RE: Best methods for preventing SSH allowing FTP

From: Troy Settle (troy_at_psknet.com)
Date: 08/20/03

  • Next message: Scott Gerhardt: "Re: Best methods for preventing SSH allowing FTP"
    To: "'Blake Swensen'" <blake@pyramus.com>
    Date: Wed, 20 Aug 2003 14:18:21 -0400
    
    

    Once upon a time, I used /usr/bin/passwd as the shell (users could
    telnet/ftp in to change their passwords). I then started using
    /usr/bin/false. I now use /sbin/nologin.

    On my primary mail and ftp machines, I no longer use the system passwd
    facility to manage user accounts; it's all in a MySQL database, which my
    billing software manages directly using ODBC.

    --
      Troy Settle
      Pulaski Networks
      http://www.psknet.com
      540.994.4254 ~ 866.477.5638
      Pulaski Chamber 2002 Small Business Of The Year
      
    > -----Original Message-----
    > From: owner-freebsd-isp@freebsd.org 
    > [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Walter Hop
    > Sent: Wednesday, August 20, 2003 2:09 PM
    > To: Blake Swensen
    > Cc: FreeBSD ISP List
    > Subject: Re: Best methods for preventing SSH allowing FTP
    > 
    > [in reply to blake@pyramus.com, 20-8-2003]
    > 
    > > Anyone have suggestions for the best methods for locking an account so
    > > that a user or a group can only ftp/POP/IMAP and prevent all other
    > > access.
    > 
    > We make use of two special shells to limit access and make it more clear
    > what an account is used for. These are just shell scripts:
    > 
    > /usr/local/bin/ftponly
    > /usr/local/bin/mailonly
    > 
    > They just contain something like this:
    > 
    >     #!/bin/sh
    >     echo "No SSH login allowed."
    >     exit 1
    > 
    > For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
    > The FTP daemon by default checks if the shell is in /etc/shells, so we have
    > added the ftponly shell script to /etc/shells. When people would SSH in,
    > they'd get the "No SSH login allowed" message.
    > 
    > For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
    > We have not added this shell to /etc/shells, so FTP and SSH login are
    > disallowed while our mailserver (uw-imap and pop3) does not care about
    > this. The 'mailonly' shell is never executed, it is just there to make
    > administration easier.
    > 
    > cheers,
    > walter
    > 
    > _______________________________________________
    > freebsd-isp@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
    > 

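Added example (editorial, not part of the thread and not Walter's or Troy's code): the scheme in Walter's quoted message, a deny shell that is listed in /etc/shells for FTP-only accounts and left unlisted for mail-only accounts, rebuilt under a temporary directory so it can be run end to end without touching the real system. The shells file, the three demo accounts and the helper names (make_deny_shell, login_shell, ftp_login_permitted, ssh_session_survives, account_access) are constructed for the demo; ftpd's /etc/shells test is modelled as the exact-path match that getusershell(3) performs.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the deny-shell scheme in a
# temporary directory:
#   - ftponly/mailonly are shells that print a message and exit 1
#   - ftpd refuses a login unless the user's shell appears in /etc/shells
#   - sshd runs whatever shell is set, so a deny shell ends the session at once
# Every path, user and file below is constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

SHELLS_FILE="$WORK/shells"     # stand-in for /etc/shells
PASSWD_FILE="$WORK/passwd"     # stand-in for /etc/passwd (three demo users)
FTPONLY="$WORK/ftponly"        # stand-in for /usr/local/bin/ftponly
MAILONLY="$WORK/mailonly"      # stand-in for /usr/local/bin/mailonly

# make_deny_shell PATH MESSAGE: write the three-line deny shell from the post.
make_deny_shell() {
    printf '#!/bin/sh\necho "%s"\nexit 1\n' "$2" > "$1"
    chmod 755 "$1"
}
make_deny_shell "$FTPONLY"  "No SSH login allowed."
make_deny_shell "$MAILONLY" "No SSH login allowed."

# As in the post: ftponly is listed in the shells file, mailonly is not.
printf '# constructed /etc/shells\n/bin/sh\n/bin/csh\n%s\n' "$FTPONLY" > "$SHELLS_FILE"

# Constructed accounts: a normal user, an FTP-only user, a mail-only user.
printf 'alice:*:1001:1001::/home/alice:/bin/sh\n'          >  "$PASSWD_FILE"
printf 'bob:*:1002:1002::/home/bob:%s\n'     "$FTPONLY"    >> "$PASSWD_FILE"
printf 'carol:*:1003:1003::/home/carol:%s\n' "$MAILONLY"   >> "$PASSWD_FILE"

# login_shell USER: the seventh field of the passwd entry.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$PASSWD_FILE"
}

# ftp_login_permitted SHELL: succeed iff SHELL is listed in the shells file.
# Mirrors ftpd's getusershell(3) check: exact path match, comment lines ignored.
ftp_login_permitted() {
    grep -v '^#' "$SHELLS_FILE" | grep -qxF -- "$1"
}

# ssh_session_survives SHELL: sshd does not consult /etc/shells; it simply
# execs the login shell. A deny shell ignores its arguments, prints its
# message and exits 1, so the interactive session is over immediately.
ssh_session_survives() {
    "$1" -c true >/dev/null 2>&1
}

# account_access USER: one-line summary such as "bob ssh=no ftp=yes".
account_access() {
    sh=$(login_shell "$1")
    ssh=no; ftp=no
    ssh_session_survives "$sh" && ssh=yes
    ftp_login_permitted "$sh"  && ftp=yes
    echo "$1 ssh=$ssh ftp=$ftp"
}

for u in alice bob carol; do account_access "$u"; done
```

Running it prints alice ssh=yes ftp=yes, bob ssh=no ftp=yes and carol ssh=no ftp=no, which is exactly the split the thread describes. One caveat the thread does not mention: because sshd never looks at /etc/shells and only runs the login shell when the client asks for a session, a client that requests no session at all (for example ssh -N with a port forward) still authenticates and never hits the deny shell. A deny shell therefore stops interactive logins, not TCP forwarding; restrict that separately in sshd_config (AllowTcpForwarding in a Match block, or AllowUsers/AllowGroups) for accounts that should have no SSH access of any kind.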