From: Ryan Thompson <ryan@sasknow.com>
To: Lee Mark Mercado
Cc: freebsd-questions@FreeBSD.ORG
Date: Tue, 14 Aug 2001 01:19:39 -0600 (CST)
Subject: Re: deny access
Organization: SaskNow Technologies [www.sasknow.com]
List: freebsd-questions@freebsd.org

Lee Mark Mercado wrote to freebsd-questions@FreeBSD.ORG:

> How could I deny login from FTP & TELNET, allowing only
> POP3 access to certain accounts on my FreeBSD box?
>
> Please help. Thx.

Three basic strategies, in increasing order of strength:

1) Allow some, but not all, accounts to log in remotely.

   Add users who should not be granted ftp access to /etc/ftpusers.
   Set users' shells to /sbin/nologin to prevent shell access.

2) Set up ipfw (man 8 ipfw) to limit network access to those services.
   Perhaps you wish to only allow ftp and telnet to users on the local
   network, or some trusted machines. Firewall configuration is beyond
   the scope of this message, but not beyond the scope of this mailing
   list. If you want to go this route, I/we can help.

3) Disable the services entirely. No one, not even a local user, could
   then access the machine via telnet or ftp. This is perhaps the
   easiest, and, if you do not require those services at all, it is
   definitely the safest.

Here's how:

Edit /etc/inetd.conf and comment out the "telnet" and "ftp" services.
Telnet is shown here:

    telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd

Comment out the line (insert #):

    #telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd

The procedure is identical for ftpd. If you use IPv6, find and comment
out the IPv6 telnetd and ftpd entries as well.

With those two lines commented out, save the file, and restart the
Internet daemon:

    kill -1 `cat /var/run/inetd.pid`

Note the quotation marks are actually "backticks"--backwards pointing
single quotes, usually found on the same key cap as the tilde (~)
character.

Having done that, attempt to telnet or ftp to the local host. You should
get a "connection refused" error, indicating that the service is
disabled.

    Script started on Tue Aug 14 01:18:25 2001
    ryan@ren $ telnet localhost
    Trying 127.0.0.1...
    telnet: Unable to connect to remote host: Connection refused
    ryan@ren $ exit

    Script done on Tue Aug 14 01:18:29 2001

Hope this helps!

- Ryan

--
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161  Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America
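The file edits behind strategies 1 and 3 above, as an added example that is not part of Ryan Thompson's message or of FreeBSD itself. The functions take the file path as an argument so they can be exercised on constructed copies (the sample inetd.conf and ftpusers below are made up for the demo) before being pointed at the real /etc files. It assumes the 2001-era layout the message describes: one /etc/inetd.conf, an ftpusers file that ftpd reads as a plain deny list, and an inetd that re-reads its configuration on SIGHUP. The function and variable names (disable_inetd_service, harden, demo_dir, and so on) are the example's own.

```shell
#!/bin/sh
# Added example, not from the original message or from FreeBSD.
# Comments out inetd services, maintains the ftpusers deny list, and
# shows the two real-system steps (nologin shell, HUP inetd) as functions.
set -eu

# disable_inetd_service FILE SERVICE
# Comment out every active line in FILE whose first field is SERVICE.
# The third field is the protocol (tcp or tcp6), so matching on the first
# field alone also catches the IPv6 entries the message mentions.
disable_inetd_service() {
    _file=$1; _svc=$2
    _tmp=$(mktemp "${_file}.XXXXXX")
    awk -v svc="$_svc" '
        $0 !~ /^[ \t]*#/ && $1 == svc { print "#" $0; next }
        { print }
    ' "$_file" > "$_tmp"
    mv "$_tmp" "$_file"
}

# active_inetd_services FILE
# Print the service names still enabled in FILE, one per line. Real
# inetd.conf entries have at least six fields (service socket proto
# wait user server), which filters out blank and comment lines.
active_inetd_services() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# deny_ftp_user FTPUSERS USER
# Add USER to the ftpusers deny list exactly once.
deny_ftp_user() {
    grep -qx -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# ftp_denied FTPUSERS USER: succeeds if USER is on the deny list.
ftp_denied() {
    grep -qx -- "$2" "$1"
}

# Real-system steps from the message; defined here, not run by the demo.
lock_shell()   { pw usermod "$1" -s /sbin/nologin; }       # FreeBSD pw(8)
reload_inetd() { kill -HUP "$(cat /var/run/inetd.pid)"; }  # same as kill -1

# make_sample_files DIR
# Write constructed copies of inetd.conf and ftpusers into DIR.
make_sample_files() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample, not a real FreeBSD /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper popper -s
EOF
    printf 'root\n' > "$1/ftpusers"
}

# harden DIR
# Apply strategies 1 and 3 to the files in DIR: drop telnet and ftp from
# inetd.conf and put the hypothetical account "lee" on the ftp deny list.
harden() {
    disable_inetd_service "$1/inetd.conf" telnet
    disable_inetd_service "$1/inetd.conf" ftp
    deny_ftp_user "$1/ftpusers" lee
    deny_ftp_user "$1/ftpusers" lee   # second call must not add a duplicate
}

demo_dir=$(mktemp -d)
make_sample_files "$demo_dir"
harden "$demo_dir"
echo "services still enabled in inetd.conf:"
active_inetd_services "$demo_dir/inetd.conf"   # only pop3 remains
echo "ftp deny list:"
cat "$demo_dir/ftpusers"
rm -r "$demo_dir"
```

On a live system the sequence is: run disable_inetd_service against /etc/inetd.conf, then reload_inetd, then repeat the "connection refused" check from the message. A caveat worth knowing for strategy 1: FreeBSD's ftpd also refuses any account whose shell is not listed in /etc/shells, so giving a user /sbin/nologin closes ftp as well as telnet for that account, while a POP3 daemon that only checks the password keeps working.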