02-27-2011 #1 | Just Joined! | Join Date: Feb 2011 | Posts: 1
Security settings on OpenSuse system working as a Web Server
Hi,
Infrastructure:
I have my Apache web server running on OpenSuse 11.3. This server is used by my team to upload new applications we build for the clients. There are around 15 people who access the server on a daily basis. Right now everyone uses the same FTP ID and password.
Problem:
There have not been any issues to date, but unfortunately 10 days back my network was hit by malware. The malware stole the FTP password of my OpenSuse server and updated a number of files. I am still correcting the files.
The problem happened because everyone used the same ID, "webadministrator", which is a member of my "Apache Web Users" web user group. So if someone gets access to the password of this ID, he gets access to every file in the htdocs folder.
Requirement/Query:
What I want now is to limit the damage if any such password theft happens again. In order to achieve this, I wanted to create a new FTP ID and password for each new application we build and assign access to only the files corresponding to that application, but when I do this, my application is not accessible over the internet, as that new ID is not a member of the "Apache Web Users" group. The catch is, if I make the IDs members of the "Apache Web Users" group, then they automatically get execute access and several other accesses to other applications as well.
Can you please suggest how to overcome this problem?
I cannot afford getting into this trouble again.
Regards,
Nitin


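An added example, not part of the original post: one common permission layout for the per-application setup described above, in which each application tree is owned by its own FTP account and the web server's group gets read-only access, so the FTP accounts never need to join that group. The account and group names passed to `lock_app_tree` are placeholders, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: per-application ownership layout for an htdocs tree.
#   owner = that application's own FTP account        (read/write)
#   group = the group the web server runs in          (read-only)
#   other = everyone else, incl. other apps' FTP IDs  (no access)
# The FTP accounts are NOT members of the web server group.

# lock_app_tree APP_DIR [FTP_OWNER WEB_GROUP]
# Names are placeholders; changing ownership needs root, so it is
# skipped when they are omitted (e.g. an unprivileged dry run).
lock_app_tree() {
    app_dir=$1 ftp_owner=${2:-} web_group=${3:-}
    [ -d "$app_dir" ] || { echo "not a directory: $app_dir" >&2; return 1; }
    if [ -n "$ftp_owner" ] && [ -n "$web_group" ]; then
        chown -R "$ftp_owner:$web_group" "$app_dir" || return 1
    fi
    # 2750: setgid keeps new uploads in the web group; 0640: no exec bit.
    find "$app_dir" -type d -exec chmod 2750 {} + || return 1
    find "$app_dir" -type f -exec chmod 0640 {} +
}

# audit_app_tree APP_DIR: list anything group-writable, or readable,
# writable or executable by "other".
audit_app_tree() {
    find "$1" ! -type l \
        \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Constructed demo tree; prints the finding count before and after.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/app1/inc"
    echo '<?php ?>' > "$root/app1/index.php"
    echo 'secret'   > "$root/app1/inc/db.php"
    chmod 0777 "$root/app1" "$root/app1/inc"
    chmod 0666 "$root/app1/index.php" "$root/app1/inc/db.php"
    before=$(audit_app_tree "$root/app1" | wc -l)
    lock_app_tree "$root/app1"
    after=$(audit_app_tree "$root/app1" | wc -l)
    rm -rf "$root"
    echo "$((before)) $((after))"
}
```

For new uploads to stay readable by the web server, the FTP daemon's upload umask has to leave the group read bit set (for example 027).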