
Access control on sftp

M. Tariq Ayub
Regular Advisor

Access control on sftp

Hi,

I want to put IP and user restrictions on SFTP and FTP server. OS is Fedora Core 2.
Stuart Browne
Honored Contributor

Re: Access control on sftp

For 'vsftpd', it's fairly easy to restrict which IPs can connect.

You can either firewall port 21 out, or use the '/etc/hosts.allow' / '/etc/hosts.deny' tcp wrappers.

'sftp' however is a different beast altogether. As it's basically just an FTP interface to 'ssh', restricting IP addresses would also restrict them from using 'ssh'. If that's OK, then it's the same: firewall port 22 out, or add tcpwrapper entries.

i.e.
/etc/hosts.deny:

vsftpd: ALL

/etc/hosts.allow:

vsftpd: ,

see 'man hosts_access' for more details on how TCP wrappers work.
One long-haired git at your service...
Steven E. Protter
Exalted Contributor
Solution

Re: Access control on sftp

You might be better off creating a menu system triggered by .bash_profile that keeps the users off the command prompt and connects them to various applications sftp/ftp in that manner.

The problem there is even if you trap the ctrl-c or ctrl-break keystroke there may be ways for your users to break out.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Stuart Browne
Honored Contributor

Re: Access control on sftp

Wow, we read that and got completely opposite meanings!

So I guess clarification is in order.

Do you want to put restrictions on your users FTPing out of your server?

Or restrictions on users accessing your server?
One long-haired git at your service...
Gopi Sekar
Honored Contributor

Re: Access control on sftp

Can you please be more specific. As Stuart mentioned, it is not very clear what your objective is.

* If you want to block IP access to your FTP server, then you can do so by the hosts access list (/etc/hosts.allow and /etc/hosts.deny) or by using the iptables firewall. You can do the same to deny SFTP access.

* If you want to deny access to particular user logins through FTP, then you can do so by adding the login IDs in /etc/vsftpd/ftpusers.

I am not sure about SFTP though.

Regards,
Gopi
Never Never Never Giveup
M. Tariq Ayub
Regular Advisor

Re: Access control on sftp

I want to restrict users from accessing the server. Not going out, only incoming.
Stuart Browne
Honored Contributor

Re: Access control on sftp

Then what I've told you already is most of what you need.

As for restricting what users can FTP in, that's different.

I don't believe 'sftp' (via ssh) can do such restrictions, but 'vsftpd' most certainly can in the '/etc/vsftpd/vsftpd.conf'.
One long-haired git at your service...
Gopi Sekar
Honored Contributor

Re: Access control on sftp

So what I have told you holds true. Use /etc/hosts.allow and /etc/hosts.deny for access restriction based on IP address, or you can use iptables to block the port.

And if you want to restrict users by login ID, then you can do so by adding them in /etc/vsftpd/ftpusers.

Hope this helps,
Gopi
Never Never Never Giveup
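To see how the hosts.deny / hosts.allow pairing that Stuart and Gopi describe behaves (and why an 'sshd' entry shuts out ssh, scp and sftp alike), here is an added Python illustration that is not code from the thread: it mimics the lookup order of hosts_access(5) over constructed sample files. It understands only ALL, exact addresses, dotted prefixes and CIDR networks; real tcpd also handles hostnames, EXCEPT and shell commands, which are left out.

```python
import ipaddress

# Constructed sample files in the shape the thread suggests: deny the daemons
# to everyone in hosts.deny, then re-allow only the office addresses.
HOSTS_ALLOW = """
# hosts.allow is consulted first; the first matching line wins
vsftpd : 192.168.1.0/24
sshd : 192.168.1.10, 10.0.0.
"""
HOSTS_DENY = """
# hosts.deny is consulted only when nothing in hosts.allow matched
vsftpd : ALL
sshd : ALL
"""

def _parse(text):
    """Yield (daemons, clients) lists from 'daemon_list : client_list' lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        yield ([d.strip() for d in daemons.split(",")],
               [c.strip() for c in clients.split(",")])

def _client_matches(pattern, ip):
    """Match one client pattern (ALL, dotted prefix, CIDR, exact) against ip."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # dotted prefix such as 10.0.0.
        return ip.startswith(pattern)
    if "/" in pattern:                 # CIDR network such as 192.168.1.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern               # exact address

def _file_matches(text, daemon, ip):
    """True if any line in text names this daemon (or ALL) and this client."""
    return any((daemon in daemons or "ALL" in daemons)
               and any(_client_matches(p, ip) for p in clients)
               for daemons, clients in _parse(text))

def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Apply hosts_access(5) order: allow file, then deny file, else permit."""
    if _file_matches(allow, daemon, ip):
        return True
    if _file_matches(deny, daemon, ip):
        return False
    return True  # a daemon listed in neither file stays reachable from anywhere

if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.10"), ("sshd", "203.0.113.5"), ("in.telnetd", "203.0.113.5")]:
        print(daemon, ip, "allow" if hosts_access(daemon, ip) else "deny")
```

Note the last case: a daemon that appears in neither file is admitted from anywhere, so a 'vsftpd: ALL' line in hosts.deny does nothing for sshd unless sshd is listed too.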
Ivan Ferreira
Honored Contributor

Re: Access control on sftp

You can restrict the users connecting through sftp using the AllowUsers / AllowGroups options in sshd_config (I think), but this also restricts the use of ssh, scp, etc.

Also, you can modify the /etc/pam.d/sshd pam file and stack pam_listfile.so

auth required pam_listfile.so item=user sense=deny file=/etc/sftpusers onerr=succeed

This should do the job.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?