Re: Best methods for preventing SSH allowing FTP

From: Scott Gerhardt (scott_at_g-it.ca)
Date: 08/20/03

  • Next message: gstein_at_lyra.org: "received your email"
    Date: Wed, 20 Aug 2003 14:32:49 -0600
    To: Walter Hop <freebsd@walter.transip.nl>, Blake Swensen <blake@pyramus.com>
    
    

    What about using /sbin/nologin and
    /etc/login.access with the following entry (or similar):
    -:ALL EXCEPT wheel:console
    -:ALL EXCEPT wheel:ALL

    This will deny shell access to all but wheel. Of course, you can add other
    groups to make security more granular. The login.access provides a little
    more security if you forget to set a "nologin" shell for a user.

    Cheers,

     --
    Scott Gerhardt, P.Geo.
    Gerhardt Information Technologies [G-IT]

    On 8/20/03 12:09 PM, "Walter Hop" <freebsd@walter.transip.nl> wrote:

    > [in reply to blake@pyramus.com, 20-8-2003]
    >
    >> Anyone have suggestions for the best methods for locking an account so
    >> that a user or a group can only ftp/POP/IMAP and prevent all other
    >> access.
    >
    > We make use of two special shells to limit access and make it more clear
    > what an account is used for. These are just shell scripts:
    >
    > /usr/local/bin/ftponly
    > /usr/local/bin/mailonly
    >
    > They just contain something like this:
    >
    > #!/bin/sh
    > echo "No SSH login allowed."
    > exit 1
    >
    > For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
    > The FTP daemon by default checks if the shell is in /etc/shells so we have
    > added the ftponly shellscript to /etc/shells. When people would SSH in,
    > they'd get the "No SSH login allowed" message.
    >
    > For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
    > We have not added this shell to /etc/shells, so FTP and SSH login are
    > disallowed while our mailserver (uw-imap and pop3) does not care about
    > this. The 'mailonly' shell is never executed, it is just there to make
    > administration easier.
    >
    > cheers,
    > walter
    >
    > _______________________________________________
    > freebsd-isp@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

    -- 
    Scott Gerhardt, P.Geo.
    Gerhardt Information Technologies [G-IT]
    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
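
An added audit script (not code from either poster) that applies the two checks this thread relies on to a passwd-style account list: whether ftpd's /etc/shells lookup would accept the account, and whether the login shell actually runs a command (a real shell) or refuses like the ftponly script and nologin. The passwd extract, /etc/shells list and ftponly/mailonly scripts are all constructed in a temp directory so it runs offline; login.access rules are not modelled.

```shell
#!/bin/sh
# Added audit example, not code from the thread. It applies the two checks
# the thread relies on to a passwd-style list of accounts:
#   FTP:   ftpd only accepts a login whose shell is listed in /etc/shells.
#   shell: sshd runs the login shell; a refusing script (ftponly, nologin)
#          exits non-zero, a real shell accepts a command.
# Every file is constructed in a temp dir so the script runs offline.
set -u
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
# Constructed refusing shell, modelled on the thread's ftponly script.
cat > "$WORK/ftponly" <<'EOF'
#!/bin/sh
echo "No SSH login allowed."
exit 1
EOF
cp "$WORK/ftponly" "$WORK/mailonly"
chmod 755 "$WORK/ftponly" "$WORK/mailonly"
# Constructed /etc/shells: real shell plus ftponly; mailonly left out as in the thread.
printf '%s\n' /bin/sh "$WORK/ftponly" > "$WORK/shells"
# Constructed passwd extract (name:shell only).
printf '%s\n' alice:/bin/sh "ftp1:$WORK/ftponly" "mail1:$WORK/mailonly" \
    > "$WORK/passwd"

# ftp_allowed SHELL SHELLS_FILE: true when ftpd's /etc/shells check passes
ftp_allowed() {
    grep -qxF -- "$1" "$2"
}

# shell_login_allowed SHELL: true when the shell will run a command, i.e. an
# SSH session would get a usable shell; refusing scripts exit non-zero
shell_login_allowed() {
    [ -x "$1" ] && "$1" -c 'exit 0' >/dev/null 2>&1
}

# classify NAME SHELL SHELLS_FILE: prints "NAME ftp=yes|no shell=yes|no"
classify() {
    f=no; s=no
    ftp_allowed "$2" "$3" && f=yes
    shell_login_allowed "$2" && s=yes
    printf '%s ftp=%s shell=%s\n' "$1" "$f" "$s"
}

# audit PASSWD_FILE SHELLS_FILE: one classification line per account
audit() {
    while IFS=: read -r name shell; do
        classify "$name" "$shell" "$2"
    done < "$1"
}
audit "$WORK/passwd" "$WORK/shells"
```

Run against the real files with `audit /etc/passwd /etc/shells` (after stripping the extra passwd fields) to spot accounts whose "nologin" shell has accidentally been listed in /etc/shells.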
    
