Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
By default all users are allowed to log in. If I add this line to my sshd_config file:
Code:
AllowUsers foo
Would foo be the only one able to log in? Or would I need to put something like:
Code:
DenyUsers *
AllowUsers foo
There is a little bit of ambiguity on how these work with each other in the documentation I've read.
And now the ProFTPd question:
The problem to me simply seems to be similar to that of the sshd question; a lack of documentation/examples of the AllowUser/DenyUser type commands, especially whether they can do something similar to an OpenSSHd configuration of AllowUsers, where it accepts a host as well as a user name.
Now, after a short rambling...here is the exact issue.
I need to create a user account that can log in from the internal network, but cannot be logged into from the outside world. What would be the proper method to do this, given I'm running ProFTPd on Mandrake?
If Mandrake uses PAM, I would suggest using the "Pluggable Authentication Module" to filter who can and who cannot use services. PAM is a huge beast, so take your time and do it right.
The more I look at it, the more I think that PAM was an excellent direction to send me in. It's something I knew of, and knew existed on our system, but I've never really tinkered with it at all (never really had a need). Just wanted to say thanks again.
Well, PAM is a two-edged sword. If you need the flexibility, then it's good. If you're not using the features, then you should disable it, because it can allow for vulnerabilities in lots of network daemons if PAM hasn't been updated with security patches, or if the daemons have bad handling of PAM authentication. There have been quite a few application vulnerabilities that only applied if PAM auth was enabled.
For anyone else who was curious... The biggest issue I had with the documentation is that I didn't see all of the documentation at once, and because at times I can be thick-skulled, I didn't put 2 and 2 together for a while.
The ProFTPd config addition needed for this is as follows:
Code:
<Limit LOGIN>
Order allow,deny
Allow from 192.168.
AllowGroup ftpusers
Deny from all
</Limit>
What this does:
Makes sure the allow-ables are allowed in before it checks who to turn away
Allows everyone from the local network to log in
Allows all users that belong to the ftpusers group to log in (for all accounts that need to be accessible from outside)
Denies everyone else
This seems to have achieved the desired effect without the PAM module I was planning on writing (chort's warning made me step back, and getting lazy really prevented it). But if anyone has any suggestions or sees any flaws, do enlighten me.
I've solved the SSH problem I had in a different manner, but I'm still probably going to toy with it to get this same sort of effect with OpenSSHd, and will post those findings as well unless someone beats me to it. I've answered some of my own questions, but I still haven't achieved the desired results. The things I have found out are: using DenyUsers * with AllowUsers is pointless, as AllowUsers makes it so only the users in the list can get in... so the DenyUsers only helps to booger things up. And the other thing is simply that AllowUsers using the USER@HOST method doesn't work exactly as I expected it to.
The sshd_config equivalent to the ftpd configuration is this:
Code:
AllowUsers *@192.168.* alloweduser1 alloweduser2
alloweduser1 and alloweduser2 are the user accounts that need to be allowed access from anywhere.
This will result in any account being able to be ssh'ed into from the local net, but restricts access from outside to only the users in the list (separated by spaces).
Special Note!:
It seems the reason I was having trouble before was an out-of-date version of OpenSSH! AllowUsers doesn't act the same with sshd_config,v 1.59! The config line above was tested with sshd_config,v 1.69 (OpenSSH 3.8 was the actual OpenSSH version tested with, the latest as of this posting, I believe).
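As an added example that is not part of this thread (and not OpenSSH's own code), here is a small Python model of how sshd evaluates AllowUsers/DenyUsers, following the order documented in sshd_config(5): DenyUsers first, then AllowUsers, then DenyGroups, then AllowGroups. Patterns accept only `*` and `?`, and a USER@HOST entry matches USER against the login name and HOST against either the client's resolved host name or its IP address. It runs the thread's own line `AllowUsers *@192.168.* alloweduser1 alloweduser2` and the two variants from the opening post (`AllowUsers foo` alone, and `DenyUsers *` with `AllowUsers foo`) against constructed connections; the user names bob and bar, the `LAN`/`WAN` tuples and the `thread_cases` function are assumptions made for the example.

```python
"""Model of sshd_config AllowUsers/DenyUsers evaluation.

Added example, not code from the thread or from OpenSSH itself. sshd_config(5)
documents the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. Patterns
accept only '*' and '?'. A USER@HOST entry matches USER against the login name
and HOST against the client's resolved host name or its IP (either is enough).
"""
from typing import Sequence


def match_pattern(pattern: str, value: str) -> bool:
    """Glob match supporting only '*' (any run) and '?' (one character),
    like sshd's match_pattern(); '[...]' classes are deliberately absent."""
    if not pattern:
        return value == ""
    if pattern[0] == "*":
        # try every split point for the '*', including matching nothing
        return any(match_pattern(pattern[1:], value[i:])
                   for i in range(len(value) + 1))
    if not value:
        return False
    if pattern[0] == "?" or pattern[0] == value[0]:
        return match_pattern(pattern[1:], value[1:])
    return False


def match_user_entry(entry: str, user: str, host: str, addr: str) -> bool:
    """Match one AllowUsers/DenyUsers entry against a connection."""
    if "@" in entry:
        user_pat, host_pat = entry.rsplit("@", 1)
        return (match_pattern(user_pat, user)
                and (match_pattern(host_pat, host) or match_pattern(host_pat, addr)))
    return match_pattern(entry, user)


def login_allowed(user: str, groups: Sequence[str], host: str, addr: str,
                  deny_users: Sequence[str] = (), allow_users: Sequence[str] = (),
                  deny_groups: Sequence[str] = (), allow_groups: Sequence[str] = ()) -> bool:
    """Apply the four lists in sshd's documented order. An empty Allow list means
    'no restriction'; a non-empty one must match or the login is refused."""
    if any(match_user_entry(e, user, host, addr) for e in deny_users):
        return False          # DenyUsers wins before AllowUsers is even consulted
    if allow_users and not any(match_user_entry(e, user, host, addr) for e in allow_users):
        return False
    if any(match_pattern(p, g) for p in deny_groups for g in groups):
        return False
    if allow_groups and not any(match_pattern(p, g) for p in allow_groups for g in groups):
        return False
    return True


# The policy from the thread: anyone from the 192.168.x.x net, plus two named
# accounts from anywhere.
THREAD_ALLOW_USERS = "*@192.168.* alloweduser1 alloweduser2".split()

# Constructed connections as (resolved host name, IP); with no reverse DNS the
# host name is just the address. 203.0.113.9 is an RFC 5737 documentation address.
LAN = ("192.168.1.5", "192.168.1.5")
WAN = ("203.0.113.9", "203.0.113.9")


def thread_cases() -> dict:
    """Evaluate the thread's questions and return the outcome of each by label."""
    return {
        # the USER@HOST policy from the last post
        "bob from LAN": login_allowed("bob", ["users"], *LAN, allow_users=THREAD_ALLOW_USERS),
        "bob from WAN": login_allowed("bob", ["users"], *WAN, allow_users=THREAD_ALLOW_USERS),
        "alloweduser1 from WAN": login_allowed("alloweduser1", ["users"], *WAN,
                                               allow_users=THREAD_ALLOW_USERS),
        # the opening question: AllowUsers foo on its own
        "foo, AllowUsers foo": login_allowed("foo", ["users"], *WAN, allow_users=["foo"]),
        "bar, AllowUsers foo": login_allowed("bar", ["users"], *WAN, allow_users=["foo"]),
        # 'DenyUsers *' plus 'AllowUsers foo': DenyUsers is checked first, so it
        # locks out foo as well
        "foo, DenyUsers * + AllowUsers foo": login_allowed("foo", ["users"], *WAN,
                                                           deny_users=["*"], allow_users=["foo"]),
    }


if __name__ == "__main__":
    for label, ok in thread_cases().items():
        print(f"{label:36} {'allowed' if ok else 'refused'}")
```

Two practical notes. First, because DenyUsers is consulted before AllowUsers, `DenyUsers *` does not act as a "default deny" behind an allow list; it refuses every login, including the one you meant to allow. A non-empty AllowUsers already is the default deny. Second, the host part of a USER@HOST entry is matched against the reverse-resolved name as well as the address, so a pattern like `192.168.*` is only as trustworthy as the address, not the name; newer OpenSSH releases also accept CIDR notation (for example `*@192.168.0.0/16`) in the host part, which was not available in the 3.8-era versions discussed above. On a current server, `sshd -T -C user=bob,host=192.168.1.5,addr=192.168.1.5` prints the effective configuration sshd would apply to that connection, which is the quickest way to check what an AllowUsers line actually resolves to.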