LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-04-2006, 03:11 AM   #1
FireRaven
Member
 
Registered: Apr 2006
Location: Australia
Distribution: Debian Squeeze
Posts: 135

Rep: Reputation: 18
is creating users for vsftpd secure?


hi.

i want to make users for accessing a dedicated folder for themselves via ftp.
i think i've configured vsftpd correctly for that...

problem is when i create an account for vsftpd:
useradd NewName
passwd NewName


that user can login with ftp and only access his/her home dir from ftp, but they are able to login via SSH still and browse other folders which is BAD

also their home dir has files like .bash_logout and .bash_profile in their by default which i don't know is safe or even needed.

should i be worried?
 
Old 12-04-2006, 10:28 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
It's been a while since I used built-in FTP, but couldn't you just set their shell to /bin/false and make sure /bin/false is in /etc/shells? I think they'll still be able to login via FTP, but not get a shell.
 
Old 12-04-2006, 11:33 AM   #3
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Rep: Reputation: 30
It's definitely a good idea to use a separate login for FTP access. FTP is an unencrypted protocol so you definitely don't want to use an account that also have email/ssh/sudo access etc. What you need to do is just like chort said, in the user manager (whatever that may be on your distribution) set the login shell to /bin/false or /sbin/nologin (again depending on your distribution). To limit SSH access modify your sshd_config file to include the "AllowUsers" parameter:
http://www.freebsd.org/doc/en_US.ISO...k/openssh.html
 
Old 12-04-2006, 11:42 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I'd add to the already good points / suggestions that you should not use this service to deliver any sensitive files.

Even after you've set up the users with a nologin "shell" and taken other precautions with sshd, keep in mind that authentication information gets sent clear text for anyone to grab.

If these are sensitive files, you'll want to look into either a) requiring SSL encryption for both authentication and data transfer (FTPS); or b) using something like scponly instead.

On top of all that, you can restrict access to vsftpd using either iptables or tcp_wrappers. (Not a standalone solution but it makes you harder to attack.)
 
Old 12-05-2006, 05:28 AM   #5
FireRaven
Member
 
Registered: Apr 2006
Location: Australia
Distribution: Debian Squeeze
Posts: 135

Original Poster
Rep: Reputation: 18
thanks guys!
the AllowUsers line in the sshd_config file looks like it is doing the job!

now i can have a set of users for ftp and a different set for ssh
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
VSFTPD with secure & non-secure logins Ricci Graham Linux - Software 6 02-24-2020 11:49 PM
creating users with vsftpd myk3 Linux - Newbie 1 11-19-2003 07:54 AM
vsftpd, and premoicuous. Is it secure? jsbush Linux - Security 2 11-04-2003 12:16 PM
vsftpd very very secure, so secure i can't use it... baronsam Linux - Networking 4 10-06-2003 06:12 PM
Vsftpd Folder ownerships - Is this secure? Korff Linux - Security 2 06-06-2003 01:05 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:00 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration