Re: Best methods for preventing SSH allowing FTP
From: Aaron Daubman (daubman_at_ll.mit.edu)
Date: 08/20/03
- Previous message: Scott Blaydes: "Re: Best methods for preventing SSH allowing FTP"
- In reply to: Scott Blaydes: "Re: Best methods for preventing SSH allowing FTP"
- Next in thread: Andy Harrison: "Re: Best methods for preventing SSH allowing FTP"
Date: Wed, 20 Aug 2003 12:12:34 -0400
To: FreeBSD ISP List <freebsd-isp@freebsd.org>

Just be careful of certain FTP programs if you take this approach.
For ProFTPD, you would then need to set 'RequireValidShell off' in the
conf file.

The method I use is a combination of this and others. It might be
worthwhile to re-think this, as it can become a management nightmare for
large systems. It's worked fine for me so far, however.

Using group membership:

SSH:
    AllowGroups allowssh
    DenyGroups denyssh

ProFTPD (others might use /etc/ftpusers):
    <Limit LOGIN>
      DenyGroup denyftp
    </Limit>

Shell: /sbin/nologin

Mail: Everybody currently gets mail, but that could easily be changed by
moving to the sasl pw db instead of implementing PAM...

This gives the granularity of explicitly defining which groups of users
get access to what services...

..I'm sure I'm forgetting other settings, but that should give you a
good idea of the options available.

Most programs have built-in group as well as user permissions =)

Cheers,
~Aaron

Scott Blaydes wrote:
> Blake Swensen wrote:
>
>> Anyone have suggestions for the best methods for locking an account so
>> that a user or a group can only ftp/POP/IMAP and prevent all other
>> access.
>>
>> Blake
>
>
> Give them a shell of /bin/false. You will need to actually create a
> file called /bin/false, and add it to /etc/shells. That will allow
> ftp/pop/imap and not allow them to log in via telnet/ssh.
>
> Scott Blaydes
>
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
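
Added example, not part of the original message or of either project: a small Python audit that computes which accounts end up with SSH and FTP access under the group scheme described above. The accounts, group memberships and /etc/shells content are constructed, and group names are matched literally (sshd also accepts patterns).

```python
# Constructed sample data in passwd(5) / group(5) format.
PASSWD = """\
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/sbin/nologin
carol:*:1003:1003:Carol:/home/carol:/sbin/nologin
dave:*:1004:1004:Dave:/home/dave:/bin/sh
"""
GROUP = """\
alice:*:1001:
bob:*:1002:
carol:*:1003:
dave:*:1004:
allowssh:*:2001:alice,dave
denyssh:*:2002:dave
denyftp:*:2003:carol
"""
SHELLS = {"/bin/sh", "/bin/csh"}  # constructed /etc/shells content

def parse(passwd, group):
    """Return {user: {gid, shell, groups}} with primary and supplementary groups."""
    users = {}
    for line in passwd.splitlines():
        name, _, _, gid, _, _, shell = line.split(":")
        users[name] = {"gid": gid, "shell": shell, "groups": set()}
    for line in group.splitlines():
        gname, _, gid, members = line.split(":")
        for name, u in users.items():
            if u["gid"] == gid or name in members.split(","):
                u["groups"].add(gname)
    return users

def ssh_allowed(u, allow, deny):
    # sshd checks DenyGroups first; a non-empty AllowGroups excludes everyone else.
    if u["groups"] & deny:
        return False
    return not allow or bool(u["groups"] & allow)

def ftp_allowed(u, deny, require_valid_shell):
    # ProFTPD: <Limit LOGIN> DenyGroup, plus RequireValidShell against /etc/shells.
    if u["groups"] & deny:
        return False
    return not require_valid_shell or u["shell"] in SHELLS

def audit(require_valid_shell=False):
    """Map each user to (ssh_ok, ftp_ok) for the allowssh/denyssh/denyftp scheme."""
    users = parse(PASSWD, GROUP)
    return {n: (ssh_allowed(u, {"allowssh"}, {"denyssh"}),
                ftp_allowed(u, {"denyftp"}, require_valid_shell))
            for n, u in users.items()}

if __name__ == "__main__":
    for name, (ssh, ftp) in audit().items():
        print(f"{name:6} ssh={ssh!s:5} ftp={ftp}")
```

Calling audit(require_valid_shell=True) shows why 'RequireValidShell off' is needed: bob, whose shell is /sbin/nologin, loses FTP access as well.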