LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-28-2004, 05:46 PM   #1
Ankheg
Member
 
Registered: Jul 2004
Location: Woodland Hills, CA
Distribution: Debian/Mandrake
Posts: 37

Rep: Reputation: 15
Question 2 quick questions: ProFTPd and OpenSSHd


First the OpenSSHd question:

By default the all users are allowed to login. If I add the line to my sshd_config file:
Code:
AllowUsers foo
Would foo be the only one able to login? Or would I need to put something like:
Code:
DenyUsers *
AllowUsers foo
There is a little bit of ambiguity on how these work with each other in the documentation I've read.


And now the ProFTPd question:

The problem to me simply seems to be similar to that of the sshd question; a lack of documentation/example of the AllowUser/DenyUser type commands. Especially something about if they can do something similar to a OpenSSHd configuration of AllowUsers where it accepts a host as well as a user name.

Now, after a short rambling...here is the exact issue.

I need to create a user account that can login from the internal network, but cannot be logged into from the outside world. What would be the proper method to do this given I'm running ProFTPd on Mandrake?

Thanks in advance!
 
Old 07-28-2004, 07:02 PM   #2
jhumeston
Member
 
Registered: Mar 2004
Posts: 50

Rep: Reputation: 15
If mandrake uses PAM, I would suggest using the "Pluggable Authentication Module" to filter who and who cannot use services. PAM is a huge beast so take your time and do it right.
 
Old 07-28-2004, 07:12 PM   #3
Ankheg
Member
 
Registered: Jul 2004
Location: Woodland Hills, CA
Distribution: Debian/Mandrake
Posts: 37

Original Poster
Rep: Reputation: 15
Will definitely look into that. Thanks for the tip.

If anyone has answers to the previous though, that would still be welcomed... I'm still curious.
 
Old 07-28-2004, 09:24 PM   #4
Ankheg
Member
 
Registered: Jul 2004
Location: Woodland Hills, CA
Distribution: Debian/Mandrake
Posts: 37

Original Poster
Rep: Reputation: 15
The more I look at it, the more I think that PAM was an excellent direction to send me in. It's something I knew of, and knew existed on our system, but I've never tinkered with it at all really (never really had a need). Just wanted to say thanks again.
 
Old 07-29-2004, 03:52 AM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Well, PAM is a two-edged sword. If you need the flexibility, then it's good. If you're not using the features, than you should disable it, because it can allow for vulnerabilities in lots of network daemons if PAM hasn't been updated with security patches, or if the daemons have bad handling of PAM authentication. There have been quite a few application vulnerabilities that only applied if PAM auth was enabled.
 
Old 07-29-2004, 07:46 PM   #6
Ankheg
Member
 
Registered: Jul 2004
Location: Woodland Hills, CA
Distribution: Debian/Mandrake
Posts: 37

Original Poster
Rep: Reputation: 15
For anyone else who was curious... The biggest issue I had with the documentation is that I didn't see all of the documentation at once, and because at times, I can be thick skulled, I didn't put 2 and 2 together for a while.

The ProFTPd config addition needed for this is as follows:

Code:
<Limit LOGIN>
  Order allow,deny
  Allow from 192.168.
  AllowGroup ftpusers
  Deny from all
</Limit>
What this does:
Makes sure the allow-ables are allowed in before it checks who to turn away
Allows everyone from the local network to login
Allows all users that belong to the ftpusers group to login (for all accounts that need to be accessible from outside)
Denys everyone else

This seems to have achieved the desired effect without the PAM module I was planning on writing (chort's warning made me step back, and getting lazy really prevented it). But if anyone has any suggestions or sees any flaws, do enlighten me.

I've solved the SSH problem I had in a different manner, but I'm still probably going to toy with it to get this same sort of effect with OpenSSHd, and will post those findings as well unless someone beats me to it. I've answered some of my own questions, but I still haven't achieved the desired results. The things I have found out are using DenyUsers * with AllowUsers is pointless, as AllowUsers makes it so only the users in the list that can get in...so the DenyUsers only helps to booger things up. And the other thing is simply that AllowUsers using the USER@HOST method doesn't work exactly as I expect it to.
 
Old 08-06-2004, 02:34 PM   #7
Ankheg
Member
 
Registered: Jul 2004
Location: Woodland Hills, CA
Distribution: Debian/Mandrake
Posts: 37

Original Poster
Rep: Reputation: 15
The sshd_config equivalant to the ftpd configuration is this:
Code:
AllowUsers *@192.168.* alloweduser1 alloweduser2
alloweduser1 and alloweduser2 are the user accounts that need to be allowed access from anywhere.

This will result in any account being able to be ssh'ed into from the local net, but restrict access from outside to only the users in the list (separated by spaces).

Special Note!:
It seems the reason I was having trouble before was due to an out of date version of OpenSSH! AllowUsers doesn't act the same with sshd_config,v 1.59! The config line above was tested with sshd_config,v 1.69 (OpenSSH 3.8 was the actual OpenSSH version tested with, the latest as of this posting, I believe).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Quick Proftpd question... AudioMechanic Mandriva 2 05-08-2005 06:34 PM
quick help with proftpd lozza1978 Linux - Newbie 1 02-21-2005 01:28 PM
Proftpd Questions? berkay Linux - General 0 09-07-2004 02:30 PM
ProFTPd and naming Quick Question Kedelfor Linux - Software 1 08-19-2004 03:01 PM
ProFTPd Questions heho Linux - Software 1 01-30-2004 04:45 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:30 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration