Securing CloudPanel on Ubuntu 24.04 Part 8
Part 8: User Access Management and Security Hardening
Let’s create a comprehensive user security management system that integrates with CloudPanel.
# Create user security management script
sudo nano /usr/local/bin/cloudpanel-user-security.sh
#!/bin/bash
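# Initialize paths and configuration.
#   CP_HOME - CloudPanel installation home
#   DB_PATH - CloudPanel SQLite database (queried by the get_* helpers,
#             written by the notification/event helpers)
#   LOG_DIR - where this script keeps its own security log files
readonly CP_HOME="/home/clp"
readonly DB_PATH="${CP_HOME}/htdocs/app/data/db.sq3"
LOG_DIR="${CP_HOME}/logs/security"
# The log records usernames, MFA state and access decisions, so the directory
# is not left world-readable (mkdir -p alone would use the default umask).
mkdir -p "$LOG_DIR" && chmod 750 "$LOG_DIR"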
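# Function to get user information from the CloudPanel database.
# Outputs one pipe-separated row per user:
#   id|user_name|role|email|mfa|status|sites   (sites: comma-joined domain names)
# Returns non-zero, and outputs nothing, when the database is not readable.
get_user_info() {
  # Refuse to run against a missing file: sqlite3 would otherwise silently
  # create an empty database at DB_PATH instead of reporting the problem.
  if [[ ! -r "$DB_PATH" ]]; then
    printf 'get_user_info: database not readable: %s\n' "$DB_PATH" >&2
    return 1
  fi
  # -readonly: this query never needs write access to the live panel DB.
  sqlite3 -readonly -batch "$DB_PATH" "
    SELECT u.id, u.user_name, u.role, u.email, u.mfa, u.status,
           GROUP_CONCAT(s.domain_name) AS sites
    FROM user u
    LEFT JOIN user_sites us ON u.id = us.user_id
    LEFT JOIN site s ON us.site_id = s.id
    GROUP BY u.id;"
}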
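# Function to get SSH user configurations from the CloudPanel database.
# Outputs one pipe-separated row per SSH user:
#   user_name|ssh_keys|domain_name|site_user
# NOTE(review): if ssh_keys stores several keys separated by newlines, a row
# spans multiple output lines and the line-based reader in configure_ssh_access
# will mis-parse it — confirm the column format.
# Returns non-zero, and outputs nothing, when the database is not readable.
get_ssh_users() {
  # Refuse to run against a missing file: sqlite3 would otherwise silently
  # create an empty database at DB_PATH instead of reporting the problem.
  if [[ ! -r "$DB_PATH" ]]; then
    printf 'get_ssh_users: database not readable: %s\n' "$DB_PATH" >&2
    return 1
  fi
  # -readonly: this query never needs write access to the live panel DB.
  sqlite3 -readonly -batch "$DB_PATH" "
    SELECT ss.user_name, ss.ssh_keys, s.domain_name, s.user
    FROM ssh_user ss
    JOIN site s ON ss.site_id = s.id;"
}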
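# Function to enforce user security policies for every CloudPanel user.
# For each row from get_user_info: logs and notifies when MFA is off, applies
# role-based access (configure_user_access) and monitoring
# (setup_user_monitoring).
# Returns: 0 if every user was processed, 1 if any step failed for a user.
enforce_user_security() {
  local user_id username role email mfa status sites
  local failures=0
  echo "Enforcing user security policies..."
  while IFS='|' read -r user_id username role email mfa status sites; do
    [[ -n "$username" ]] || continue
    echo "Processing security for user: $username"
    # Check and enforce MFA status. Anything other than an explicit 1
    # (including an empty/NULL column) is treated as "not enabled".
    if [[ "${mfa:-0}" != "1" ]]; then
      log_security_event "$username" "MFA not enabled" "warning" "$role"
      enforce_mfa_requirement "$user_id" "$username"
    fi
    # Configure user access restrictions
    configure_user_access "$username" "$role" "$sites" || failures=$((failures + 1))
    # Set up user activity monitoring
    setup_user_monitoring "$username" "$role" || failures=$((failures + 1))
  done < <(get_user_info)
  (( failures == 0 ))
}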
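# Function to enforce the MFA requirement: records a CloudPanel notification
# asking for MFA to be enabled for the given user.
# Arguments: $1 - user id (accepted for the caller's convenience; not used in
#                 the notification), $2 - user name
# Returns: the exit status of the sqlite3 insert.
enforce_mfa_requirement() {
  local user_id="$1"
  local username="$2"
  local q="'"
  echo "Enforcing MFA for user: $username"
  # The username is interpolated into an SQL string literal, so any embedded
  # single quote is doubled; otherwise a crafted user_name could alter the
  # statement.
  local safe_username="${username//$q/$q$q}"
  # Log MFA requirement
  sqlite3 -batch "$DB_PATH" "
    INSERT INTO notification (created_at, updated_at, severity, subject, message, is_read)
    VALUES (datetime('now'), datetime('now'), 'warning', 'MFA Required',
            'MFA enablement required for user: ${safe_username}', 0);"
}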
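# Function to configure SSH (SFTP-only, chrooted) access for every SSH user
# defined in CloudPanel. Writes ~/.ssh/authorized_keys and a per-user sshd
# drop-in, validates the resulting sshd configuration, then restarts sshd.
# Returns: 1 if the configuration is invalid (sshd is then NOT restarted) or if
#          any user entry had to be skipped; 0 otherwise.
configure_ssh_access() {
  local ssh_user ssh_keys domain site_user user_home ssh_dir conf
  local failures=0
  local name_re='^[a-z_][a-z0-9_-]{0,31}$'
  echo "Configuring SSH access..."
  while IFS='|' read -r ssh_user ssh_keys domain site_user; do
    # Both names end up in filesystem paths and in sshd_config; accept only
    # plain Unix account names so a DB value cannot escape those paths.
    if [[ ! "$ssh_user" =~ $name_re || ! "$site_user" =~ $name_re ]]; then
      printf 'configure_ssh_access: skipping entry with unsafe user name (%q / %q)\n' \
        "$ssh_user" "$site_user" >&2
      failures=$((failures + 1))
      continue
    fi
    user_home="/home/$site_user"
    ssh_dir="$user_home/.ssh"
    if [[ ! -d "$user_home" ]]; then
      printf 'configure_ssh_access: home directory missing for %s, skipping\n' "$site_user" >&2
      failures=$((failures + 1))
      continue
    fi
    echo "Setting up SSH access for $ssh_user on $domain"
    # Create SSH directory with proper permissions
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    # Configure authorized keys. The file is overwritten: the panel DB is the
    # source of truth, and printf avoids echo's option/backslash handling.
    # NOTE(review): assumes ssh_keys is already one key per line — confirm the
    # column format; a different separator would need splitting here.
    printf '%s\n' "$ssh_keys" > "$ssh_dir/authorized_keys"
    chmod 600 "$ssh_dir/authorized_keys"
    chown -R "$site_user:$site_user" "$ssh_dir"
    # Configure SSH restrictions. Written with '>' so re-running the script
    # replaces the drop-in instead of appending another Match block each time.
    # NOTE(review): sshd requires a ChrootDirectory to be root-owned and not
    # group/world-writable; confirm $user_home meets that or logins will fail.
    conf="/etc/ssh/sshd_config.d/$ssh_user.conf"
    cat > "$conf" <<EOF
Match User $ssh_user
    ChrootDirectory $user_home
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication no
EOF
    chmod 644 "$conf"
  done < <(get_ssh_users)
  # Validate before restarting: a broken drop-in would otherwise stop sshd
  # from starting and lock out every new remote session.
  if ! sshd -t; then
    printf 'configure_ssh_access: sshd configuration invalid, not restarting sshd\n' >&2
    return 1
  fi
  # Restart SSH service
  systemctl restart sshd
  (( failures == 0 ))
}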
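# Function to configure user access controls by role.
# Arguments: $1 - user name, $2 - role (admin|user),
#            $3 - comma-joined site list (used for the "user" role)
# Returns: 1 for an unsafe user name or unknown role, otherwise the status of
#          the role-specific setup function.
configure_user_access() {
  local username="$1"
  local role="$2"
  local sites="$3"
  local name_re='^[a-z_][a-z0-9_-]{0,31}$'
  # The name reaches sudoers.d paths and setfacl; reject anything that is not
  # a plain Unix account name.
  if [[ ! "$username" =~ $name_re ]]; then
    printf 'configure_user_access: unsafe user name %q, skipping\n' "$username" >&2
    return 1
  fi
  echo "Configuring access controls for $username"
  # Set up role-based access restrictions
  case "$role" in
    admin) setup_admin_access "$username" ;;
    user)  setup_user_access "$username" "$sites" ;;
    *)
      printf 'Unknown role %q for user %s\n' "$role" "$username" >&2
      return 1
      ;;
  esac
}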
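# Function to set up admin access: grants the user a passwordless sudo rule
# limited to the /usr/local/bin/cloudpanel-* helpers, via a validated
# sudoers.d file.
# Arguments: $1 - user name
# Returns: 0 on success, 1 for an unsafe name or an invalid sudoers entry.
setup_admin_access() {
  local username="$1"
  local name_re='^[a-z_][a-z0-9_-]{0,31}$'
  local tmp target
  if [[ ! "$username" =~ $name_re ]]; then
    printf 'setup_admin_access: unsafe user name %q, skipping\n' "$username" >&2
    return 1
  fi
  # NOTE(review): "admin" is a CloudPanel panel role; confirm a Linux account
  # of the same name exists, otherwise this sudoers entry applies to nobody.
  target="/etc/sudoers.d/$username"
  tmp=$(mktemp) || return 1
  # Configure sudo access for admin users. Listing the command without
  # arguments means sudo allows any arguments to the matched helpers.
  printf '%s ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/cloudpanel-*\n' "$username" > "$tmp"
  # A syntactically broken sudoers.d file can disable sudo for everyone, so
  # validate it before installing.
  if ! visudo -cf "$tmp" >/dev/null; then
    printf 'setup_admin_access: generated sudoers entry for %s is invalid\n' "$username" >&2
    rm -f -- "$tmp"
    return 1
  fi
  install -m 440 -o root -g root "$tmp" "$target"
  rm -f -- "$tmp"
}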
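# Function to set up regular user access: grants read/execute ACLs on each of
# the user's site directories.
# Arguments: $1 - user name, $2 - comma-joined site (domain) list; empty is
#            allowed and does nothing
# Returns: 1 for an unsafe user name or if any site could not be processed,
#          0 otherwise.
setup_user_access() {
  local username="$1"
  local sites="$2"
  local name_re='^[a-z_][a-z0-9_-]{0,31}$'
  local site_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
  local site_root="${CP_HOME:-/home/clp}/htdocs"
  local -a site_list=()
  local site site_path
  local failures=0
  if [[ ! "$username" =~ $name_re ]]; then
    printf 'setup_user_access: unsafe user name %q, skipping\n' "$username" >&2
    return 1
  fi
  [[ -n "$sites" ]] || return 0
  # sites comes from GROUP_CONCAT in get_user_info; split on commas without
  # letting the shell glob the pieces.
  IFS=',' read -r -a site_list <<< "$sites"
  # NOTE(review): sites are looked up under ${site_root}; confirm this is
  # where CloudPanel keeps the site document roots on this install.
  for site in "${site_list[@]}"; do
    [[ -n "$site" ]] || continue
    # A domain name must not be able to walk out of site_root.
    if [[ ! "$site" =~ $site_re ]]; then
      printf 'setup_user_access: unsafe site name %q, skipping\n' "$site" >&2
      failures=$((failures + 1))
      continue
    fi
    site_path="${site_root}/${site}"
    if [[ ! -d "$site_path" ]]; then
      printf 'setup_user_access: %s does not exist, skipping\n' "$site_path" >&2
      failures=$((failures + 1))
      continue
    fi
    # Set up ACLs for site access: rx on existing entries, plus a default ACL
    # so files created later inherit the same access.
    setfacl -R -m "u:$username:rx" "$site_path" || failures=$((failures + 1))
    setfacl -R -m "d:u:$username:rx" "$site_path" || failures=$((failures + 1))
  done
  (( failures == 0 ))
}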
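# Function to set up user activity monitoring: installs a persistent audit
# watch on the user's home directory.
# Arguments: $1 - user name, $2 - role (recorded in the rule file comment only)
# Returns: 1 for an unsafe name or missing home directory, otherwise the exit
#          status of auditctl.
setup_user_monitoring() {
  local username="$1"
  local role="$2"
  local name_re='^[a-z_][a-z0-9_-]{0,31}$'
  local home rules
  # The name becomes part of an audit rule and a file under rules.d.
  if [[ ! "$username" =~ $name_re ]]; then
    printf 'setup_user_monitoring: unsafe user name %q, skipping\n' "$username" >&2
    return 1
  fi
  home="/home/$username"
  # NOTE(review): panel users do not necessarily have a Linux home directory;
  # confirm which directory should be watched for each role.
  if [[ ! -d "$home" ]]; then
    printf 'setup_user_monitoring: %s does not exist, skipping\n' "$home" >&2
    return 1
  fi
  # Configure audit logging for user actions. The rule is persisted under
  # rules.d so it survives a reboot, then loaded into the running auditd.
  # A per-user auditd instance is deliberately not started: the kernel accepts
  # a single audit daemon, so a second one cannot run beside the system auditd.
  rules="/etc/audit/rules.d/user-${username}.rules"
  printf '# audit watch for %s (role: %s)\n-w %s -p warx -k user_files\n' \
    "$username" "$role" "$home" > "$rules"
  chmod 640 "$rules"
  auditctl -w "$home" -p warx -k user_files
}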
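# Function to log security events to this script's log file and to the
# CloudPanel event table.
# Arguments: $1 - user name, $2 - message, $3 - level (e.g. warning),
#            $4 - user role (optional; falls back to $role from the calling
#                 scope, empty if neither is set)
# Returns: the exit status of the sqlite3 insert.
log_security_event() {
  local username="$1"
  local message="$2"
  local level="$3"
  local user_role="${4:-${role:-}}"
  local q="'"
  printf '[%s] [%s] %s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$level" "$username" "$message" \
    >> "${LOG_DIR}/security-events.log"
  # Add to CloudPanel event log. The values are interpolated into SQL string
  # literals, so embedded single quotes are doubled to keep them inside the
  # literal rather than terminating it.
  sqlite3 -batch "$DB_PATH" "
    INSERT INTO event (created_at, user_name, user_role, event_name, event_data)
    VALUES (datetime('now'), '${username//$q/$q$q}', '${user_role//$q/$q$q}',
            'security_event', '${message//$q/$q$q}');"
}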
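# Main execution: entry point. Must run as root (it writes under /etc and into
# user home directories) and needs the sqlite3 CLI.
# Returns: 0 if every step succeeded, 1 otherwise (exits 1 on a failed
#          precondition).
main() {
  local backup_date backup_dir
  local rc=0
  if (( EUID != 0 )); then
    printf 'cloudpanel-user-security: must be run as root\n' >&2
    exit 1
  fi
  if ! command -v sqlite3 >/dev/null; then
    printf 'cloudpanel-user-security: sqlite3 is required but not installed\n' >&2
    exit 1
  fi
  echo "Starting user security management..."
  # Create backup of current configurations: the two directories this run
  # rewrites (sudoers.d entries and sshd drop-ins). The copies include sudoers
  # files, so the backup directory is owner-only.
  backup_date=$(date +%Y%m%d_%H%M%S)
  backup_dir="${CP_HOME}/backups/user_security_${backup_date}"
  mkdir -p "$backup_dir" && chmod 700 "$backup_dir"
  cp -a /etc/sudoers.d "$backup_dir/" || rc=1
  cp -a /etc/ssh/sshd_config.d "$backup_dir/" || rc=1
  # Enforce security policies
  enforce_user_security || rc=1
  # Configure SSH access
  configure_ssh_access || rc=1
  if (( rc == 0 )); then
    echo "User security management completed successfully"
  else
    printf 'User security management completed with errors, see output above\n' >&2
  fi
  return "$rc"
}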
# Entry point: all top-level work happens inside main().
main "$@"
This script provides:
- Comprehensive user security management based on CloudPanel’s database structure
- MFA enforcement and monitoring
- Role-based access control implementation
- SSH key management and restrictions
- User activity monitoring and logging
- Integration with CloudPanel’s event and notification systems