Date:      Wed, 15 Aug 2001 10:23:08 +0700
From:      Roger Merritt <mcrogerm@stjohn.ac.th>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: deny access
Message-ID:  <3.0.6.32.20010815102308.007c6c10@stjohn.stjohn.ac.th>
In-Reply-To: <Pine.BSF.4.21.0108140109560.24670-100000@ren.sasknow.com>
References:  <F206Dt3HvoFOAmEaJsw00006d50@hotmail.com>

At 01:19 AM 8/14/01 -0600, you wrote:
>Lee Mark Mercado wrote to freebsd-questions@FreeBSD.ORG:
>
>> how could i deny login from FTP & TELNET - allowing only
>> POP3 access to certain accounts on my freeBSD box.
>> 
>> please help. thx
>
>Three basic strategies, in increasing order of strength:
>
>1) Enable some, but not all, accounts from logging in remotely.
>   Add users who should not be granted ftp access to /etc/ftpusers
>   Set users' shells to /sbin/nologin to prevent shell access
>2) Set up ipfw (man 8 ipfw) to limit network access to those services.
>   Perhaps you wish to only allow ftp and telnet to users on the
>   local network, or some trusted machines. Firewall configuration
>   is beyond the scope of this message, but not beyond the scope
>   of this mailing list. If you want to go this route, I/we can
>   help.
>3) Disable the services entirely. No one, not even a local user,
>   could then access the machine via telnet or ftp. This is perhaps
>   the easiest, and, if you do not require those services at all,
>   it is definitely the safest. Here's how:
>
>
>Edit /etc/inetd.conf and comment out the "telnet" and
>"ftp" services. Telnet is shown here.
>
>telnet	stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd
>
>Comment out the line (insert #):
>
>#telnet	stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd
>
>The procedure is identical for ftpd.
>
>If you use IPv6, find and comment out the IPv6 telnetd and ftpd as well.
>
>With those two lines commented out, save the file, and restart the
>Internet daemon:
>
>	kill -1 `cat /var/run/inetd.pid`
>
>Note the quotation marks are actually "backticks"--backwards pointing
>single quotes, usually found on the same key cap as the tilde (~)
>character.
>
>Having done that, attempt to telnet or ftp to the local host. You should
>get a "connection refused" error, indicating that the service is disabled.
>
>Script started on Tue Aug 14 01:18:25 2001
>ryan@ren $ telnet localhost
>Trying 127.0.0.1...
>telnet: Unable to connect to remote host: Connection refused
>ryan@ren $ exit
>
>Script done on Tue Aug 14 01:18:29 2001
>
>Hope this helps!
>- Ryan
>
>-- 
>  Ryan Thompson <ryan@sasknow.com>
>  Network Administrator, Accounts
>

Ryan's advice is excellent. Another article with helpful suggestions is at:
<http://www.onlamp.com/lpt/a//bsd/2001/06/28/Big_Scary_Daemons.html>;
-- 
Roger
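As an added example, not part of Ryan's or Roger's messages, the script below carries out strategies 1 and 3 from the quoted reply (listing users in ftpusers, and commenting out the telnet and ftp entries, IPv4 and IPv6 alike, in inetd.conf) on copies of the files so that it can be run without touching a live system. The sample inetd.conf content, the user name, and the function names are constructed for the example; the real-system steps (the SIGHUP to inetd and the nologin shell change) appear only as comments.

```shell
#!/bin/sh
# Added example, not from the original thread. Works on copies of the
# files; the inetd.conf sample and the user name are constructed.
# Assumes the FreeBSD inetd.conf layout: service name in field 1,
# protocol ("tcp" or "tcp6") in field 3, one entry per line.

# disable_inetd_service FILE SERVICE
# Prefix every active entry for SERVICE with '#'. Lines that are already
# comments are left alone, so running it twice does not produce '##'.
disable_inetd_service() {
    file=$1
    svc=$2
    tmp="${file}.tmp"
    awk -v svc="$svc" '
        $1 == svc && $0 !~ /^[ \t]*#/ { print "#" $0; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_active FILE SERVICE
# Print the number of uncommented entries for SERVICE (0 when disabled).
count_active() {
    awk -v svc="$2" '
        $1 == svc && $0 !~ /^[ \t]*#/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# add_ftpuser FILE USER
# Append USER to an ftpusers-style deny list unless already listed.
add_ftpuser() {
    file=$1
    user=$2
    grep -qx "$user" "$file" 2>/dev/null || printf '%s\n' "$user" >> "$file"
}

# --- demonstration on a constructed copy --------------------------------
demo_dir=$(mktemp -d)
conf="$demo_dir/inetd.conf"
deny="$demo_dir/ftpusers"

# Constructed sample resembling a FreeBSD 4.x inetd.conf; not a real file.
cat > "$conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper popper
EOF

# Strategy 1: deny ftp to a specific (constructed) account.
add_ftpuser "$deny" alice
# On a real system the shell change would be:  pw usermod alice -s /sbin/nologin

# Strategy 3: disable telnet and ftp entirely, leaving pop3 in place.
disable_inetd_service "$conf" telnet
disable_inetd_service "$conf" ftp

printf 'active telnet entries: %s\n' "$(count_active "$conf" telnet)"
printf 'active ftp entries:    %s\n' "$(count_active "$conf" ftp)"
printf 'active pop3 entries:   %s\n' "$(count_active "$conf" pop3)"
cat "$conf"

# On a real system, after editing /etc/inetd.conf, reload inetd with:
#     kill -1 `cat /var/run/inetd.pid`
# and confirm with "telnet localhost" that the connection is refused.
rm -rf "$demo_dir"
```

The awk match is on the first field only, so a service whose name merely contains "ftp" (for example a commented tftp line) is not touched, and both the tcp and tcp6 entries go in one pass, which covers the IPv6 reminder in the quoted reply.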