LinuxQuestions.org
Old 04-09-2003, 05:47 PM   #1
BxBoy
Member
 
Registered: Oct 2002
Location: New York City (nYc)
Distribution: Red Hat Enterprise 3
Posts: 93

Rep: Reputation: 15
Disable User Logons during Maintenance, Possible?


Is it possible to prevent users from logging into the system during times when I need to do system maintenance? In effect, I don't want to lock myself out though.
 
Old 04-09-2003, 06:01 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
3 solutions I know of:

Copy the /etc/passwd file then remove all users apart from yourself, root and system accounts. Once you are done just move the old file back again.

If you are working from the console you could disable the services that people connect to.

You could set up a rule in iptables or ipchains that only allows connections from your machine.
 
Old 04-09-2003, 06:03 PM   #3
BxBoy
Member
 
Registered: Oct 2002
Location: New York City (nYc)
Distribution: Red Hat Enterprise 3
Posts: 93

Original Poster
Rep: Reputation: 15
I log in remotely with ssh as the server is miles away. I guess the first option is the most plausible. The other two would most likely lock me out.

Last edited by BxBoy; 04-09-2003 at 06:05 PM.
 
Old 04-09-2003, 06:15 PM   #4
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
I don't know how your other users log in, but you could always set ssh to listen on a second obscure port like 8080 or something, then ssh to that port for maintenance and set a rule to block access to port 22 to stop users accessing the server.
 
Old 04-09-2003, 06:27 PM   #5
BxBoy
Member
 
Registered: Oct 2002
Location: New York City (nYc)
Distribution: Red Hat Enterprise 3
Posts: 93

Original Poster
Rep: Reputation: 15
They log in via SSH as well; I disabled TELNET as it's insecure. This is also another likely option I can implement. Thanks.
 
Old 04-13-2003, 03:12 PM   #6
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
I just found this by accident and remembered your question.

Look at man sshd
Code:
     /etc/nologin
             If this file exists, sshd refuses to let anyone except root log
             in.  The contents of the file are displayed to anyone trying to
             log in, and non-root connections are refused.  The file should be
             world-readable.
 
Old 04-13-2003, 04:20 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Note tho if you gonna use nologin, using sshd will be a problem. That is, unless you're gonna admit you'll be using the root account to log into directly... IMO the easy way is to have an extra check in the PAM sshd config, just add this line:
"auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/pam.sshd onerr=fail".
The /etc/pam.sshd file just contains the usernames of the ppl you want to be able to use sshd for logging in, one per line.
Btw, if you're gonna use a backup sshd on a different port, don't make it to be 8080, that's the alternative HTTP port, often used by proxies as well, and so scanned a lot for by skiddies and proxy hunters.
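
The pam_listfile allow-list from the last post, used as a maintenance switch. This is an added example, not code from any poster in the thread: the function names, the `.normal` backup suffix and the idea of temporarily shrinking the list to the admins are assumptions, and the PAM config path is passed as an argument (typically /etc/pam.d/sshd) so the functions can be tried on scratch copies first.

```shell
#!/bin/sh
# Added example (not from the thread): maintenance mode by shrinking the
# pam_listfile allow-list. Paths are arguments so it can be tried on copies.

# Print the path given as file= on the active pam_listfile sense=allow line.
# Fails when no such argument is found (e.g. a stray space in "file =...").
listfile_path() {   # listfile_path <pam_config>
    awk '!/^[ \t]*#/ && /pam_listfile\.so/ && /sense=allow/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^file=/) { print substr($i, 6); found = 1; exit }
         }
         END { exit !found }' "$1"
}

# Replace the allow-list with only the named admins, keeping the normal list.
# Each guard below exists to avoid locking the admin out of a remote box.
maint_on() {        # maint_on <pam_config> <admin> [<admin>...]
    pam=$1; shift
    [ "$#" -ge 1 ] || { echo "refusing: no admin user named" >&2; return 1; }
    list=$(listfile_path "$pam") || { echo "no allow rule in $pam" >&2; return 1; }
    [ -r "$list" ] || { echo "$list missing; onerr=fail denies everyone" >&2; return 1; }
    [ ! -e "$list.normal" ] || { echo "already in maintenance mode" >&2; return 1; }
    cp -p -- "$list" "$list.normal" || return 1
    printf '%s\n' "$@" > "$list.tmp" && chmod 644 "$list.tmp" &&
        mv -- "$list.tmp" "$list"   # rename so a login never reads a partial file
}

# Put the normal allow-list back.
maint_off() {       # maint_off <pam_config>
    list=$(listfile_path "$1") || return 1
    [ -e "$list.normal" ] || { echo "not in maintenance mode" >&2; return 1; }
    mv -- "$list.normal" "$list"
}
```

The allow-list is consulted when a user authenticates, so sessions that are already open stay open.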
 
  


All times are GMT -5.