My users will only be checking mail, and I want to disable FTP access as well as shell access under CentOS Linux. How do I disable shell (SSH) and FTP access to a new or old user under Linux without deleting user account?
You can easily disable shell, ssh and FTP access to a user using following commands:
- chsh command : It used to change your login shell.
- /sbin/nologin: Displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field for accounts that have been disabled.
Task: Disable Linux User Shell Account
Type the following command to disable shell access for tom:
# chsh -s /sbin/nologin {username}
# chsh -s /sbin/nologin tom
Sample Outputs:
Changing shell for tom Shell changed.
Where,
- -s /sbin/nologin: Politely refuse a login
- tom : The user name you wish to deny shell access to.
Task: Disable Linux FTP User Account
If you have VSFTPD ftp server or other FTP server add user to /etc/ftpusers or /etc/vsftpd/ftpusers (VSFTPD) file.
# echo tom >> /etc/ftpuser
OR
# echo tom >> /etc/vsftpd/ftpusers
Any user name added to /etc/ftpusers or /etc/vsftpd/ftpusers will prevent them from logging into FTP. However, this will still allow user to login via email (webmail or pop3 / IMAP) and download emails without shell access.
A Note About PAM and access.conf
Apart from above two method Linux supports pam and access.conf login tables.
Pam modules can be used to enable or disable access to certain services such as vsftpd, ssh, and so on. /etc/security/access.conf act as login access control table, which is useful to deny or login access based upon ip address, network location or tty name. When someone logs in, the file is scanned for the first entry that matches the (user, host) combination, or, in case of non-networked logins, the first entry that matches the (user, tty) combination. The permissions field of that table entry determines whether the login will be accepted or refused. See how to use pam modules to enable or disable login access. For e.g. deny access to tom, enter the following in /etc/security/access.conf
- : tom : ALL
Where,
- - : Deny access. a "+" character (plus) for access granted or a "-" character (minus) for access denied.
- tom: Username. It should be a list of one or more login names, group names, or ALL (which always matches).
- ALL : Deny access from all ip address.
Further readings:
- man pages access.conf, nologin, pam, chsh, vsftpd.conf
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- My 10 UNIX Command Line Mistakes
- 10 Greatest Open Source Software Of 2009
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
- Email FAQ to a friend
- Download PDF version
- Printable version
- Comment RSS feed
- Last Updated: 06/24/09
{ 8 comments… read them below or add one }
Why not use virtual users for email?
Hi,
Thanks for this information. Can anybody help me to get the ip address as Linux coding. I normally use the website ip details to get the ip address for windows. But i want to get the ip address for teh linux platform can anybody help me for the coding
Anurdh,
Can you elaborate your question pls?
Anurdh65,
To get the ip address of a linux box, type the following from the command prompt (bash shell):
ifconfig
Sometimes you can also get ip information using the following hack:
host `hostname`
To get the ip address of a windows box, type the following form the command promt (dos shell):
ipconfig
To get the just the IP Address under linux, try the following command:
ifconfig eth1 | grep 'inet'This will return both the IPv4 and IPv6 Addresses. If you only want the IPv4 Address, try the following:
ifconfig eth1 | grep 'Bcast'Change to the appropriate interface if it isn’t eth1.
Tim
kboodu
Setting shell to nologin do not prevent the user to forward ports with SSH.
alternative, you can edit /etc/passwd.
Ex.
Before :
ftpusers:x:1000:1000:cyber,,,:/home/ftpusers:/bin/bash
After :
ftpusersr:x:1000:1000:cyber,,,:/home/ftpusers:/usr/sbin/nologin
You can disable the account by locking it with:
passwd -l {username}
What it does is place a ‘!’ in front of the encrypted password in /etc/shadow.