
Restrict FTP

 
Aggy
Frequent Advisor

Restrict FTP

We want to restrict FTP Users.
OS - 11.23
I am aware that user logins need to be added to /etc/ftpd/ftpusers, but as we have nearly 2000 users it becomes difficult to manage this file because only a few users need ftp access.

Is there a way you can reverse it,
i.e. a file like ftpusers where you just add the user logins you want to give access to FTP?



lawrenzo
Trusted Contributor

Re: Restrict FTP

Hi,

What I would do is create a file with the user names that I want to have ftp access, i.e. /etc/ftp.allow.

Then run a small script that creates a list of users from the system's user list and outputs the data into /etc/ftpusers, thus creating the list of users that do not have access:

cut -d':' -f1 /etc/passwd | grep -vxF -f /etc/ftp.allow | sort > /etc/ftpusers

Run this every time a new user is created.
hello
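
The allow-list-to-deny-list approach described above, as an added example that is not part of the original post: it compares whole login names, so an allow entry "bob" does not also cover "bobby" the way a regex filter such as egrep -v -f would, and it replaces the deny list in a single rename. The function name, the temporary directory and the sample accounts are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are arguments, so it can be
# tried on copies before pointing it at the real files.

# build_ftp_deny PASSWD_FILE ALLOW_FILE OUT_FILE
# Writes every login in PASSWD_FILE that is not listed in ALLOW_FILE.
build_ftp_deny() {
    passwd_file=$1; allow_file=$2; out_file=$3
    # Fail without touching the deny list if an input is missing.
    [ -r "$passwd_file" ] && [ -r "$allow_file" ] || return 2
    tmp="$out_file.new.$$"
    awk -F: -v allow="$allow_file" '
        BEGIN {
            # Load the allow list; skip blanks and # comments, trim trailing space.
            while ((getline line < allow) > 0) {
                sub(/[ \t\r]+$/, "", line)
                if (line != "" && line !~ /^#/) ok[line] = 1
            }
        }
        # Whole-field comparison: "bob" in the allow list does not cover "bobby".
        $1 != "" && !($1 in ok) { print $1 }
    ' "$passwd_file" | sort -u > "$tmp" || { rm -f "$tmp"; return 1; }
    # Replace in one rename so ftpd never reads a half-written list.
    mv "$tmp" "$out_file"
}

demo() {
    d="${TMPDIR:-/tmp}/ftpdeny.$$"; mkdir -p "$d" || return 1
    # Constructed sample data.
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' 'bob:*:101:20::/home/bob:/usr/bin/ksh' \
        'bobby:*:102:20::/home/bobby:/usr/bin/ksh' \
        'test1:*:103:20::/home/test1:/usr/bin/ksh' > "$d/passwd"
    printf '%s\n' '# FTP allowed' 'bob' > "$d/ftp.allow"
    build_ftp_deny "$d/passwd" "$d/ftp.allow" "$d/ftpusers" || return 1
    echo "exact match denies:  $(tr '\n' ' ' < "$d/ftpusers")"
    # A regex filter treats "bob" as a pattern and leaves bobby off the deny list.
    echo "egrep -v -f denies:  $(cut -d: -f1 "$d/passwd" | grep -E -v -f "$d/ftp.allow" | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

An empty allow list produces a deny list containing every account, and an unreadable input leaves the existing deny list untouched.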
Rasheed Tamton
Honored Contributor

Re: Restrict FTP

If you want to exclude /etc/ftpd/ftpusers - then restrict and give access using /var/adm/inetd.sec as below:

ftp allow 172.....

or

---------
Try wu_ftpd
---------

or

awk -F: '{print $1}' /etc/passwd > outputfile
vi outputfile and redirect to /etc/ftpd/ftpusers


You are done.
Wouter Jagers
Honored Contributor

Re: Restrict FTP

Another possible 'workaround':

When a user tries to open an ftp session, his/her shell (defined in passwd) is checked against /etc/shells (which holds a list of 'legal' shells). Users whose shell is not in this list will not be able to start an ftp session.

Some years ago I learned about this 'the hard way': I couldn't FTP to one of our machines while all my colleagues could. Turned out my dear ksh was not in the shells file.

If your situation allows it, you could perhaps use this as a workaround.. although I'm unsure about how 'clean' a solution I would call this myself ;-)

Cheers,
Wout
an engineer's aim in a discussion is not to persuade, but to clarify.
Court Campbell
Honored Contributor

Re: Restrict FTP

You could install proftpd. It can be downloaded from software.hp.com. It has a lot more options for this sort of thing. You might look into the AllowGroup directive:

http://www.proftpd.org/docs/directives/configuration_full.html#ALLOWGROUP

You could set up an ftp group and allow access to that group. Just a suggestion.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Aggy
Frequent Advisor

Re: Restrict FTP

I am not sure, but I think I can use /etc/ftpd/ftphosts.
Just add the users I need to give ftp access and deny all in the last line.
Example as below:
allow test1 * (or Hostname)
allow test2 *
allow ftp1 *
deny * *
Wouter Jagers
Honored Contributor

Re: Restrict FTP

Well spotted!

Just checked the man pages and it looks like you're right.

Points to yourself ;-)

Cheers