# Setting Up A Shell Server

## Joe_Astor

Hi there.

I am thinking about setting up a shell server and having it hosted at my ISP's Datacentre.

I have a list of IPs and vhosts set up and configured, what I would like to know is how I can set up the server so that certain IP addresses can only be used on the internet by certain users.

For example,

xxx.xxx.xxx.1 - admin.domain.tld

xxx.xxx.xxx.2 - joe.domain.tld

xxx.xxx.xxx.3 - jase.domain.tld

How could I set up the server so only user joe can use admin.domain.tld, or joe.domain.tld, and only user jase can use jase.domain.tld, and so on and so forth?

Also I'd like the server set up so it can only be logged into via ssh on one set IP address.

I know it can be done, a friend of mine has had his server set up like this in the past, but I can't get in contact with him to ask how he set things up.

Any help would be greatly appreciated.

----------

## badchien

I don't understand what you are saying. This is only a 'shell' server? or are you wanting to do webhosting for something?

 *Quote:*   

> How could I set up the server so only user joe can use admin.domain.tld, or joe.domain.tld, and only user jase can use jase.domain.tld, and so on and so forth? 

 Use the hostname for what/in what way? If this is a shell server, this makes no sense.

 *Quote:*   

> Also I'd like the server set up so it can only be logged into via ssh on one set IP address. 

 Are you saying you want sshd listening on only one IP (assuming the server has muliple IP's), or you only want to allow ssh connections from one set IP?

----------

## Joe_Astor

I am planning to set up a shell server for friends to use vhosts on IRC.

But some of the IP addresses will be assigned with private domains, which are owned by the users.

They have set up with their domain hosting companies or what have you, for their domain names to point to certain IP addresses on my box, and my box will handle reverse DNS lookups for those IPs.

Which is why I would like to know if I can make some IPs 'private' to selective users.

So in a range of IP addresses, only one user can use IP #1, if anyone else tried to use that IP address, connection to the outside world would be blocked by the server.

Do you understand better what I would like now? (Hope so! lol)

----------

## someone19

 *Joe_Astor wrote:*   

> I am planning to set up a shell server for friends to use vhosts on IRC.
> 
> But some of the IP addresses will be assigned with private domains, which are owned by the users.
> 
> They have set up with their domain hosting companies or what have you, for their domain names to point to certain IP addresses on my box, and my box will handle reverse DNS lookups for those IPs.
> ...

 

Ok...   first off in your /etc/ssh/sshd_config file put ListenAddress IP and now ssh will only work on that one IP.

Now, for sake of argument, if joe only knows of joe.domain.tld, and its associated IP address, and jase only knows about jase.domain.tld, what does it matter if joe can log in if he miraculously finds that jase.domain.tdl and thinks to try to log in using that IP, and finds himself in his familiar old shell as if he logged in from his IP...?  what are the chances / ramifications of using another IP, it won't get joe into jase's home folders if he goes in from the 'wrong' IP.

A less informed individual would call this a security risk, but no more than if everybody had their own folders under one domain...  which is exactly what is happening now.  If _I_ were setting this server up, I would not tell the other users about each other's existance on this server, and wouldn't think twice about multi-logins.

my 2c

----------

## Joe_Astor

 *someone19 wrote:*   

>  *Joe_Astor wrote:*   I am planning to set up a shell server for friends to use vhosts on IRC.
> 
> But some of the IP addresses will be assigned with private domains, which are owned by the users.
> 
> They have set up with their domain hosting companies or what have you, for their domain names to point to certain IP addresses on my box, and my box will handle reverse DNS lookups for those IPs.
> ...

 

Ok, lets say for the sake of argument, I wanted to set a shell server up for business purposes.  I'd want the users to have a list of IPs/Vhosts that are available to them.

Some users might like to have their own personal domains used as a vhost for IRC, therefore those users should only be able to use that IP/vhost themselves. How can I set up a listing system that will list IP addresses that that one user has access to, without having to make a seperate list for each individual user.

And usually when a shell server uses IP addresses, it normally uses blocks of 20-50 IPs, for example 203.96.16.10 -> 203.96.16.60.  How can I stop users from setting bnc/psybnc or whatever their bouncer is to use vhosts they shouldn't have access to (like someone else's personal domain)

----------

## someone19

 *Joe_Astor wrote:*   

> Ok, lets say for the sake of argument, I wanted to set a shell server up for business purposes.  I'd want the users to have a list of IPs/Vhosts that are available to them.
> 
> Some users might like to have their own personal domains used as a vhost for IRC, therefore those users should only be able to use that IP/vhost themselves. How can I set up a listing system that will list IP addresses that that one user has access to, without having to make a seperate list for each individual user.
> 
> And usually when a shell server uses IP addresses, it normally uses blocks of 20-50 IPs, for example 203.96.16.10 -> 203.96.16.60.  How can I stop users from setting bnc/psybnc or whatever their bouncer is to use vhosts they shouldn't have access to (like someone else's personal domain)

 

How would I, user Joe, even know that jase exists on the same box...?  I wouldn't even think that joe could use my IP to log on.  AND Joe would not even know that they could log on using my IP.  

A Dirty way might be to have a script run in .bashrc that post login checks the ip the shell is being bound to, and if not the correct IP then it automatically drops the connection...   However savy users would find this behaviour suspicious and look at their shell scripts in 'their' shell and find / edit the script.

I might understand wrong - Are you trying to make it so that only one individual person on the net can connect to any service running on that 'private' IP...?  ie. joe and only joe can shell / www / ftp / etc on IPJOE...?  and the content joe wants public to the world will be on IPJOE2...?  If so that is a very ambitious privacy scheme...   The only way I could think of doing that would be everyone connects through ssh - shell, ftp, web, etc...  on the private IP's that is...  then you have a much tighter control over who connects on what IP, in what services, and if they don't have the right key pair then they don't even get to the passcode prompt.

As far as the users setting vhosts to other vhosts, again I defer to the human quality of ignorance...  how do I know that www.yahoo.com is actually a vhost of www.google.com and now I can make my dns entries point google.yahoo.com to google's IP.  what is preventing me from doing this when I have my own domain now...?  I can point to any Ip on the net, I only get the page I'm being directed to, and the www (or other server) should be smart enough if configured correctly, to 404 - page not found if not being requested with the URL www.google.com

----------

## jhmartin

You can't limit a user to a given outgoing  IP address short of implementing VMWare or Xen to emulate seperate machines.

----------

## Joe_Astor

Ok.  I'll try explaining this again using some real examples.

When I log into the shell of the provider I use at the moment, I can bring up a list of IP/Vhosts that are available to that entire server for use.

Like so;

IP Address    Virtual Host

===========================================================

67.159.12.2   shells.arf.net.nz

67.159.12.3   i.used.to.be.slow.now.im.ircspeed.net

67.159.12.4   everyone.avoided.us

67.159.12.5   smart.people.avoided.us

67.159.12.6   im.always.on-irc.org

67.159.12.7   the.police.avoided.us

67.159.12.8   shells.arfnet.org

67.159.12.9   akilled.from.arfnet.org

67.159.12.10  i.fly.arfnet.org

67.159.12.11  you.use.the.force.and.i.will.use.ircspeed.net

67.159.12.12  hundreds.bonked.us

67.159.12.13  dr.seuss.wrote.foxinsox.net

67.159.12.14  i.hate.foxinsox.net

67.159.12.15  completely.bonked.us

67.159.12.16  soxinfox.and.foxinsox.net

67.159.12.17  molly.never.bonked.us

67.159.12.18  good.looks.avoided.us

67.159.12.19  -unassigned-

67.159.12.20  smart.people.bonked.us

67.159.12.21  help.im.trapped.on-irc.org

67.159.12.22  barely.avoided.us

67.159.12.23  alyssa.milano.bonked.us

67.159.12.24  -unassigned-

67.159.12.25  jase.org.nz (private)

67.159.12.26  professor.snape.bonked.us (private)

67.159.12.27  avoided.us (private)

67.159.12.28  arfnet.org (private)

67.159.12.29  bonked.us (private)

67.159.12.30  foxinsox.net (private)

===========================================================

Now, obviously the (private) IP addresses are meant to only be used by particular users, the people those domains belong to, or who have asked that they have that vhost exclusively for themselves.

But on this server, there is nothing to stop people using my vhost jase.org.nz, or nothing to stop me using professor.snape.bonked.us, and so on and so forth.

I KNOW there is a way that the server, or firewall, can be set up so that only *I* could use my domain's vhost and the public vhosts, while stopping me from using another user's private vhosts, and so on and so forth.

I have seen a similar setup on a friend's shell server I have used in the past, but I can't get in contact with that friend these days, so I am hoping that someone here may know what I am after and be able to tell me what I need to read up on to learn how to set this sorta thing up myself in the future.

I know some major shell providing companies have this sort of thing on all their servers, but they usually dont like to share that sort of info heh.

----------

## jcornez

It sounds like you want to run multiple instances of sshd.  Set the ListenAddress parameter for the specific address where each sshd should listen and also set the AllowUsers to only allow those users that you want to access the server via that address.  Would this work for you?

----------

## jhmartin

That wouldn't help, as as user has access to all interfaces on a machine once logged in. There's no correlation between the interface used to log in with interfaces used to make outgoing connections.

----------

## jcornez

I guess I am not understanding exactly what you want.  Do you want so that once a user is logged in and they do

```
/sbin/ifconfig
```

or similar, that they can only see some of the interfaces, but not all?

What difference does it make?  I don't mean this rhetorically: what action that the user could perform (such as wget or netcat) needs to not able to use one outgoing link, but not another?  The routing table determines what link your packets will use.  So what are you really trying to accomplish?  Saying you want to restrict certain users to certain IPs is more of a how than a what.

----------

## jhmartin

The use case here is IRC. The IRC server does a reverse lookup on your originating IP and shows you as user@host, and many people like to create vanity names, such as user@i.ownz.joo.com, even though such names are obviously invalid. Reverse-DNS is based on your IP address of course.  

So, the poster wants to have several interfaces on his host such that he can host several of these vanity names, but doesn't want user A who paid for name AA to be able to originate connections to the IRC server from the ip address corresponding to name BB, paid for by user B.

----------

## BinaryAlchemy

If it's outgoing connections you want to control, look at the --uid-owner option for iptables. It will allow you to match based on the owner of the process initiating the connection.

----------

