SUMMARY: Restricting telnet access

From: Ian Wojtowicz <i_at_woj.com>
Date: Mon, 23 Mar 1998 00:54:35 +0100

Thanks to everyone (Michael A. Crowley, Martin Mokrejs, Christophe Colle,
Richard Eisenma, Hans Kowallik, Thomas Strandenaes, Dave Tetreault, Stan
Horwitz) who answered my embarrassingly amateurish query regarding
user-by-user login restriction.

The general consensus seemed to be:
1. Give the users a non-existent shell (eg: /bin/false) and add that fake
shell to the /etc/shells file to permit FTP logins.
2. Use TCP Wrappers for general network security (I believe this package has
excellent logging and domain restriction features for network services run
through inetd).

Thanks again,
ian



------------------------------------------
From: "Michael A. Crowley" <mcrowley_at_mtholyoke.edu>

Install the login program in the logdaemon package:


ftp ftp.win.tue.nl # pub/security/


There are many many reasons to use this over the normal DU or Ultrix
login program. You get better control, better logging, etc.
There is also an ftpd with it but I have never used that.

It is also good to install the tcp/ip wrappers (same location).

-mike
------------------------------------------
From: Martin Mokrejs <mmokrejs_at_prfdec.natur.cuni.cz>

ftp access you can easily deny/allow using /etc/ftpusers file. With
telnet, that's a problem. Most effective would be including 'logout' command
into their .login
------------------------------------------
From: Christophe Colle <colle_at_pandora.be>


Hi,

Give the majority of your users a /bin/false as login shell... This will
prevent them from logging in with a shell in your machine. Don't forget to
add /bin/false in the /etc/shells file (if it exists) or they won't be
able to log in with ftp.

I hope this helps....


Christophe
------------------------------------------
From: "Richard Eisenman" <eisenman_at_tricity.wsu.edu>

I recommend using tcp wrappers for general security work.
------------------------------------------
From: Hans Kowallik <kowallik_at_SDSC.EDU>

For ftp access only use an invalid shell (/bin/false) and people won't be
able to use telnet.


Hans
------------------------------------------
From: "Thomas.Strandenaes" <thostr_at_fagmed.uit.no>

Easy,
give FTP-only users a dummy shell, and give the rest a real shell (in
/etc/passwd).

Have a nice day.

--
//thomas
------------------------------------------
From: Dave Tetreault <davet_at_uriacc.uri.edu>
Give the users who need ftp access only a shell that doesn't exist such as
/bin/ftponly.  Put this in /etc/shells so that they will be allowed to ftp.
If they attempt to telnet in they will be logged right out.
------------------------------------------
From: Stan Horwitz <stan_at_thunder.ocis.temple.edu>
A public domain package called tcpwrappers will do exactly what you want.
This package is highly recommended by most Unix/network security experts
and it's very easy to install and totally transparent to users. It's fairly
easy to find by doing a Web search, but if you should have any difficulty
finding it, let me know and I will look up the URL for you when I am in my
office later.
------------------------------------------
- - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - 
ian wojtowicz           | nation1        http://www.nation1.net
i_at_woj.com   ICQ:7652147 | An new country for the info age,  run
http://woj.com          | by the people who know it best:  kids
- - - - - - - - - - - - | - - - - - - - - - - - - - - - - - - - 
Received on Mon Mar 23 1998 - 01:04:58 NZST
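
The dummy-shell scheme from the replies above, turned into an audit script. This is an added example, not part of the original thread; the function names and the sample accounts are constructed, and it assumes ftpd checks the shells file the way the replies describe.

```shell
#!/bin/sh
# Added example. Classifies accounts under the dummy-shell scheme:
#   ftp-only     dummy shell, listed in the shells file (FTP yes, telnet no)
#   no-login     dummy shell, not listed (neither works)
#   interactive  real shell, listed
#   shell-no-ftp real shell, not listed (telnet works, ftpd refuses)
# Run it on the host being audited: the -x test looks at that filesystem.

# Dummy = /bin/false-style, or a path that is not an executable file.
is_dummy_shell() {
    case "$1" in */false) return 0 ;; esac
    [ ! -x "$1" ]
}

# Exact-line match against the shells file, ignoring comment lines.
in_shells_file() {
    grep -v '^[[:space:]]*#' "$2" | grep -Fxq -- "$1"
}

# audit_logins PASSWD_FILE SHELLS_FILE -> "user shell class" per account
audit_logins() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        shell=${shell:-/bin/sh}   # an empty shell field means /bin/sh
        if is_dummy_shell "$shell"; then dummy=yes; else dummy=no; fi
        if in_shells_file "$shell" "$2"; then listed=yes; else listed=no; fi
        case "$dummy,$listed" in
            yes,yes) class=ftp-only ;;
            yes,no)  class=no-login ;;
            no,yes)  class=interactive ;;
            no,no)   class=shell-no-ftp ;;
        esac
        printf '%s %s %s\n' "$user" "$shell" "$class"
    done < "$1"
}

# Constructed sample data (not from the thread).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'alice:x:1001:100:Alice:/home/alice:/bin/sh' \
    'bob:x:1002:100:Bob:/home/bob:/bin/false' \
    'carol:x:1003:100:Carol:/home/carol:/bin/ftponly' \
    'dave:x:1004:100:Dave:/home/dave:/bin/nosuchshell' \
    'erin:x:1005:100:Erin:/home/erin:' > "$demo_dir/passwd"
printf '%s\n' '# constructed shells file' /bin/sh /bin/false /bin/ftponly \
    > "$demo_dir/shells"
audit_logins "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

On a live system, pass /etc/passwd and /etc/shells as the two arguments; any account reported as no-login has a dummy shell that was never added to the shells file, so its FTP access is blocked as well.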