BVLog Bryan Voss’ mental synchronization point

10Jun/100

FTP only shell for ProFTPd

I recently set up ProFTPd on an externally-accessible Ubuntu Linux server to allow remote users to download software updates. In order to lock the user account down somewhat, I set the account's shell to /bin/false in /etc/passwd . I thought that would allow FTP access without allowing the account to login via ssh. Unfortunately, that did not work. The account was denied access because ProFTPd was checking to make sure the shell exists in /etc/shells .

I did a little googling and found a solution on the somewhat-horrendous-but-ubiquitous Experts Exchange site. With a little tweaking, it works great.

  1. Create a file: /bin/ftponly
    #!/bin/bash
    echo "This account is only allowed FTP access."

  2. Add /bin/ftponly to /etc/shells file
  3. Change shell for user account either by using chsh or editing /etc/passwd directly

Once this is done, ProFTPd considers ftponly a valid shell and allows FTP access. As a side bonus, attempting to login via ssh or other means displays a useful message rather than just dropping the connection.

Now, on to finding a solution for the continuous brute force login attempts that are filling up the ProFTPd logfiles...

Comments (0) Trackbacks (0)

No comments yet.


Leave a comment

No trackbacks yet.