LinuxQuestions.org
Old 09-29-2004, 05:38 AM   #1
Telexen
LQ Newbie
 
Registered: Sep 2004
Distribution: Gentoo
Posts: 6

Rep: Reputation: 0
FTP/SSH setup questions


I'm running Slackware 10 and I want to run it on a box as a File/Web server. I've got Apache/PHP/MySQL and Samba set up, but I'm wondering how I can set up FTP and SSH servers which will automatically only take connections from users with accounts on the system (like in 'ftp' and 'sshd' groups) and possibly lock them into their home folder.

I've got the SSHd running, but not adding users to the sshd group doesn't seem to keep them out.

Thanks for any input.
 
Old 09-29-2004, 06:41 AM   #2
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Posts: 1,210
Blog Entries: 4

Rep: Reputation: 45
You can enable ftp on Slackware 10 by uncommenting

ftp stream tcp nowait root /usr/sbin/tcpd proftpd

line in /etc/inetd.conf
and then cd /etc/rc.d
./rc.inetd stop
./rc.inetd start

Not sure of how you can keep them out of ssh and stuff like that. But you can use jailshell to lock them in their space.
 
Old 09-30-2004, 07:34 AM   #3
wes103
LQ Newbie
 
Registered: Sep 2004
Location: Eastern Pennsylvania, US
Distribution: Slackware
Posts: 21

Rep: Reputation: 15
You want a per-user lockout? Meaning, that they cannot log into a shell on the box, but can still receive/send email, correct?

Edit /etc/passwd, go to the user's line, after the last colon (':') change the /bin/bash to /bin/false. It is possible there is no /bin/bash, in which case, just add the /bin/false. This will prevent them from shell access, not just via SSH, but also from the console, so do not do this to root, nor to the account you use for administration (i.e. yours). I believe that the FTP server also honors this.

-Bill
 
Old 10-01-2004, 04:43 AM   #4
Cerbere
Member
 
Registered: Dec 2002
Location: California
Distribution: Slackware & LFS
Posts: 799

Rep: Reputation: 33
From 'man sshd_config':
Code:
     AllowGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  If specified, login is allowed only for
             users whose primary group or supplementary group list matches one
             of the patterns.  `*' and `?' can be used as wildcards in the
             patterns.  Only group names are valid; a numerical group ID is
             not recognized.  By default, login is allowed for all groups.

     AllowUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  If specified, login is allowed only for
             user names that match one of the patterns.  `*' and `?' can be
             used as wildcards in the patterns.  Only user names are valid; a
             numerical user ID is not recognized.  By default, login is
             allowed for all users.  If the pattern takes the form USER@HOST
             then USER and HOST are separately checked, restricting logins to
             particular users from particular hosts.

     DenyGroups
             This keyword can be followed by a list of group name patterns,
             separated by spaces.  Login is disallowed for users whose primary
             group or supplementary group list matches one of the patterns.
             `*' and `?' can be used as wildcards in the patterns.  Only group
             names are valid; a numerical group ID is not recognized.  By
             default, login is allowed for all groups.

     DenyUsers
             This keyword can be followed by a list of user name patterns,
             separated by spaces.  Login is disallowed for user names that
             match one of the patterns.  `*' and `?' can be used as wildcards
             in the patterns.  Only user names are valid; a numerical user ID
             is not recognized.  By default, login is allowed for all users.
             If the pattern takes the form USER@HOST then USER and HOST are
             separately checked, restricting logins to particular users from
             particular hosts.
So just add one (or more) of the above directives to your /etc/ssh/sshd_config file to allow/deny the user(s)/group(s) you wish.

To lock them into their home directory, look at this project.

As for FTP, I'd recommend only using sftp, which is more secure and will be configured when you set up sshd.

Enjoy!
--- Cerbere

[edit] You may also want to browse through the Security forum of LQ for more info on locking down your box. [/edit]

Last edited by Cerbere; 10-01-2004 at 04:45 AM.
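
The AllowGroups rule quoted from the man page above, as an added example that is not part of any post in this thread: a shell check that reports which accounts a given AllowGroups line would admit, including the default-allow case when the directive is absent. The group names (`sshlogin`, `admins`), the accounts and the `demo` helper are constructed for illustration, and only AllowGroups is evaluated.

```shell
#!/bin/sh
# Added example: list which accounts an AllowGroups line would admit.
# Assumptions: only AllowGroups is evaluated (no Match blocks, AllowUsers,
# DenyUsers, DenyGroups); the group names below are hypothetical.

# Print every group (primary and supplementary) of a user.
user_groups() {  # args: user gid groupfile
    awk -F: -v u="$1" -v gid="$2" '
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$3"
}

# Print the users that pass AllowGroups, one per line.
# Body runs in a subshell so that "set -f" does not leak to the caller.
ssh_allowed_users() (  # args: passwdfile groupfile sshd_config
    set -f  # keep * and ? in the patterns from expanding to file names
    patterns=$(awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$3")
    while IFS=: read -r user pw uid gid rest; do
        # No directive present: "login is allowed for all groups".
        if [ -z "$patterns" ]; then echo "$user"; continue; fi
        for g in $(user_groups "$user" "$gid" "$2"); do
            for pat in $patterns; do
                case "$g" in $pat) echo "$user"; continue 3 ;; esac
            done
        done
    done < "$1"
)

# Constructed sample data; $1 is the sshd_config line to test.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'alice:x:1000:100::/home/alice:/bin/bash' \
        'bob:x:1001:100::/home/bob:/bin/bash' \
        'carol:x:1002:1050::/home/carol:/bin/bash' \
        'dave:x:1003:100::/home/dave:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:x:0:' 'users:x:100:' 'sshlogin:x:1050:alice' \
        'admins:x:1051:bob' > "$d/group"
    printf '%s\n' "$1" > "$d/sshd_config"
    ssh_allowed_users "$d/passwd" "$d/group" "$d/sshd_config"
    rm -rf "$d"
}

demo 'AllowGroups sshlogin admin*'    # directive present
demo '#AllowGroups sshlogin admin*'   # directive commented out
```

With the directive commented out every account is listed, which matches the behaviour described in the first post: group membership alone restricts nothing until AllowGroups is set in sshd_config.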
 
All times are GMT -5.