How to prevent non-root users from logging in to the system using the nologin shell

Posted by Vivek Gite [Last updated: December 27, 2006]

How do you prevent non-root users from logging in to the system? How do you give a user ftp and mail access only? How do you set the shell to nologin to politely refuse a login?

Fear not, it is easy to deny access to a login shell :D. If the file /etc/nologin exists, login will allow access only to root. Other users will be shown the contents of this file and their logins will be refused. However, if you need to give a user ftp or mail access, set the user's shell to /sbin/nologin.

Red Hat (RHEL) / Fedora Core / CentOS specific example

For example, allow user tom to use ftp and mail but no shell access. Use the usermod command to set the new shell:
# usermod -s /sbin/nologin tom

You can also edit the /etc/passwd file and change the shell:
From:
/bin/bash
To:
/sbin/nologin

The following programs will not be affected by this shell (/sbin/nologin):

Please note that it prevents access to the shell and logs the attempt. All of the following programs are prevented from accessing the user account:

Debian / Ubuntu Linux specific example

Use the /bin/false shell under Debian / Ubuntu Linux (it does nothing and exits unsuccessfully). To set a nologin shell for user tom under Debian / Ubuntu, use:
$ sudo usermod -s /bin/false tom
OR
# usermod -s /bin/false tom

Caution: Do not set root user shell to /sbin/nologin or /bin/false.
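
To check the result of the changes above, here is an added example (not part of the original article) that audits a passwd-format file and reports which accounts still get a login shell, flagging root if its shell was set to a nologin shell. The sample accounts other than tom and root are constructed, and /usr/sbin/nologin is an assumed alternate path for the nologin binary.

```shell
#!/bin/sh
# Added example: audit which accounts in a passwd-format file get a login shell.

# Constructed sample data; only "tom" and "root" come from the article.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
tom:x:1001:1001::/home/tom:/sbin/nologin
jerry:x:1002:1002::/home/jerry:/bin/false
alice:x:1003:1003::/home/alice:/bin/bash
bob:x:1004:1004::/home/bob:
EOF
}

# $1 = passwd-format file (default /etc/passwd). One line per account:
#   NOLOGIN user shell | LOGIN user shell | WARN root shell
audit_shells() {
    awk -F: '
        /^#/ || NF < 7 { next }        # skip comments and malformed lines
        {
            user = $1; shell = $7
            # /sbin/nologin and /bin/false are from the article;
            # /usr/sbin/nologin is an assumed alternate install path.
            blocked = (shell == "/sbin/nologin" || shell == "/bin/false" ||
                       shell == "/usr/sbin/nologin")
            if (blocked && user == "root") print "WARN", user, shell
            else if (blocked)              print "NOLOGIN", user, shell
            else if (shell == "")          print "LOGIN", user, "/bin/sh(default)"
            else                           print "LOGIN", user, shell
        }' "${1:-/etc/passwd}"
}

# $1 = flag file (default /etc/nologin). If it exists, only root may log in.
nologin_flag() {
    if [ -e "${1:-/etc/nologin}" ]; then echo present; else echo absent; fi
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_passwd > "$tmp"
audit_shells "$tmp"
echo "/etc/nologin: $(nologin_flag)"
rm -f "$tmp"
```

Call audit_shells with no argument to check the live /etc/passwd. An empty shell field is reported as LOGIN because login falls back to /bin/sh in that case.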

Discussion on This Article:

  1. Zach True Says:

    On a Debian system, the nologin file does not exist. Is this a file that I can create? If so, do I stick it in /etc? Do I have to link it to a file in /sbin? Also, what should be the contents of the file?

    Thanks

  2. nixcraft Says:

    Zach,

    Good question.

    Use /bin/false on Debian or Ubuntu Linux system. Both /sbin/nologin and /bin/false are binary files. Don’t softlink them with shell/perl script.

    usermod -s /bin/false tom

  3. max Says:

    Zach,
    to deny non-root logins, simply ‘touch /etc/nologin’

  4. R_Smith Says:

    Hello,

    I have CentOS on dedicated server with Cpanel/WHM installed.

    I want more people to have access to Cpanel, but to disable main ftp domain access because if they FTP with the cpanel user/pass they will be able to access the folder MAIL.

    What I did so far: I changed the Cpanel/username password by: ssh passwd , this way the FTP password remained as the old one. This was a solution, because people were not able to use FTP with the Cpanel password. However, in 24h the FTP password was automatically synchronized with the Cpanel password - it became the same as cpanel password.

    1. How to disable main domain ftp access for Cpanel user?
    2. Maybe there is a way to disable automatic ftp password synchronization?

    Thanks in advance!!!

  5. nixcraft Says:

    You can use ‘FTP Manager’ to disable or enable FTP user.

  6. R_Smith Says:

    I was thinking about the main ftp account, that has access in the directory that is one level up from public_html. There is no option in Cpanel to change this ftp account password.

  7. nagendra rao Says:

    I got one problem in sftp. How to block sftp service to a particular user?
