How to disable ftp for everyone, but then enable only for select users?

#1 Thu, 10/11/2018 - 06:06
amityweb

It seems by default when creating virtual servers FTP is enabled. There is no option to disable that in the settings like you can for SSL, Apache, MySQL etc. So ALL my user accounts have FTP.

Due to FTP being unsecure, we just close the port in the firewall, so only approved IP addresses can access FTP (and SFTP, SSH for that matter). Not many of our customers need FTP or SFTP access so it's OK. On most of my servers we don't even run the FTP server because we use SFTP.

BUT very occasionally, like now, I have a customer who needs FTP, and not SFTP. And they are on a dynamic IP. So I don't want to open the port server wide.

It would be ideal if I could just block ALL FTP access for everyone, and then just enable it for the few accounts who need it. I will let them know it is not secure, and so a disclaimer about it. But at least I am not opening up all my other accounts for potential hacking due to people having the FTP username and password somehow.

So is this possible, to disable FTP for all users, then re-enable for a select few only? It would be good if Virtualmin has that option in the Edit Virtual Server page.

Thanks!

Thu, 10/11/2018 - 14:40
jimdunn

If you edit your default shell (found in /etc/passwd) I have found the following options available:

# Setting a user's shell to /bin/false will disallow them from using FTP

usermod -s /dev/null username        # allows webmin control panel access only
usermod -s /bin/false username       # allows ftp only, no SSH
usermod -s /usr/bin/scponly username # allows SCP/SFTP only
usermod -s /bin/bash username        # allows control panel, ftp, scp/sftp, ssh

Sun, 10/14/2018 - 03:04
amityweb

Ok will take a look. Thanks.

Thu, 10/18/2018 - 10:33
amityweb

In Webmin -> Users and Groups, I have a user I created for FTP. Their shell is set to /bin/false, BUT I can still log in with their FTP?

Thu, 10/18/2018 - 10:36
amityweb

Just noticed /bin/false above does state they get FTP and not SSH.

I guess one of these may work:

/usr/bin/scponly -> if I want them to have SFTP
/dev/null -> no FTP or SFTP/SSH

Will try these

Thanks

Thu, 10/18/2018 - 10:37
amityweb

Oh, I forgot to ask: if I disable the shell, does that mean any cron jobs running as them won't run?

Thu, 10/18/2018 - 10:48
amityweb

scponly is allowing a user FTP also, so it's no good. So I can't see how to allow SSH and/or SCP but not FTP.

Fri, 10/19/2018 - 11:21
jimdunn

Unless you disable FTP entirely, allowing any access usually allows FTP access.

I suppose you could add the user to the /etc/ftpusers file...

Fri, 10/19/2018 - 11:28
amityweb

I am really surprised by this. Considering FTP is not secure, I am surprised it's enabled for all server owner users by default with no means to disable it. The FTP login even links to the entire account directory, and not some sub-folder you want to use for FTP. I try to improve security on the server, and want to just have this one FTP login go to a folder that's not even accessible under public_html, but I have to open all accounts' FTPs to all their public_html folders in order to do it.

In the features section there is ProFTP and I can choose to add it, like you can with Apache and all that, but when I go to Edit the server where you choose to enable Apache, SSL etc. there is no ProFTP option. I don't understand why it's in features if it's not used like that and everyone just gets it. It even shows no domains are using it, but then everyone is using it as they all get it by default.

It's a bizarre setup, and bizarre that it's enabled by default.

So yes, I have had to add all users into /etc/ftpusers, but this is not practical because every time I add a new server I have to remember to add that user into /etc/ftpusers. It really should be the other way around, disabled by default with a choice to enable it for certain users. I don't get why I need to give loads of users FTP access just so one person on the server can have it.

Something to improve in a future release maybe?

Thanks
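
One way to avoid maintaining /etc/ftpusers by hand, as an added example that is not part of the original thread or of Virtualmin: regenerate the deny list as "every local account except an allowlist", so newly created server owners are denied FTP until explicitly allowed. The function names, the allowlist file and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: rebuild an FTP deny list (the /etc/ftpusers format: one
# username per line) as "every local account except an allowlist".

# build_ftp_denylist ALLOW_FILE PASSWD_FILE
# Prints each account in PASSWD_FILE that is absent from ALLOW_FILE.
build_ftp_denylist() {
    awk -F: '
        # Compare FILENAME rather than NR==FNR so an empty allowlist is not
        # mistaken for the passwd file (which would deny nobody).
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") allow[$0] = 1
            next
        }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        !($1 in allow) { print $1 }
    ' "$1" "$2" | sort -u
}

# install_ftp_denylist ALLOW_FILE PASSWD_FILE TARGET
# Replaces TARGET atomically; keeps the old list if generation fails or is empty.
install_ftp_denylist() {
    tmp=$(mktemp "$3.XXXXXX") || return 1
    if build_ftp_denylist "$1" "$2" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp" && mv "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample data; on a real host the arguments would be an
# allowlist file (hypothetical path), /etc/passwd and /etc/ftpusers.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
    'shopowner:x:1001:1001::/home/shopowner:/bin/bash' \
    'ftpclient:x:1002:1002::/home/ftpclient:/bin/false' > "$demo_dir/passwd"
printf '%s\n' '# accounts that may use FTP' 'ftpclient' > "$demo_dir/ftp.allow"
install_ftp_denylist "$demo_dir/ftp.allow" "$demo_dir/passwd" "$demo_dir/ftpusers"
cat "$demo_dir/ftpusers"
```

Run from cron or after each new virtual server is created. ProFTPD consults /etc/ftpusers only while its UseFtpUsers directive is on, which is the default.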
