Xref: sserve comp.unix.admin:21302 comp.os.386bsd.questions:11945
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!bunyip.cc.uq.oz.au!munnari.oz.au!constellation!osuunx.ucc.okstate.edu!newsfeed.ksu.ksu.edu!moe.ksu.ksu.edu!vixen.cso.uiuc.edu!howland.reston.ans.net!spool.mu.edu!nigel.msen.com!heifetz.msen.com!garnet.msen.com!not-for-mail
From: Mike Pelletier <mpelletier@ofgw.ntt.com>
Newsgroups: comp.unix.admin,comp.os.386bsd.questions
Subject: Re: telnet security
Date: 28 Jul 1994 10:01:17 -0400
Organization: National TechTeam, Inc., Dearborn, Michigan, USA
Lines: 37
Sender: ntt@garnet.msen.com
Message-ID: <318dnd$b2j$1@garnet.msen.com>
References: <30kcmo$j0o@panix2.panix.com>
NNTP-Posting-Host: garnet.msen.com

In article <30kcmo$j0o@panix2.panix.com>, richard <rpritz@panix.com> wrote:
>what do i do to make an account not accessible from telnet or ftp? i
>assume it's one of the /etc files. i'm using freebsd

Of course, the first thing you can do is remove their password by putting an "x" or a "*" in the password field in /etc/passwd. If you want to save their passwords, though, like for restricting access during certain hours, there's a few things you can do short of buying UNICENTER.

Assuming that FreeBSD is like other BSD systems I've worked with, you can disable *all* access to the system for all accounts if you edit the /etc/inetd.conf and comment out the lines for "telnet" and "ftp". Once you "kill -HUP" the inetd process, when people try to telnet or ftp to your system, they'll get "Connection refused." Of course, this means that you can't telnet to it either. However, there's a way around that too -- if you change the /etc/services telnet line to a different port number that only you know, and telnet to that port when you want to log in.

If you don't want to be that draconian, you can restrict users' access to FTP using the file /etc/ftpusers -- if a user is listed in that file, he or she won't be able to log in via FTP. I've got a system like this, and I just wrote a cron script to create /etc/ftpusers based on a file of permitted users in /etc/ftpusers.allow.

I don't think there's anything analogous for telnet, however. One thing you can do to prevent their login via telnet, though, is to set their shell to /bin/false. If you want to keep their shell info, though, you can modify their .profile and put a "kill -HUP $$" as the first line.

Lots of fun things you can do. Good luck!

-Mike.
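The post mentions a cron script that builds /etc/ftpusers from /etc/ftpusers.allow but does not show it. The following is an added example, not the poster's script: one way to generate the deny list so that a missing allow file denies everyone and a failed run never leaves an empty or half-written /etc/ftpusers. The function names and the allow-file format (one login per line, "#" for comments) are assumptions.

```sh
#!/bin/sh
# Added example: rebuild an ftpusers deny list from an allow list.
# Function names and the allow-file format (one login per line, "#" starts
# a comment) are assumptions; the post does not show its script.

# build_deny_list PASSWD ALLOW
# Print every login in PASSWD that is not listed in ALLOW. A missing ALLOW
# file denies every account; an unreadable PASSWD is an error, because an
# empty deny list would let everyone in.
build_deny_list() {
    passwd_file=$1
    allow_file=$2
    [ -r "$passwd_file" ] || return 1
    awk -F: -v allow="$allow_file" '
        BEGIN {
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") ok[line] = 1
            }
        }
        /^#/ || $1 == "" { next }      # skip comments and blank lines
        !($1 in ok) { print $1 }       # not permitted: goes on the deny list
    ' "$passwd_file" | sort -u
}

# write_ftpusers PASSWD ALLOW TARGET
# Build the list in a temp file beside TARGET, then rename it into place so
# ftpd never reads a half-written file and a failed run keeps the old list.
write_ftpusers() {
    tmp="$3.new.$$"
    ( umask 022; build_deny_list "$1" "$2" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$3"
}

# Constructed sample data; run "sh thisfile demo" to see it. Prints bob, root.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '%s\n' 'root:*:0:0::/root:/bin/sh' 'alice:*:1001:1001::/home/alice:/bin/sh' \
        'bob:*:1002:1002::/home/bob:/bin/false' > "$d/passwd"
    printf '%s\n' '# permitted FTP users' 'alice' > "$d/ftpusers.allow"
    write_ftpusers "$d/passwd" "$d/ftpusers.allow" "$d/ftpusers" && cat "$d/ftpusers"
    rm -rf "$d"
fi
```

From root's crontab this would be called as write_ftpusers /etc/passwd /etc/ftpusers.allow /etc/ftpusers after sourcing the file.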