west one said:
I have a group of accounts, Group A, who i do not what to allow internet access (e.g. access to internet - e.g. as per request of client, or cheaper plans.)
I have the rest of our accounts, Group B, which I want treated normally. (normal plans).
Group A would use IP Address A, Default Gateway A, Firewall Script A, and Nameservers A.
Group B, would use IP address B, Default Gateway B, and NameServers B.
How would i set this up on 1 VPS?
It's important that I meet my clients needs, as it is them who are requesting that particular accounts (used for their own reasons) not have outbound access to the internet.
Is this possible? and what alternatives are there to doing it?
Your post does not make any logical sense whatsoever!
(Don't worry ... I still think I am following what you are asking enough to be able to help.
If you had "no outbound access
" or "access to the internet
" then your hosting accounts would not work at all. At first glance, I thought you might be setting up some kind of split configuration for both simultaneous local lan
and remote internet
use for different accounts but that is apparently not the case I see after looking at your post a bit closer ...
west one said:
We don't want users uploading foreign scripts that make outbound connections to other servers, flooding, hacking, and DoS attacks.
The accounts that will have no outbound access (but still have inbound access) will be student and charity hosting accounts for example
As best as I can understand, you simply want to restrict certain accounts from being able to make external network connections from uploaded scripts and are also concerned about general security? Is that correct? If so, I am sorry to say that no level of security would guarantee this with certainty but there are things you can do to get very close to what you ask particularly in terms of protecting your server and restricting most scripts from making network connections and preventing your server from being used as an attack vehicle or being attacked itself.
The biggest thing you will probably want to do is setup your PHP to use custom PHP configurations for all accounts and have those configurations pull settings for 2 (or how ever many variations you want
) configuration groups. In one, you could leave accounts more open and in the other you could disable socket and network connection functions and block "allow_url_fopen
" and "allow_url_include
". For those accounts, you will also likely want to disable Perl access and limit .htaccess commands. You will want to block SSH and cron access and, you should also restrict GET, lynx, and wget use at the system level to root and cpanel use only.
Back on the subject of restricting scripts from making network connections ...
It is surprisingly simple to implement this and though it may sound complicated from what I said above, is actually much easier than it sounds and contrary to your post, it is not necessary to play around with various gateways, packet filters, etc (although there are a few tweaks you could do there too). I actually have a number of clients where I have helped them with similar configurations and at my company we also use something like this as well because one of our projects incorporates a free hosting service that uses the same servers as another commercial hosting project we operate. The commercial service accounts are more open will those setup under the free host are heavily restricted in much of the manner I just described above as well as let's just say "a few optional extras" *GRIN* :D
The underlying theme I am really getting from your post seems to be really a concern for your server's security. If that be the case, you did right coming here as I was widely recognized as one of the very top experts on the subject until I got hit with cancer a few years ago and was off the scene for a while and now back in full force and rapidly rebuilding my former reputation. However, having access to me is not the only reason I say you came to the right place because I am not the only person here at the top of my field where it comes to computer network and server security. Some of the other guys here such as Chirpy
, and many others (who I apologize if I didn't name by name) whom I have known long enough directly or indirectly to vouch for their knowledge and skills. If you do a few forum searches for any of our past posts (myself or any of the people I named above
), you will find some very good information on how to secure your server and a lot of really good tips and I do recommend you take a close look at those as it will really help a lot with what you are asking. In addition, you may want to look into setting up among other things, these items ...
PHP : Running under SuPHP w/ SuHosin (Locked custom PHP.INI configs)
PERL / Python : Disabled for general users
Restrict abuseable system commands and network functions
Reconfigure PortSentry to actually work better
Mount /TMP partitions and folders as non-setuid and non-executable.
Install APF / CSF Firewall (Chirpy's CSF Firewall is more recommended)
Mod_Security w/ better ruleset such as from GotRoot.Com
Mod_Evasive for Apache (Helps a lot with web based DoS attacks)
A decent RootKit detector / scanner for abusive scripts, etc
For now though, if you need a hand setting up anything you asked about or anything mentioned above, contact me by private message and I'll be glad to give you some scripts and some more detailed instructions and tips that might help. I would post that here but it might be a little bit long to retype in a public thread although if there is enough interest, I might go ahead and start a new thread covering the discussion of some of the things you asked about.