topic Re: Restrict FTP in Operating System - HP-UX

Restrict FTP

Aggy — Mon, 16 Apr 2007 05:51:32 GMT

We want to restrict FTP Users.
OS - 11.23
I am aware that user logins needs to be added to the /etc/ftpd/ftpusers but as we have nearly 2000 users it becomes difficult to manage this file because only few users need ftp access.

Is there a way you can reverse it
i.e a file like ftpusers where you just add the user logins you want to give access to FTP.

Re: Restrict FTP

lawrenzo — Mon, 16 Apr 2007 06:42:48 GMT

Hi,

what I would do is create a file with the user names that I want to have ftp access ie /etc/ftp.allow.

then run a small script that creates a list of users from the systems user list and output the data into /etc/ftpusers thus creating the list of users that do not have access:

cat passwd | cut -d':' -f1 | egrep -v -f /etc/ftp.allow | sort >
/etc/ftpusers

run this everytime a new user is created

Re: Restrict FTP

Rasheed Tamton — Mon, 16 Apr 2007 06:57:42 GMT

If you want to exclude /etc/ftpd/ftpusers - then restrict and give access using /var/adm/inetd.sec as below:

ftp allow 172.....

or

---------
Try wu_ftpd
---------

or

awk -F: '{print $1}' /etc/passwd > outputfle
vi outputfile and redirect to /etc/ftpd/ftpusers

You are done.

Re: Restrict FTP

Wouter Jagers — Mon, 16 Apr 2007 07:23:50 GMT

Another possible 'workaround':

When a user tries to open an ftp session, his/her shell (defined in passwd) is checked against /etc/shells (which holds a list of 'legal' shells). Users whose shell is not in this list will not be able to start an ftp session.

Some years ago I learned about this 'the hard way': I couldn't FTP to one of our machines while all my colleagues could. Turned out my dear ksh was not in the shells file.

If your situation allows it, you could perhaps use this as a workaround.. although I'm unsure about how 'clean' a solution I would call this myself ;-)

Cheers,
Wout

Re: Restrict FTP

Court Campbell — Mon, 16 Apr 2007 07:39:03 GMT

you could install proftpd. It can be downloaded from software.hp.com. It has a lot more options for this sort of thing. You might look into the AllowGroup directive:

http://www.proftpd.org/docs/directives/configuration_full.html#ALLOWGROUP

You could setup an ftp group and allow access to that group. Just a suggestion.

Re: Restrict FTP

Aggy — Mon, 16 Apr 2007 07:51:56 GMT

I am note sure but I think I can use /etc/ftpd/ftphosts
Just add the users I need to give ftp access and deny all in last line
example as below
allow test1 * (or Hostname)
allow test2 *
allow ftp1 *
deny * *

Re: Restrict FTP

Wouter Jagers — Mon, 16 Apr 2007 08:59:10 GMT

Well spotted !

Just checked the man pages and it looks you're right.

Points to yourself ;-)

Cheers