Xref: sserve comp.unix.admin:21236 comp.os.386bsd.questions:11861
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!msuinfo!agate!howland.reston.ans.net!europa.eng.gtefsd.com!news.umbc.edu!eff!news.kei.com!babbage.ece.uc.edu!montjoy
From: montjoy@thor.ece.uc.edu (Robert Montjoy)
Newsgroups: comp.unix.admin,comp.os.386bsd.questions
Subject: Re: telnet security
Date: 28 Jul 1994 23:05:29 GMT
Organization: University of Cincinnati, ECE Dept
Lines: 49
Message-ID: <319djp$4nm@babbage.ece.uc.edu>
References: <30kcmo$j0o@panix2.panix.com> <318dnd$b2j$1@garnet.msen.com>
NNTP-Posting-Host: thor.ece.uc.edu

In article <318dnd$b2j$1@garnet.msen.com>,
Mike Pelletier <mpelletier@ofgw.ntt.com> wrote:
>In article <30kcmo$j0o@panix2.panix.com>, richard <rpritz@panix.com> wrote:
>>what do i do to make an account not accessible from telnet or ftp? i
>>assume it's one of the /etc files. i'm using freebsd
>
>Of course, the first thing you can do is remove their password by putting
>an "x" or a "*" in the password field in /etc/passwd. If you want to
>save their passwords, though, like for restricting access during certain
>hours, there's a few things you can do short of buying UNICENTER.
>
>Assuming that FreeBSD is like other BSD systems I've worked with, you can
>disable *all* access to the system for all accounts if you
>edit the /etc/inetd.conf and comment out the lines for "telnet" and "ftp".
>Once you "kill -HUP" the inetd process, when people try to telnet or ftp
>to your system, they'll get "Connection refused." Of course, this means
>that you can't telnet to it either.
>
>However, there's a way around that too -- if you change the /etc/services
>telnet line to a different port number that only you know, and telnet to
>that port when you want to log in.
>
>If you don't want to be that draconian, you can restrict users' access to
>FTP using the file /etc/ftpusers -- if a user is listed in that file,
>he or she won't be able to log in via FTP. I've got a system like this,
>and I just wrote a cron script to create /etc/ftpusers based on a file
>of permitted users in /etc/ftpusers.allow. I don't think there's anything
>analogous for telnet, however.
>
>One thing you can do to prevent their login via telnet, though, is to
>set their shell to /bin/false. If you want to keep their shell info,
>though, you can modify their .profile and put a "kill -HUP $$" as the
>first line.
>
>Lots of fun things you can do.
>
>Good luck!
>
>	-Mike.

These are all good ideas, but do not forget about rsh and rlogin.

--
Rob Montjoy - Computer Engineer/Systems Administrator
University of Cincinnati - Electrical and Computer Engineering
E-Mail: Rob.Montjoy@UC.EDU - Personal or Other E-Mail
--
To Save the Earth. The Humans must die.
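
The quoted text mentions a cron script that regenerates /etc/ftpusers from a list of permitted users in /etc/ftpusers.allow. The following is an added example of such a script, not the one from the thread; the function names, the "#" comment syntax in the allow file and the choice to deny everyone when the allow file is missing are assumptions.

```shell
#!/bin/sh
# Added example: build an /etc/ftpusers deny list from an allow list.
# Prints every account in passwd_file that is NOT named in allow_file.
# A missing or unreadable allow file denies every account (fail closed).
build_ftpusers() {
    passwd_file=$1
    allow_file=$2
    [ -r "$allow_file" ] || allow_file=/dev/null
    awk -F: '
        # First file, the allow list: strip comments and whitespace.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 != "") allowed[$0] = 1
            next
        }
        # Second file, passwd: skip comments, blank lines and NIS +/- entries.
        /^[#+-]/ || $1 == "" { next }
        !($1 in allowed) && !seen[$1]++ { print $1 }
    ' "$allow_file" "$passwd_file"
}

# Write the result via a temp file and rename, so ftpd never reads a
# half-written list and a failed run leaves the old list in place.
install_ftpusers() {
    out=$3
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if build_ftpusers "$1" "$2" > "$tmp" && chmod 644 "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demo on constructed sample files in a scratch directory (not real /etc files).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:*:0:0:Charlie:/root:/bin/csh' \
        'alice:*:1001:1001:Alice:/home/alice:/bin/sh' \
        'bob:*:1002:1002:Bob:/home/bob:/bin/sh' > "$d/passwd"
    printf '%s\n' '# users permitted to use FTP' 'alice   # staff' > "$d/ftpusers.allow"
    install_ftpusers "$d/passwd" "$d/ftpusers.allow" "$d/ftpusers" && cat "$d/ftpusers"
    rm -rf "$d"
}
demo
```

From cron the call would be `install_ftpusers /etc/passwd /etc/ftpusers.allow /etc/ftpusers`; the list only governs FTP logins, so it does nothing for the rsh and rlogin paths raised in the reply.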