RE: Best methods for preventing SSH allowing FTP

From: Troy Settle (troy_at_psknet.com)
Date: 08/20/03

    To: "'Blake Swensen'" <blake@pyramus.com>
    Date: Wed, 20 Aug 2003 14:18:21 -0400
    
    

    Once upon a time, I used /usr/bin/passwd as the shell (users could
    telnet/ftp in to change their passwords). I then started using
    /usr/bin/false. I now use /sbin/nologin.

    On my primary mail and ftp machines, I no longer use the system passwd
    facility to manage user accounts; it's all in a MySQL database, which my
    billing software manages directly using ODBC.

    --
      Troy Settle
      Pulaski Networks
      http://www.psknet.com
      540.994.4254 ~ 866.477.5638
      Pulaski Chamber 2002 Small Business Of The Year
      
    > -----Original Message-----
    > From: owner-freebsd-isp@freebsd.org 
    > [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Walter Hop
    > Sent: Wednesday, August 20, 2003 2:09 PM
    > To: Blake Swensen
    > Cc: FreeBSD ISP List
    > Subject: Re: Best methods for preventing SSH allowing FTP
    > 
    > [in reply to blake@pyramus.com, 20-8-2003]
    > 
    > > Anyone have suggestions for the best methods for locking an account so
    > > that a user or a group can only ftp/POP/IMAP and prevent all other
    > > access.
    > 
    > We make use of two special shells to limit access and make it more clear
    > what an account is used for. These are just shell scripts:
    > 
    > /usr/local/bin/ftponly
    > /usr/local/bin/mailonly
    > 
    > They just contain something like this:
    > 
    >     #!/bin/sh
    >     echo "No SSH login allowed."
    >     exit 1
    > 
    > For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
    > The FTP daemon by default checks if the shell is in /etc/shells so we have
    > added the ftponly shellscript to /etc/shells. When people would SSH in,
    > they'd get the "No SSH login allowed" message.
    > 
    > For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
    > We have not added this shell to /etc/shells, so FTP and SSH login are
    > disallowed while our mailserver (uw-imap and pop3) does not care about
    > this. The 'mailonly' shell is never executed, it is just there to make
    > administration easier.
    > 
    > cheers,
    > walter
    > 
    > _______________________________________________
    > freebsd-isp@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
    > 
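    An audit script for the scheme the two posts above describe, added here as an example and not code from either poster. It classifies every account by the two gatekeepers the thread relies on: ftpd only accepts a shell listed in /etc/shells, while sshd runs whatever shell is set, so only a shell that exits immediately (ftponly, nologin, false) keeps SSH out. The shell paths and the sample passwd/shells data are assumptions and constructed input.

```sh
#!/bin/sh
# Added example, not code from the thread. Classifies accounts by what the
# two gatekeepers described above let through: ftpd accepts a login only if
# the shell is listed in /etc/shells, while sshd runs whatever shell is set,
# so only a shell that exits at once (ftponly, nologin, false) refuses SSH.
# Shell paths are assumptions taken from the thread.

NO_LOGIN='/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false
/usr/local/bin/ftponly /usr/local/bin/mailonly'

# classify SHELL SHELLS_FILE -> full | ftp-only | mail-only | ssh-only
classify() {
    interactive=yes
    for s in $NO_LOGIN; do
        if [ "$s" = "$1" ]; then interactive=no; fi
    done
    if grep -Fqx -- "$1" "$2"; then listed=yes; else listed=no; fi
    case "$interactive/$listed" in
        yes/yes) echo full ;;      # shell login and FTP both work
        no/yes)  echo ftp-only ;;  # ftponly listed in /etc/shells
        no/no)   echo mail-only ;; # only services that ignore the shell (POP/IMAP)
        yes/no)  echo ssh-only ;;  # real shell missing from /etc/shells: review it
    esac
}

# audit PASSWD_FILE SHELLS_FILE -> one "user class" line per account
audit() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify "$shell" "$2")"
    done < "$1"
}

# make_sample DIR: constructed /etc/shells and passwd for a stand-alone run
make_sample() {
    printf '%s\n' /bin/sh /bin/csh /usr/local/bin/ftponly > "$1/shells"
    cat > "$1/passwd" <<'EOF'
root:*:0:0:Charlie:/root:/bin/csh
www1:*:1001:1001:Web customer:/home/www1:/usr/local/bin/ftponly
mail1:*:1002:1002:Mail customer:/home/mail1:/usr/local/bin/mailonly
old1:*:1003:1003:Legacy:/home/old1:/bin/ksh
EOF
}

d=$(mktemp -d) && make_sample "$d" && audit "$d/passwd" "$d/shells" && rm -r "$d"
```

    The "ssh-only" class is the one worth checking on a real box: a genuine shell that was never added to /etc/shells blocks FTP but still gives an interactive login, which is the opposite of what the thread wants for customer accounts.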
