
I am using the below command to create a simple HTTP server so that end users can download files on the Unix server directly using the URL. But this is kinda risky and I need to implement a user restriction process so that security is not compromised.

python -u -m http.server 8000 &> log_file & echo $! > pid_file

My plan is to capture the userids/usernames in the logs and then use some logic to ban those users from accessing the webserver session. But I am stuck at capturing the userids/names. Is there a way to implement this? Or does anybody have any other ways to achieve the end goal?

cat log_file
10.166.00.000 - - [16/Feb/2023 03:54:14] "Get / HTTPS/1.1" 200 -
10.166.22.000 - - [16/Feb/2023 03:54:14] "Get /Folder HTTPS/1.1" 200 -

Expected output ~ something like this maybe, or as long as it captures the username

10.166.00.000 - username1 - [16/Feb/2023 03:54:14] "Get / HTTPS/1.1" 200 -
10.166.22.000 - username2 - [16/Feb/2023 03:54:14] "Get /Folder HTTPS/1.1" 200 -

  • Many ways to do that, it all depends on whether you have anything existing for user management. One way could be to set up an Apache httpd server. Each user has its own download directory so you can set up basic auth on these directories. Or you code an application which runs in Apache (e.g. in PHP) to verify user - password before access is given. Or give access to specific directories/files via `scp`. Or set up an sftp server. Or ... – Nic3500 Feb 17 '23 at 19:52
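One way to get the user name into the log of Python's own `http.server`, given here as an added example that is not part of the question, the comment or the answer: the handler requires HTTP Basic authentication, refuses banned users, and writes the authenticated name into the log field the stock logger leaves as `-` (common log format: host, `-`, user). The accounts in `USERS`, the `BANNED` set, the `public` directory and the loopback bind address are constructed assumptions.

```python
import base64, hmac, sys
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample accounts and ban list (assumptions, not from the question).
USERS = {"username1": "correct horse", "username2": "battery staple"}
BANNED = {"username2"}

def authenticate(header, users=USERS):
    """Return the user name for a valid 'Basic' Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, _, password = raw.partition(":")
    expected = users.get(user, "")
    ok = hmac.compare_digest(password.encode(), expected.encode())  # constant time
    return user if ok and user in users else None

class AuthHandler(SimpleHTTPRequestHandler):
    user = "-"  # what the log shows for unauthenticated requests

    def allowed(self):
        self.user = authenticate(self.headers.get("Authorization")) or "-"
        if self.user == "-":
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="downloads"')
            self.end_headers()
        elif self.user in BANNED:
            self.send_error(403, "User is banned")
        return self.user != "-" and self.user not in BANNED

    def do_GET(self):
        if self.allowed():
            super().do_GET()
    def do_HEAD(self):
        if self.allowed():
            super().do_HEAD()

    def log_message(self, format, *args):
        # Escape control characters so a crafted request cannot forge log lines.
        msg = (format % args).encode("unicode_escape").decode("ascii")
        sys.stderr.write(f"{self.address_string()} - {self.user} [{self.log_date_time_string()}] {msg}\n")

if __name__ == "__main__":
    handler = partial(AuthHandler, directory="public")  # serve ./public only
    ThreadingHTTPServer(("127.0.0.1", 8000), handler).serve_forever()
```

Basic authentication only base64-encodes the password, so this belongs behind TLS (for example a reverse proxy terminating HTTPS), and the plain-text `USERS` table stands in for a real credential store.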

1 Answer


You could consider looking at

/etc/security/access.conf

to define privileges for remote access.

Example (buttoned-up host):

### Permit root login from local    
+:root:LOCAL localhost myHostName
#
###     Permit designated users to access from local
+:myUserName:LOCAL localhost myHostName
#
###     Permit all local services/users to access from local
#+:ALL:LOCAL localhost myHostName
+:ALL:LOCAL ALL
#
### Deny access to all from any remote
-:ALL:ALL

Example (allow remote access):

+:user20:ALL ALL
+:user30:ALL ALL
+:(group_name):ALL ALL

Also, you should look at:

/etc/ssh/ssh_config

Sample setup:

#####################################

###     Group 1 - Restrictive
    PermitRootLogin no                          ## OasisAdmin
    ForwardAgent no                             ## OasisAdmin
    ForwardX11 no                               ## OasisAdmin
    ForwardX11Trusted no                        ## OasisAdmin
    DenyUsers root                              ## OasisAdmin
    DenyGroups root                             ## OasisAdmin

###     Group 2 - Permissive
    AllowUsers nonexistent                      ## OasisAdmin
    AllowGroups nonexistent                     ## OasisAdmin

###     Deploy any modifications using:  systemctl restart sshd
Eric Marceau