Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-04-2006, 03:11 AM
|
#1
|
Member
Registered: Apr 2006
Location: Australia
Distribution: Debian Squeeze
Posts: 135
Rep:
|
is creating users for vsftpd secure?
hi.
i want to make users for accessing a dedicated folder for themselves via ftp.
i think i've configured vsftpd correctly for that...
problem is when i create an account for vsftpd:
useradd NewName
passwd NewName
that user can login with ftp and only access his/her home dir from ftp, but they are able to login via SSH still and browse other folders which is BAD
also their home dir has files like .bash_logout and .bash_profile in there by default which i don't know is safe or even needed.
should i be worried?
|
|
|
12-04-2006, 10:28 AM
|
#2
|
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
|
It's been a while since I used built-in FTP, but couldn't you just set their shell to /bin/false and make sure /bin/false is in /etc/shells? I think they'll still be able to login via FTP, but not get a shell.
|
|
|
12-04-2006, 11:33 AM
|
#3
|
Member
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465
Rep:
|
It's definitely a good idea to use a separate login for FTP access. FTP is an unencrypted protocol so you definitely don't want to use an account that also has email/ssh/sudo access etc. What you need to do is just like chort said, in the user manager (whatever that may be on your distribution) set the login shell to /bin/false or /sbin/nologin (again depending on your distribution). To limit SSH access modify your sshd_config file to include the "AllowUsers" parameter:
http://www.freebsd.org/doc/en_US.ISO...k/openssh.html
|
|
|
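An added example, not part of any reply in this thread: a POSIX shell audit that checks, per account, the two settings replies #2 and #3 recommend (the login shell and sshd's AllowUsers). The function names and sample accounts are constructed for illustration, and it assumes FTP logins require a shell listed in /etc/shells, as reply #2 implies (for example through pam_shells).

```shell
#!/bin/sh
# Added example (not from the thread). Paths are arguments, so run it on copies.

# ssh_allowed USER SSHD_CONFIG: succeeds if AllowUsers permits USER.
# No AllowUsers line means every user is permitted. Match blocks are ignored.
ssh_allowed() {
    user=$1
    # Keywords are case-insensitive; repeated AllowUsers lines accumulate.
    patterns=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$2")
    [ -z "$patterns" ] && return 0
    set -f                              # stop "*" expanding to file names
    rc=1
    for p in $patterns; do              # USER@HOST: compare the user part only
        case $user in ${p%%@*}) rc=0 ;; esac
    done
    set +f
    return $rc
}

# audit_accounts PASSWD SHELLS SSHD_CONFIG [MIN_UID]
# Prints: name shell ssh=<shell|auth-only|denied> ftp-shell=<listed|unlisted>
audit_accounts() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$uid" -ge "${4:-1000}" ] 2>/dev/null || continue
        [ -n "$shell" ] || shell=/bin/sh            # empty field means /bin/sh
        # auth-only: sshd still authenticates the account, but no shell is started
        case $shell in */false|*/nologin) ssh=auth-only ;; *) ssh=shell ;; esac
        ssh_allowed "$name" "$3" || ssh=denied
        if grep -qxF -- "$shell" "$2"; then ftp=listed; else ftp=unlisted; fi
        echo "$name $shell ssh=$ssh ftp-shell=$ftp"
    done < "$1"
}

# demo [SSHD_CONFIG_LINE]: runs the audit on constructed sample accounts.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
ftpalice:x:1001:1001::/home/ftpalice:/bin/false
ftpbob:x:1002:1002::/home/ftpbob:/usr/sbin/nologin
EOF
    printf '%s\n' /bin/sh /bin/bash /bin/false > "$d/shells"
    printf '%s\n' "$1" > "$d/sshd_config"
    audit_accounts "$d/passwd" "$d/shells" "$d/sshd_config"
    rm -rf "$d"
}
demo 'AllowUsers admin'
```

On a live system the call is `audit_accounts /etc/passwd /etc/shells /etc/ssh/sshd_config`; an FTP-only account that shows `ssh=shell` or `ssh=auth-only` is still accepted by sshd, and one that shows `ftp-shell=unlisted` may be refused by the FTP login.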
12-04-2006, 11:42 AM
|
#4
|
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Rep: 
|
I'd add to the already good points / suggestions that you should not use this service to deliver any sensitive files.
Even after you've set up the users with a nologin "shell" and taken other precautions with sshd, keep in mind that authentication information gets sent clear text for anyone to grab.
If these are sensitive files, you'll want to look into either a) requiring SSL encryption for both authentication and data transfer (FTPS); or b) using something like scponly instead.
On top of all that, you can restrict access to vsftpd using either iptables or tcp_wrappers. (Not a standalone solution but it makes you harder to attack.)
|
|
|
12-05-2006, 05:28 AM
|
#5
|
Member
Registered: Apr 2006
Location: Australia
Distribution: Debian Squeeze
Posts: 135
Original Poster
Rep:
|
thanks guys!
the AllowUsers line in the sshd_config file looks like it is doing the job!
now i can have a set of users for ftp and a different set for ssh 
|
|
|
All times are GMT -5.