Setting up a user with restricted SFTP access
If you are running a Debian Linux webserver you may want to create users that can upload and download files from specific directories via SFTP. This post will explain how to set this up. First you need to create a user. If you want to create a user with the name 'webdev' then login as root and use the following commands at the prompt.
useradd webdev
Now you want to set the password for the new user 'webdev'
passwd webdev
Now we can create a home directory with the following commands.
mkdir /home/webdev chown webdev:users /home/webdev
Now we only want this user to be able to login to the server via SFTP. We can do this by changing the users shell to sftp-server.
usermod -s /usr/lib/sftp-server webdev
Next we need to make the sftp-server a valid shell by adding the line "/usr/lib/stfp-server" at the end of the file shells in the etc directory.
By default, a new user will be assigned to a new group with the same name as the new user. So in our case the user 'webdev' will belong to the group 'webdev'. In order to make our new user the owner of any other directory including sub-directories (such as the website document root) we can execute the following command.
chown -R webdev:webdev /var/www
So now the new user webdev will be able to login va SFTP and have owner permissions to their home directory as well the webserver document root directory.
References: The following page has more useful information about managing groups and users in Linux.
Further Restrictions
In the example above we made the directory that holds the website belong to the group "webdev". If you have other users on the system that you do not want to have access to the website data then it could be wise to assign the www directory to the group "www-data" and remove read access for other system users to the directory www.
This is in order to limit access from users except the web server that runs under the user www-data.
For example:
usermod -a -G www-data webdev usermod -g www-data webdev chown -R :www-data /var/www chmod -R o-r /var/www
By doing the above, we have added the user webdev to the group www-data (the same user that Apache normally runs as). Then we make www-data the default group for the user webdev, whereafter we make the www directory belong to the www-data group and set the permissions such that the files in that directory are group-readable but not world-readable.
How to enable mod_rewrite in Apache 2 on Debian Linux
Simple! Just run the command
a2enmod rewrite
Restart Apache 2 by running the command
/etc/init.d/apache2 restart
Done!
...if you are still having problems getting mod_rewrite to work, check that the config file for the site (located in the directory /etc/apache/sites-available/) does not have "AllowOverride None". If it does then change it to AllowOverride All instead in order to allow mod_rewrite commands to be set in the .htaccess file.
Setting up a Linux VPS
Rimuhosting offer good VPS packages and have datacenters in various locations around the globe. The main reasons for staying with Rimuhosting have been ease of setting up the service, server reliability and the level of support they provide. The support saff at Rimuhosting are allways very helpful and go the extra mile to help you out.
Here I am going to show how to set up a Linux VPS from Rimuhosting for web and email hosting. The VPS will be running Debian Linux 5.0 32-bit with Apache, MySQL, PHP. The server configuration is 512MB RAM, 4GB Disk space, 100GB data transfer limit per month, with a Webmin control panel. On a London based server this costs £27 per month (or £324 per annum).
After ordering your VPS package you will receive an order confirmation and later a VPS Setup email specifying the IP address of the server. In this example it took 2 minutes between the order confirmation email and the VPS Setup email.
Apache comes pre-configured and running on these servers so all you need to do now is to put the new server's IP address from the VPS Setup email in the address bar of your browser and you'll get a web page saying "It works!".
Now we need to configure the server to work the way we want it to...
The first time you log in to Webmin at https://<your IP address>:10000/ you will get a Security Failed message if you are using Firefox (presumably the same or similar will happen in other browsers too). This is normal and happens only because the browser can't validate the security certificate with a certificate authority. Just add exception for this certificate by clicking the relevant buttons in the browser window.
Setting up the Apache 2 Webserver using Webmin
In Webmin (we are using Webmin 1.490) you can install the relevant servers under the "Servers" option in the main menu on the left. Since Apache is active by default we don't need to do anything under "Apache Webserver".
Setting up the MySQL Database Server using Webmin
Click on the "MySQL Database Server" option and click the button that says "Start MySQL Server". We now want to set up our database that will be used by our website. On the following page and under "MySQL Databases", click on "Create a new database".
Specify a new database with the default character set and with the name "webdata" or whichever other name you prefer. Click on the "Create" button.
Now that we have created the database we need to specify users that will have access rights to the database. Clicking on "User Permissions" will reveal that there is already a database user called "root" set up and this user will have the same password as your VPS root password.
We are going to set up two users - one that has administrator rights and that can connect to the database from any host (We'll use this user later to connect from the MySQL Administrator tool), and another user with limited rights that will be used by our webiste.
Click on "Create new user" and specify the username "adminuser", set a strong password, set host to "any", details select all permissions by holding down shift while selecting permissions from the list. The click the "Create" button.
Next do the same for the "webuser", except only specify the following permissions: select, insert, update, delete, drop, alter, create tables, create temp tables and lock tables. Under host, specify "localhost" instead of "any" for the webuser.
We now need to configure the MySQL server to accept connections from any host so that we can use the "MySQL Administrator" tool (that runs on your local computer) to connect to the database. Go to the "MySQL Server Configuration" page and select "Any" under "MySQL server listening address" instead of the default 127.0.0.1. Click on Save.
Now restart the MySQL database server by clicking the "Stop MySQL Server" button in Webmin and then click on "Start MySQL Server".
With, for example, the tool MySQL Administrator, you should now be able to remotely login to your MySQL database server as the user "adminuser".
Finally, check that the server is configured to start the MySQL server at boot. In Webmin, go to the "Bootup and Shutdown" section under the System menu. Check that the MySQL deamon is configured to start at boot, and if it isn't change the setting accordingly.
Remote Server Admin and File Upload
We use SSH instead of telnet and SCP instead of FTP as SSH and SCP are more secure. With SSH and SCP passwords and data are encrypted before being sent over the Internet, whereas telnet and FTP don't encrypt.
SSH provides a method for securely logging into your VPS in order to administrate your server. Nothing is required to set up SSH on your VPS as SSH is configured to run by default. In order to login via SSH you need a client and for this we reccommend PuTTY. It is a free tool that can be downloaded from the Internet.
If your development computer is a Windows PC, then we suggest using the tool WinSCP for uploading files to your server. SCP is also pre-configured on your server so nothing is required to set it up there.
Other Webserver Settings
You also might want to consider how to enable mod_rewrite.
The Cambridge Bicycle Doctor
For a business, a web-site is an essential tool. Your decision in whom to provide this for you is very important. Who can taylor match your individual requirements, problem-solve to make things happen and provide the follow up support to develop and maintain? These were my thoughts when making my own important choice.
Mr Arvind Shah of Esscotti has provided me with everthing I could ask. The service he provides is exemplary, on all levels. All varieties of web applications have been achived and the follow-up support always there when needed. I have asked for many web solutions, that I did not know could be achived, and they have been supplied. Arvind is excellent at converting your visions into a reality.
I give my full endorsement to Esscotti, don't hesitate to call for your own web-site, you won't be disappointed.
Mr Frank Cooke. www.thecambridgebicycledoctor.com & www.bikehireonline.com
The Dorfred Charitable Trust
"Having had a bad experience with someone else in trying to set up a website for our small charitable trust, I was recommended to Arvind Shah. This turned out to be a very different experience, as he soon showed himself to be not only efficient but sympathetic to our particular needs. I enjoyed working with him to ensure that the resulting website presented the information clearly, was attractive in appearance with well-positioned photographs, and user-friendly in terms of ease of accessibility to facts and contact details. Furthermore it was very reasonably priced! Arvind also provides "after-sales service" by making himself available for sorting out any problems.
I have no hesitation in recommending him to anyone looking to set up a workable and attractive website."
Philip Gardam
Founding Trustee
Bailey Mews Management Company
"The Bailey Mews Management Ltd website has been a great success since launch and has exceeded our expectations. The website incorporates everything we need to run our successful company and it has received very positive feedback from our shareholders, fellow professionals in the property sector, our tenants and the wider public. Through the website we publish all our property related documents, Management meeting minutes, quarterly newsletters, our Bailey Mews Social Contracts, our environmental policy, invitations to our Annual General Meeting and to all our social events.
The website is now our communities' preferred communication tool. Thank you for the professional service that has helped us to bring our Directors, UK and International owners and tenants, closer together, and in doing so making the management of our properties easier"
Mr Andrew Hughes, Chairman of the Board,
Bailey Mews Management Company
Woodside Rural Care
"I needed a web site and once having made up my mind, of course I needed it quickly. I have been involved in many businesses which have had need to commission web sites but rarely with such a successful outcome. As Director of a £60m VC company, NED and director of numerous start-ups and young companies, a co-worker with one of the UK’s Dragons and a business advisor to many enterprises – I know that we need quality service providers like this who apply their expertise and skills in an honest way such that one can trust that the end product is the best for ones business not just the gravy train for theirs!
In the course of our discussions Esscotti identified the best thing for me - that is what is needed for slick businesses which don’t want to waste money. I didn’t have an IT team to lean on this time and I needed help with making my web site look good and I needed it to be easy to use - that’s just what Esscotti gave me! The service offered has been superb, the communications comprehensive yet crystal clear and the result - completely geared to my needs.
- now that is a truly mutually beneficial business relationship such that I would not hesitate to recommend Esscotti to anyone else who wants something top class and geared to help them succeed rather than drain their resources.
Arvind, how lucky I was to be introduced to you! A great service and an optimal product!"
Dr Joy Duffen MAVetMB PhD DIBT IMC MRCVS
www.woodsideruralcare.org.uk
Alan Cooper Packaging
"Since using the services of Esscotti we have generated more interest in our site and have been very pleased with the continuous level of aftercare we receive ."
Alan Cooper
Alan Cooper Packaging
Cambridge Neuroscience
"Esscotti was employed to develop an events section within the Cambridge Neuroscience website. Cambridge Neuroscience is a research strategy initiative at the University of Cambridge which brings together over 600 neuroscientists working in over 60 different buildings across the city. The website therefore provides an important role in the dissemination of information across our diverse community whilst also providing a collective on-line presence.
Esscotti developed an open access, easy to administer, on-line tool for managing our Cambridge Neuroscience events. This events module can be modified in line with the requirements for each particular event. Arvind listened to our events website requirements, suggested ways to improve it were appropriate, and subsequently designed and developed a tool that has automated and streamlined the otherwise administratively laborious task of managing an event.
As a result of the success of Arvind's work on the Cambridge Neuroscience website we have also worked with him on a similar project for the British Neuroscience Association, again with success.
I highly recommend Arvind's work and hope to use Esscotti for future website developments."
Dr. Hannah Critchlow
Cambridge Neuroscience Coordinator