed in Arch Linux do this automatically, creating their own user upon install. If someone gets access to the one user running all the services, they would have access to all these services. If you SSH into your server and you ever need to modify one of the services as that user you can just

  2. A chroot jail locks a user into a directory and its subdirectories when they SSH/SFTP into the server. More information on how to do this can be located here: http://allanfeid.com/content/creating-chroot-jail-ssh-access and https://wiki.archlinux.org/index.php/SFTP_chroot.

Hope that helps.


Edit 1

I would suggest using something like deluge. It has a webui you can use to set it up. You could then create a downloads directory with only read permissions and a torrent directory with write permissions. Deluge will automatically add any .torrent files in the torrent directory to be downloaded once set up to do so. BAM, any user can add torrents to automatically be downloaded and all users can access those downloads.

A nifty side note (never tried it so I don't know if it actually works) is that you can also create users with read-only permissions in the deluge webui so they can watch their torrent being downloaded. http://dev.deluge-torrent.org/wiki/UserGuide/Authentication

Fallen

Posted 2015-03-04T19:54:43.250

Reputation: 79

Very helpful. My main confusion came from having, for example, a Downloads folder that needs to be co-owned by multiple users if I want to access it from outside, while simultaneously being able to download torrents into it. – joaocandre – 2015-03-05T00:18:46.073
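
Added example, not part of the answer above or of the pages it links: sshd only accepts a chroot jail if every component of the `ChrootDirectory` path is a root-owned directory that is not group- or other-writable, and it can also enforce read-only SFTP itself. The shell functions below check that rule and print a matching `Match` stanza; the user name `remote`, the path `/srv/sftp/remote` and the `OWNER_UID`/`STOP` parameters are assumptions made for this example, and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes Linux with GNU stat.

# chroot_path_problems DIR [OWNER_UID] [STOP]
# sshd requires every component of a ChrootDirectory path to be a root-owned
# directory that is not writable by group or others. Print each component of
# DIR that breaks the rule; return 0 only if none does.
# OWNER_UID (default 0) and STOP (default /) exist so the check can be tried
# on a scratch tree without root; leave them unset on a real server.
chroot_path_problems() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "$1: not a directory"; return 1; }
    owner_uid=${2:-0}
    stop=$(cd "${3:-/}" && pwd -P)
    bad=0
    while :; do
        uid=$(stat -c %u "$dir")
        perms=$(stat -c %A "$dir")      # e.g. drwxr-xr-x
        if [ "$uid" != "$owner_uid" ]; then
            echo "$dir: owned by uid $uid, expected $owner_uid"; bad=1
        fi
        case $perms in
            ?????w*|????????w*) echo "$dir: group/other writable ($perms)"; bad=1 ;;
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname "$dir")
    done
    return "$bad"
}

# sftp_readonly_match USER DIR
# Emit an sshd_config stanza that confines USER to DIR over SFTP only, with
# the SFTP server in read-only mode (-R) and no shell or forwarding.
sftp_readonly_match() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp -R
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Stand-alone use: ./check.sh /srv/sftp/remote remote   (placeholder values)
if [ "$#" -gt 0 ]; then
    chroot_path_problems "$1" && sftp_readonly_match "${2:-remote}" "$1"
fi
```

Append the printed stanza to `/etc/ssh/sshd_config`, validate it with `sshd -t`, and then reload sshd; the account used for normal shell access should be a different one from the confined SFTP user.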