Prevent users from logging into your system

If you are a system administrator who allows remote access to your server or desktop, you may want to prevent certain users from logging into the system, both remotely and locally. This article will explain how to prevent certain users from logging into your Linux machine via SSH (OpenSSH_4.4p1) and FTP (vsftpd 2.0.5).

First we must understand that in most cases there are two different ways an allowed user may be logging into your Linux server.

  1. Secure Shell (SSH)
  2. File Transfer (FTP)

Preventing access to the SSH server:

The best and most secure way to run an SSH server is to batten down the hatches as much as possible. In this example, I will show you how to edit your sshd_config file so that only certain users (not “joe”) can access the system via SSH. Let's say that you want to prevent the user “joe” from logging in via SSH, but you still want him to be able to access the machine via FTP. Here is what you would do:

  • Open /etc/ssh/sshd_config in your favorite text editor.
    • vim /etc/ssh/sshd_config
  • Add a line that says AllowUsers
    • AllowUsers adamk tim sean jacob dave
    • Note that joe is not included here.
  • Save the sshd_config file.
  • Restart your sshd daemon.

Another (quick) way to do this in one simple command is:

    • echo "AllowUsers adamk tim sean jacob dave" >> /etc/ssh/sshd_config

With this modification to /etc/ssh/sshd_config, Joe can access your system via FTP only.

Preventing access to the FTP server:

Now let's look at how to prevent the user “joe” from logging into your server via FTP. Here is what you would do:

  • Open /etc/ftpusers in your favorite text editor.
    • vim /etc/ftpusers
  • Add “joe” to the bottom of the file.
  • Save the file.
  • Joe will now be unable to log in via FTP to your machine.

Completely disable a user's access:

To completely prevent the user “joe” from accessing the system, here is what you would do:

  • Open /etc/passwd in your favorite text editor.
    • vim /etc/passwd
  • Locate the line that starts with “joe”.
    • joe:x:1000:100:Joe,,,:/home/joe:/bin/bash
  • Change the “x” to a “*”
    • joe:*:1000:100:Joe,,,:/home/joe:/bin/bash
  • Save the file.
  • Joe is now locked out of the machine.

Another (quick) way to lock a user's access is:

  • passwd -l joe
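
To check the result of the steps above, the following added example (not part of the original article) reads the three files and reports, per user, whether SSH and FTP are allowed and whether the password field is locked. The function names and sample files are constructed for illustration, and only exact user names on AllowUsers lines are matched.

```shell
#!/bin/sh
# Added example: report which of the article's lockout methods apply to a user.
# Paths are arguments so it can be run on copies. Assumption: exact user-name
# matching only (sshd's user@host and wildcard patterns are not handled).

# SSH: with no AllowUsers line everyone may log in; otherwise the name must be listed.
ssh_state() {  # usage: ssh_state USER SSHD_CONFIG
    awk -v u="$1" '
        tolower($1) == "allowusers" { seen = 1
            for (i = 2; i <= NF; i++) if ($i == u) ok = 1 }
        END { print ((seen && !ok) ? "deny" : "allow") }' "$2"
}

# FTP: a name on a line of its own in the ftpusers file is refused.
ftp_state() {  # usage: ftp_state USER FTPUSERS
    awk -v u="$1" 'NF == 1 && $1 == u { hit = 1 }
        END { print (hit ? "deny" : "allow") }' "$2"
}

# Password: field 2 of a passwd- or shadow-format line. "*" or a leading "!"
# (the prefix passwd -l adds) is locked; "x" means the hash is in the shadow file.
pw_state() {  # usage: pw_state USER FILE
    awk -F: -v u="$1" '
        $1 == u { found = 1
            if ($2 == "x") s = "in-shadow"
            else if ($2 ~ /^[*!]/) s = "locked"
            else s = "usable" }
        END { print (found ? s : "no-such-user") }' "$2"
}

access_report() {  # usage: access_report USER SSHD_CONFIG FTPUSERS PWFILE
    echo "ssh=$(ssh_state "$1" "$2") ftp=$(ftp_state "$1" "$3") password=$(pw_state "$1" "$4")"
}

# Constructed sample files (not from a real host) so the example runs offline.
d=$(mktemp -d)
printf 'Port 22\nAllowUsers adamk tim sean jacob dave\n' > "$d/sshd_config"
printf 'root\njoe\n' > "$d/ftpusers"
printf '%s\n' 'joe:*:1000:100:Joe,,,:/home/joe:/bin/bash' \
              'tim:x:1001:100:Tim,,,:/home/tim:/bin/bash' > "$d/passwd"
for u in joe tim; do
    echo "$u: $(access_report "$u" "$d/sshd_config" "$d/ftpusers" "$d/passwd")"
done
rm -rf "$d"
```

A `password=locked` result only covers password authentication; passwd(1) notes that the user may still be able to log in with another authentication token such as an SSH key, so read it together with the `ssh=` value.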

Conclusion:

It is important to be able to quickly lock a user out of your system at any given time. Knowing these three different ways of preventing access to FTP and SSH for a certain user is crucial to your system administration knowledge and I hope that you use this knowledge to better secure your system.
