Old 12-04-2006, 03:11 AM   #1
Registered: Apr 2006
Location: Australia
Distribution: Debian Squeeze
Posts: 135

Rep: Reputation: 18
is creating users for vsftpd secure?


i want to make users for accessing a dedicated folder for themselves via ftp.
i think i've configured vsftpd correctly for that...

problem is when i create an account for vsftpd:
useradd NewName
passwd NewName

that user can login with ftp and only access his/her home dir from ftp, but they are able to login via SSH still and browse other folders which is BAD

also their home dir has files like .bash_logout and .bash_profile in there by default, which i don't know are safe or even needed.

should i be worried?
Old 12-04-2006, 10:28 AM   #2
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
It's been a while since I used built-in FTP, but couldn't you just set their shell to /bin/false and make sure /bin/false is in /etc/shells? I think they'll still be able to login via FTP, but not get a shell.
Old 12-04-2006, 11:33 AM   #3
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Rep: Reputation: 30
It's definitely a good idea to use a separate login for FTP access. FTP is an unencrypted protocol, so you definitely don't want to use an account that also has email/ssh/sudo access etc. What you need to do is just like chort said: in the user manager (whatever that may be on your distribution) set the login shell to /bin/false or /sbin/nologin (again depending on your distribution). To limit SSH access, modify your sshd_config file to include the "AllowUsers" parameter:
Old 12-04-2006, 11:42 AM   #4
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I'd add to the already good points / suggestions that you should not use this service to deliver any sensitive files.

Even after you've set up the users with a nologin "shell" and taken other precautions with sshd, keep in mind that authentication information gets sent clear text for anyone to grab.

If these are sensitive files, you'll want to look into either a) requiring SSL encryption for both authentication and data transfer (FTPS); or b) using something like scponly instead.

On top of all that, you can restrict access to vsftpd using either iptables or tcp_wrappers. (Not a standalone solution but it makes you harder to attack.)
Old 12-05-2006, 05:28 AM   #5
Registered: Apr 2006
Location: Australia
Distribution: Debian Squeeze
Posts: 135

Original Poster
Rep: Reputation: 18
thanks guys!
the AllowUsers line in the sshd_config file looks like it is doing the job!

now i can have a set of users for ftp and a different set for ssh
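
Added example, not part of the original thread: a shell check that the advice in posts #2 and #3 has taken effect for an account (non-login shell, shell listed in /etc/shells, account absent from AllowUsers). The function name, the admin/ftpalice/ftpbob accounts and the sample files are constructed for illustration; user@host entries are reduced to the user name and wildcard patterns are not evaluated.

```shell
#!/bin/sh
# audit_ftp_user USER [PASSWD] [SHELLS] [SSHD_CONFIG]
# Prints one finding per line; returns 0 only if USER is limited to FTP.
audit_ftp_user() {
    user=$1; passwd=${2:-/etc/passwd}; shells=${3:-/etc/shells}
    sshd=${4:-/etc/ssh/sshd_config}; rc=0

    # Field 7 of the passwd entry is the login shell.
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; f = 1 } END { exit !f }' "$passwd") || {
        echo "$user: no passwd entry"; return 1; }

    # Only the two non-login shells named in the thread are accepted.
    case $shell in
        /bin/false|/sbin/nologin) ;;
        *) echo "$user: login shell is '${shell:-unset}'"; rc=1 ;;
    esac

    # Post #2: the shell must also be listed in /etc/shells.
    grep -qxF -- "$shell" "$shells" || { echo "$user: '$shell' not in $shells"; rc=1; }

    # AllowUsers is a whitespace-separated list; keyword case is ignored.
    # Simplification: user@host is reduced to user, wildcards are not expanded.
    allowed=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$sshd")
    if [ -z "$allowed" ]; then
        echo "$user: no AllowUsers line in sshd_config"; rc=1
    elif printf '%s\n' "$allowed" | sed 's/@.*//' | grep -qxF -- "$user"; then
        echo "$user: listed in AllowUsers"; rc=1
    fi
    return "$rc"
}

# Constructed sample files (not taken from the thread).
SAMPLE=$(mktemp -d)
printf '%s\n' 'admin:x:1000:1000::/home/admin:/bin/bash' \
    'ftpalice:x:1001:1001::/home/ftpalice:/bin/false' \
    'ftpbob:x:1002:1002::/home/ftpbob:/bin/bash' > "$SAMPLE/passwd"
printf '%s\n' /bin/sh /bin/bash /bin/false > "$SAMPLE/shells"
printf '%s\n' '# constructed' 'AllowUsers admin' > "$SAMPLE/sshd_config"

for u in ftpalice ftpbob; do
    if audit_ftp_user "$u" "$SAMPLE/passwd" "$SAMPLE/shells" "$SAMPLE/sshd_config"
    then echo "$u: FTP-only"; fi
done
```

Called with only a user name, the function reads the system's /etc/passwd, /etc/shells and /etc/ssh/sshd_config.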

