From: "Troy Settle" <troy@psknet.com>
To: "'Blake Swensen'"
Cc: 'FreeBSD ISP List' <freebsd-isp@freebsd.org>
Date: Wed, 20 Aug 2003 14:18:21 -0400
Subject: RE: Best methods for preventing SSH allowing FTP
In-Reply-To: <8010538263.20030820200924@blue.calx.nl>

Once upon a time, I used /usr/bin/passwd as the shell (users could telnet/ftp in to change their passwords). I then started using /usr/bin/false. I now use /sbin/nologin.

On my primary mail and ftp machines, I no longer use the system passwd facility to manage user accounts; it's all in a MySQL database, which my billing software manages directly using ODBC.

--
Troy Settle
Pulaski Networks
http://www.psknet.com
540.994.4254 ~ 866.477.5638
Pulaski Chamber 2002 Small Business Of The Year

> -----Original Message-----
> From: owner-freebsd-isp@freebsd.org [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Walter Hop
> Sent: Wednesday, August 20, 2003 2:09 PM
> To: Blake Swensen
> Cc: FreeBSD ISP List
> Subject: Re: Best methods for preventing SSH allowing FTP
>
> [in reply to blake@pyramus.com, 20-8-2003]
>
> > Anyone have suggestions for the best methods for locking an account so
> > that a user or a group can only ftp/POP/IMAP and prevent all other
> > access.
>
> We make use of two special shells to limit access and make it more clear
> what an account is used for. These are just shell scripts:
>
> /usr/local/bin/ftponly
> /usr/local/bin/mailonly
>
> They just contain something like this:
>
> #!/bin/sh
> echo "No SSH login allowed."
> exit 1
>
> For FTP accounts, we set the user's shell to /usr/local/bin/ftponly.
> The FTP daemon by default checks if the shell is in /etc/shells, so we have
> added the ftponly shellscript to /etc/shells. When people would SSH in,
> they'd get the "No SSH login allowed" message.
>
> For mail accounts, we set the user's shell to /usr/local/bin/mailonly.
> We have not added this shell to /etc/shells, so FTP and SSH login are
> disallowed, while our mailserver (uw-imap and pop3) does not care about
> this. The 'mailonly' shell is never executed; it is just there to make
> administration easier.
>
> cheers,
> walter
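The two checks the thread relies on are separable: ftpd consults /etc/shells, while sshd simply executes whatever login shell the account has, so a shell that prints a message and exits 1 ends the session. The script below is an added example, not code from either poster; it audits a passwd file against a shells file using exactly those two checks and reports what each account can do. Every path under $WORK (the ftponly stand-in, the shells and passwd files, the user names) is constructed for the demonstration; on a real host you would point audit at /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example: classify accounts by what the "restricted shell" convention
# from the thread actually permits. Files under $WORK are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /usr/local/bin/ftponly, as shown in the message.
cat > "$WORK/ftponly" <<'EOF'
#!/bin/sh
echo "No SSH login allowed."
exit 1
EOF
chmod +x "$WORK/ftponly"

# Constructed stand-in for /etc/shells: ftponly is listed, mailonly is not.
printf '%s\n' /bin/sh "$WORK/ftponly" > "$WORK/shells"

# Constructed stand-in for /etc/passwd (three hypothetical accounts).
cat > "$WORK/passwd" <<EOF
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:$WORK/ftponly
carol:*:1003:1003:Carol:/home/carol:$WORK/mailonly
EOF

# ftp_allowed SHELL SHELLSFILE -> 0 when SHELL is listed verbatim in SHELLSFILE,
# which is the test ftpd applies before letting the account log in.
ftp_allowed() {
    grep -qxF -- "$1" "$2"
}

# ssh_interactive SHELL -> 0 when SHELL exists and "SHELL -c 'exit 0'" succeeds,
# i.e. when a user handed to this shell by sshd would actually get a session.
# A deny script such as ftponly exits 1 here; a missing shell fails the -x test.
ssh_interactive() {
    [ -x "$1" ] && "$1" -c 'exit 0' >/dev/null 2>&1
}

# classify SHELL SHELLSFILE -> interactive | no-ftp | ftp-only | mail-only
classify() {
    if ssh_interactive "$1"; then
        if ftp_allowed "$1" "$2"; then echo interactive; else echo no-ftp; fi
    elif ftp_allowed "$1" "$2"; then
        echo ftp-only
    else
        echo mail-only
    fi
}

# audit PASSWDFILE SHELLSFILE -> one "user<TAB>shell<TAB>class" line per account
audit() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        printf '%s\t%s\t%s\n' "$user" "$shell" "$(classify "$shell" "$2")"
    done < "$1"
}

audit "$WORK/passwd" "$WORK/shells"
```

The classes follow only from the two checks modelled: "interactive" means both ftpd and a real shell would accept the account, "ftp-only" is the listed deny script, "mail-only" is an unlisted or absent shell, and "no-ftp" flags a working shell that someone forgot to list. Anything enforced elsewhere (PAM, sshd_config, the mail server's own account lookup) is outside what this audit can see, so treat its output as a starting point for review rather than the final word.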