From owner-freebsd-isp Thu Aug 21 08:49:37 1997
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.5/8.8.5) id IAA28990
    for isp-outgoing; Thu, 21 Aug 1997 08:49:37 -0700 (PDT)
Received: from connet80.com (connet80.connet80.com [199.2.214.253])
    by hub.freebsd.org (8.8.5/8.8.5) with SMTP id IAA28983
    for ; Thu, 21 Aug 1997 08:49:32 -0700 (PDT)
Received: (from meljr@localhost)
    by connet80.com (8.6.11/8.6.9) id IAA01416;
    Thu, 21 Aug 1997 08:49:14 -0700
Date: Thu, 21 Aug 1997 08:49:14 -0700 (PDT)
From: "Mel Lester Jr."
To: John Brown
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Remote Administration
In-Reply-To: <199708211451.000005B1@intra.vafibre.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 21 Aug 1997, John Brown wrote:

> I am setting up an ISP server running FreeBSD and would like to deny all
> shell access to my server but keep myself a way to get into the server for
> remote administration. Any ideas on the best way to accomplish this?

A combination of two strategies comes to mind. The easiest is to set any
entry in the /etc/passwd file that you want restricted to not have a
working shell. For example, instead of /usr/bin/bash or some other shell,
use /usr/bin/true to essentially eliminate shell access for these accounts.
The users can still send and receive e-mail, use FTP to maintain web pages,
but can't log in over dial-up or telnet.

For further security, TCP wrappers are easy to use. See the August 1997
issue of the Linux Journal (FreeBSD needs a similar publication IMHO) for a
nice cookbook example of how to further restrict access to "trusted" hosts.

-mel
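
The following is an added example, not part of the original message: a small audit for the first strategy above, listing accounts in a passwd-format file that still have a working login shell. The function names, the `admin` account, the sample entries and the list of no-login shells other than /usr/bin/true are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report accounts that can still get a shell, skipping an
# allowlist of administrator accounts that are meant to keep one.

# Shells treated as "no shell access". /usr/bin/true is the one named in
# the message; the rest are common equivalents (assumption).
NOSHELLS="/usr/bin/true /bin/true /usr/bin/false /bin/false /sbin/nologin /usr/sbin/nologin /nonexistent"

# audit_shells FILE [ADMIN...]
# FILE is in passwd(5) format ("-" reads standard input). Prints
# "user:shell" for every non-allowlisted account whose 7th field is not in
# NOSHELLS. An empty shell field falls back to /bin/sh, so it is reported.
audit_shells() {
    file=$1; shift
    awk -F: -v noshells="$NOSHELLS" -v admins="$*" '
        BEGIN {
            n = split(noshells, a, " "); for (i = 1; i <= n; i++) deny[a[i]] = 1
            n = split(admins, b, " ");   for (i = 1; i <= n; i++) admin[b[i]] = 1
        }
        /^#/ || NF < 7 { next }    # skip comments and malformed lines
        ($1 in admin)  { next }    # remote-admin accounts keep their shell
        {
            sh = ($7 == "") ? "(empty: defaults to /bin/sh)" : $7
            if (!($7 in deny)) print $1 ":" sh
        }
    ' "$file"
}

# Constructed sample data, not taken from any real system.
sample_passwd() {
    cat <<'EOF'
# constructed passwd entries
root:*:0:0:Superuser:/root:/bin/csh
admin:*:1001:1001:Remote admin:/home/admin:/bin/sh
alice:*:1002:1002:Mail and FTP only:/home/alice:/usr/bin/true
bob:*:1003:1003:Forgotten account:/home/bob:/usr/local/bin/bash
carol:*:1004:1004:Empty shell field:/home/carol:
EOF
}

# Demo: everything except the allowlisted "admin" account is checked.
sample_passwd | audit_shells - admin
```

On FreeBSD, ftpd only accepts users whose shell is returned by getusershell(3), so a replacement shell such as /usr/bin/true has to be listed in /etc/shells for FTP logins to keep working.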