LAN Architecture - Looking for Input

Question

I currently have a web server and a file server on my lan; both have static IP's on the LAN, and the router forwards inbound port 80 traffic to the web server, so the file server is only accessible internally.

I'm toying with the idea of writing a small PHP app that will let me interact with the file server via the web server. So, I wouldn't change anything at the router level - anyone scanning my public IP would still only find port 80 on the webserver.

My questions are pretty high level and don't necessarily have a "right answer". I can see a few ways of doing this, and then looking to open it up for input / ideas.

One is to exec ssh from the webserver to the fileserver, and just run shell commands via exec(ssh) that return directory listings, scp files that I upload, etc. This way is no better than giving someone root on my fileserver if they compromise my php front end, so I'm not too keen on that idea, but am considering it.

Another way would be to just duplicate the contents of the fileserver to the webserver drive, and sync them up periodically, but that's impractical and defeats the purpose of having a central file server, so I've pretty much already dismissed that idea.

That's about all I have so far. Anyone have thoughts or opinions?

Answer 1

You can setup a SFTP chroot jail. What this means is that an authorised account can SFTP in but never have access to a shell. You can also keep an eye on acces via lastlog as well as sshd logs.

Do configure your sshd for key-pair logins as well for the most security. The advantage is you can provide multiple access to a 'common' SFTP account - if the need arises. Just add all the public keys to the target accounts .ssh/authorized_keys2.

This should help: http://ubuntuforums.org/showthread.php?t=858475