Linux restricted administration

One of the challenges when adding a user in a Linux environment is precisely defining what they can and cannot do. Some may find configuring authorisation in Linux a bit complicated. In my case I needed to add a user with the privilege to execute some commands with sudo, but without full root access.

The first thing is to create the user we want to customise:
adduser jack

then create a key pair, install the public key for him, and later hand him the private key (id_rsa):

ssh-keygen -t rsa -f id_rsa    # writes id_rsa (private, for jack) and id_rsa.pub
mkdir /home/jack/.ssh
chmod 700 /home/jack/.ssh
cp id_rsa.pub /home/jack/.ssh/authorized_keys
chmod 600 /home/jack/.ssh/authorized_keys
chown -R jack:jack /home/jack/.ssh

Then edit the sudoers configuration, using a drop-in file:

visudo -f /etc/sudoers.d/developers-configs
User_Alias DEVELOPERS = jack,john

Cmnd_Alias SEELOGS = /usr/bin/tail /var/log/nginx/*.error, /usr/bin/tail /var/log/nginx/*.access, /bin/grep * /var/log/nginx/*.error, /bin/grep * /var/log/nginx/*.access

Cmnd_Alias EDITCONFIGS = /bin/vi /etc/nginx/site.d/*.conf, /usr/bin/nano /etc/nginx/site.d/*.conf, /bin/cat /etc/nginx/site.d/*.conf

Cmnd_Alias RESTARTNGINX = /sbin/service nginx status, /sbin/service php-fpm status, /sbin/service nginx restart, /sbin/service nginx configtest, /sbin/service php-fpm restart

DEVELOPERS ALL = NOPASSWD: SEELOGS,EDITCONFIGS,RESTARTNGINX

We just created DEVELOPERS as an alias for the users, and SEELOGS, EDITCONFIGS and RESTARTNGINX as aliases for the commands they can execute; then we granted those three command aliases to DEVELOPERS. If you want users to be prompted for a password, remove the “NOPASSWD:” part.
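As an added check that is not part of the original post, here is a small Python audit that parses the Cmnd_Alias lines above and flags two things a reviewer looks for in such a drop-in: an interactive editor run as root (sudoers has its own `sudoedit` form for that), and a `*` wildcard in arguments, which the sudoers manual notes is matched against the whole space-separated argument string and so spans word boundaries. The sample fragment is a constructed copy of the rules above.

```python
import re

# Constructed sample: the fragment from the post above, shortened. Not read from any host.
SAMPLE = """\
User_Alias DEVELOPERS = jack,john
Cmnd_Alias SEELOGS = /usr/bin/tail /var/log/nginx/*.error, /bin/grep * /var/log/nginx/*.error
Cmnd_Alias EDITCONFIGS = /bin/vi /etc/nginx/site.d/*.conf, /bin/cat /etc/nginx/site.d/*.conf
Cmnd_Alias RESTARTNGINX = /sbin/service nginx status, /sbin/service nginx restart
DEVELOPERS ALL = NOPASSWD: SEELOGS,EDITCONFIGS,RESTARTNGINX
"""

# Programs that open an interactive session as root; for editing a file, sudoedit is the safer form.
EDITORS = {"vi", "vim", "nano", "emacs"}


def parse_cmnd_aliases(text):
    """Return {alias: [command, ...]} for every Cmnd_Alias line in a sudoers fragment."""
    aliases = {}
    for line in text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
    return aliases


def audit_command(cmd):
    """Return a list of (finding, suggestion) pairs for one sudoers command entry."""
    prog, _, args = cmd.partition(" ")
    findings = []
    if prog.rsplit("/", 1)[-1] in EDITORS:
        findings.append(("interactive editor runs as root", "sudoedit " + args))
    if "*" in args:
        # sudoers matches arguments as one space-separated string, so '*' also spans words.
        findings.append(("wildcard in arguments matches across words",
                         "enumerate the exact files instead of a wildcard"))
    return findings


def audit(text):
    """Map each Cmnd_Alias to its (command, finding) issues; clean aliases are omitted."""
    report = {}
    for alias, cmds in parse_cmnd_aliases(text).items():
        issues = [(cmd, f) for cmd in cmds for f in audit_command(cmd)]
        if issues:
            report[alias] = issues
    return report


if __name__ == "__main__":
    for alias, issues in audit(SAMPLE).items():
        for cmd, (finding, suggestion) in issues:
            print(f"{alias}: {cmd!r}: {finding} -> {suggestion}")
```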

Please note that, depending on your OS, you may also need to allow the user in “/etc/ssh/sshd_config”, for example with “AllowUsers jack”.


Installing and Configuring OpenVPN Access Server on an Amazon EC2 instance

Alright, in this post we are going to set up an OpenVPN Access Server.

*Just note that OpenVPN Access Server comes with a free licence for only 2 concurrent users; if you have more than 2 users connected at the same time you need to buy a licence (99$ per user per year, if I am not wrong).

Download the rpm and install it:

sudo yum install -y http://swupdate.openvpn.org/as/openvpn-as-2.0.12-CentOS6.x86_64.rpm

Once it is installed it may launch the auto-configuration script; cancel it, because in my experience installing OpenVPN with the default configuration on Amazon EC2 ends up with some errors. To avoid that we need to change some settings in the auto-config script:

vi /usr/local/openvpn_as/bin/_ovpn-init

and change the two lines below to the following (you need to add --distro redhat to both, because this script cannot detect the distro on its own):

/usr/local/openvpn_as/scripts/openvpnas_gen_init --distro redhat
/usr/local/openvpn_as/scripts/openvpnas_gen_init --auto --distro redhat

and finally run the ovpn initialiser script:

sudo /usr/local/openvpn_as/bin/ovpn-init --ec2 --verbose

and just keep following the wizard-like prompts (I know it's not Windows!!). By default this script adds the openvpn user with the password you define in the wizard!
You can later simply log in to the Access Server at https://ovpn.yourdomain.com/admin/ for administration.


Once you are in the admin panel, go to “Server Network Settings” and “User Permissions” to change the default configuration or add/edit users.