Re: FTP yes, Telnet no

2000-05-18 Thread Ron Rademaker
Use /etc/hosts.allow and /etc/hosts.deny, in hosts.deny you say ALL: ALL,
now you can't make a connection from anywhere except when you say so in
hosts.allow, so there you say proftpd: ALL and anything else you'll want
to open (eg. sendmail, nfs-server, apache etc.)
Another thing you can do is simply remove the telnet daemon (telnetd).

Ron Rademaker

On Thu, 18 May 2000, Mats Rynge wrote:

> Hi!
> 
> How can I limit some of my users to be able to use FTP but not be able
> to use Telnet. I thought this was possible by changing the shell to
> /bin/true, but it didn't work. I'm running potato and I'm using proftp as
> FTP server.
> 
> TIA
> 
> Mats



RE: FTP yes, Telnet no

2000-05-18 Thread Peter Good
Ahhh, exactly the same I ran into.

Make sure that in the file /etc/pam.d/login the line
account  required   pam_access.so
is uncommented.
Then edit your /etc/security/access.conf to suit.
You can have either of users, groups or hosts in this file I believe. I
found it easier for the users I wanted to limit: I just added them all
to a group, and stopped that group from login access for telnet with
this in /etc/security/access.conf

-:groupname:ALL

A simple way of stopping a certain group of users from telnet :)
Pete.
--
In the beginning, the universe was created. 
This made a lot of people very angry, and 
has been widely regarded as a bad idea.

Peter Good                    Email: [EMAIL PROTECTED]
Pete's Internet Services      Sales: [EMAIL PROTECTED]
http://www.petesinternet.net  Phone: 0401 283 482
Morayfield QLD Australia



Re: FTP yes, Telnet no

2000-05-18 Thread Ethan Benson
On Thu, May 18, 2000 at 10:45:43AM +, Mats Rynge wrote:
> Hi!
> 
> How can I limit some of my users to be able to use FTP but not be able
> to use Telnet. I thought this was possible by changing the shell to
> /bin/true, but it didn't work. I'm running potato and I'm using proftp as
> FTP server.

define `didn't work'  do you mean they were still able to telnet or
that they could no longer login to anything including ftp?

if it was the latter you need to run:

echo "/bin/true" >> /etc/shells

if it was the former that would be very strange indeed, and would
indicate something is quite broken if the shell field of /etc/passwd
is being ignored...

however a more secure method to restrict users to ftp only IMO is with
pam:

in /etc/pam.d/login i have:

auth   required pam_listfile.so item=user sense=deny \
file=/etc/deny.shell onerr=succeed

in /etc/deny.shell is a list of usernames that are not permitted to
login interactively, if they attempt to login with telnet or on the
console it will seem as though they are entering an incorrect
password.  you will need to add this line to any other pam service
that you wish to disallow for ftp only accounts.  you should however
combine this with setting the shell to /bin/true or nologin [1] in
case you happen to have something that does not use pam.

also don't use telnet, use ssh.  

[1] the nologin program i refer to comes from OpenBSD, it is very
simple, it prints "This account is currently not available." and exits,
it will also read /etc/nologin.txt if it exists and print its contents
instead.  the OpenBSD source compiles fine on GNU/Linux.  Debian also
has a similar program packaged called falselogin but it is
significantly more complicated than the OpenBSD version.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
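
A consistency check for the setup described in the message above, as an added example that is not part of the original thread: for every name in the pam_listfile deny list it confirms that the passwd shell is /bin/true or nologin, and that the shell is listed in the shells file so FTP logins keep working. The function names, the sample accounts and the temporary files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit FTP-only accounts.
# usage: audit_ftp_only PASSWD_FILE SHELLS_FILE DENY_FILE
# Prints one finding per line; prints nothing when all accounts are consistent.
audit_ftp_only() {
    passwd_file=$1; shells_file=$2; deny_file=$3
    while IFS= read -r user || [ -n "$user" ]; do
        [ -n "$user" ] || continue            # skip blank lines
        entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
        if [ -z "$entry" ]; then
            echo "$user: in deny list but has no passwd entry"
            continue
        fi
        shell=${entry##*:}                    # last passwd field is the shell
        [ -n "$shell" ] || shell=/bin/sh      # empty field means /bin/sh
        # The thread's second layer: a shell that gives no interactive session.
        case $shell in
            /bin/true|*/nologin) ;;
            *) echo "$user: shell $shell permits interactive login where PAM is not used" ;;
        esac
        # The thread's /etc/shells point: an unlisted shell can block FTP too.
        if ! grep -qxF -- "$shell" "$shells_file"; then
            echo "$user: shell $shell is not listed in shells file; FTP login may be refused"
        fi
    done < "$deny_file"
}

# Constructed sample data, written to a temporary directory so nothing
# under /etc is read or modified.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/true' \
                  'bob:x:1002:1002::/home/bob:/bin/bash' \
                  'carol:x:1003:1003::/home/carol:/usr/sbin/nologin' > "$d/passwd"
    printf '%s\n' /bin/sh /bin/bash /bin/true > "$d/shells"
    printf '%s\n' alice bob carol > "$d/deny.shell"
    audit_ftp_only "$d/passwd" "$d/shells" "$d/deny.shell"
    rm -rf "$d"
}

demo
```

On a real system the three arguments would be /etc/passwd, /etc/shells and /etc/deny.shell.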

