From owner-freebsd-questions Tue Aug 14 20:24:25 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from stjohn.stjohn.ac.th (stjohn.stjohn.ac.th [202.21.144.1]) by hub.freebsd.org (Postfix) with ESMTP id C4A4D37B405 for ; Tue, 14 Aug 2001 20:24:17 -0700 (PDT) (envelope-from mcrogerm@stjohn.ac.th)
Received: from tulip ([203.151.134.104]) by stjohn.stjohn.ac.th (8.9.3+Sun/8.9.3) with SMTP id KAA02930 for ; Wed, 15 Aug 2001 10:16:41 +0700 (ICT)
Message-Id: <3.0.6.32.20010815102308.007c6c10@stjohn.stjohn.ac.th>
X-Sender: mcrogerm@stjohn.stjohn.ac.th
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date: Wed, 15 Aug 2001 10:23:08 +0700
To: freebsd-questions@FreeBSD.ORG
From: Roger Merritt
Subject: Re: deny access
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

At 01:19 AM 8/14/01 -0600, you wrote:
>Lee Mark Mercado wrote to freebsd-questions@FreeBSD.ORG:
>
>> how could i deny login from FTP & TELNET - allowing only
>> POP3 access to certain accounts on my freeBSD box.
>>
>> please help. thx
>
>Three basic strategies, in increasing order of strength:
>
>1) Enable some, but not all, accounts from logging in remotely.
>   Add users who should not be granted ftp access to /etc/ftpusers
>   Set users' shells to /sbin/nologin to prevent shell access
>2) Set up ipfw (man 8 ipfw) to limit network access to those services.
>   Perhaps you wish to only allow ftp and telnet to users on the
>   local network, or some trusted machines. Firewall configuration
>   is beyond the scope of this message, but not beyond the scope
>   of this mailing list. If you want to go this route, I/we can
>   help.
>3) Disable the services entirely. No one, not even a local user,
>   could then access the machine via telnet or ftp. This is perhaps
>   the easiest, and, if you do not require those services at all,
>   it is definitely the safest. Here's how:
>
>Edit /etc/inetd.conf and comment out the "telnet" and
>"ftp" services. Telnet is shown here.
>
>telnet stream tcp nowait root /usr/libexec/telnetd telnetd
>
>Comment out the line (insert #):
>
>#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
>
>The procedure is identical for ftpd.
>
>If you use IPv6, find and comment out the IPv6 telnetd and ftpd as well.
>
>With those two lines commented out, save the file, and restart the
>Internet daemon:
>
>  kill -1 `cat /var/run/inetd.pid`
>
>Note the quotation marks are actually "backticks"--backwards pointing
>single quotes, usually found on the same key cap as the tilde (~)
>character.
>
>Having done that, attempt to telnet or ftp to the local host. You should
>get a "connection refused" error, indicating that the service is disabled.
>
>Script started on Tue Aug 14 01:18:25 2001
>ryan@ren $ telnet localhost
>Trying 127.0.0.1...
>telnet: Unable to connect to remote host: Connection refused
>ryan@ren $ exit
>
>Script done on Tue Aug 14 01:18:29 2001
>
>Hope this helps!
>- Ryan
>
>--
>  Ryan Thompson
>  Network Administrator, Accounts
>

Ryan's advice is excellent. Another article with helpful suggestions is at:

--
Roger
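The inetd.conf edit Ryan describes above, as an added example that is not part of the thread: a small POSIX sh script that comments out the telnet and ftp entries (including the tcp6 variants) in an inetd.conf-style file and then lists what inetd would still start. It takes the file path as an argument so it can be rehearsed on a copy before touching /etc/inetd.conf; the sample inetd.conf lines are constructed here, and the BSD column layout (service, socket type, protocol, wait, user, server, args) is assumed.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a BSD-style
# inetd.conf layout where the first field is the service name.

# comment_out_services FILE SERVICE...
# Prefix every active line whose first field is one of SERVICE with '#'.
# Lines already commented are left alone, so repeated runs are harmless.
comment_out_services() {
    file=$1; shift
    pattern=$(printf '%s|' "$@" | sed 's/|$//')     # e.g. "telnet|ftp"
    # awk: comment lines pass through; a matching service line gets '#'.
    awk -v pat="^(${pattern})\$" '
        /^[[:space:]]*#/ { print; next }
        $1 ~ pat        { print "#" $0; next }
                        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# active_services FILE
# Print the service name of each uncommented, non-blank line, i.e. what
# inetd would still start. Run this after editing to confirm the result.
active_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# Constructed sample (not a real /etc/inetd.conf) to rehearse on.
demo=$(mktemp) || exit 1
cat > "$demo" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper popper
EOF
comment_out_services "$demo" telnet ftp
active_services "$demo"      # only pop3 is left active
rm -f "$demo"
# On the real file, follow up with the signal from the reply so inetd
# re-reads its configuration:  kill -1 `cat /var/run/inetd.pid`
```

The `telnet localhost` check from the reply is still the final confirmation: after the HUP, the connection should be refused.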