I can't believe this didn't occur to me before.
Following on from a conversation on the Parallels forum, I've suddenly realised that system users (added with useradd) automatically get FTP access on a Plesk box.
This is significant because if you disable password authentication in sshd and only use keys, it is all too tempting to create such a user with a weak password. If it is really weak, the bad guys can eventually guess it, log in via FTP, change the ssh key and BOOM, they have shell access.
There has to be more to it than just this, surely? What am I missing?
On top of that, users like asl-web and qscand don't get FTP access; they don't have passwords, do they? So there has to be something more. Can someone tell me what that might be, please?
system users getting automatic FTP access
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: system users getting automatic FTP access
> On top of that, users like asl-web and qscand don't get ftp access; they don't have passwords do they?

No, you can't log in with either of the ASL users by default. You can see for yourself by looking at your /etc/passwd file:
asl-web:x:103:107::/var/asl/www:/sbin/nologin
tortix:x:104:108::/var/asl:/sbin/nologin
And the /etc/shadow file:
asl-web:!!:::::
tortix:!!:::::
As long as the password field is !!, then no password-based login will work. If you add a password to a user like that (say apache, or nscd, etc.), then yes, you can log into it (if the protocol supports password-based authentication, of course). Don't add passwords to those kinds of users; it's completely unnecessary and will make it possible to log in to those users. With the !! (or *) in the hash field, no password will work and the account is essentially locked out.
And you can test this yourself.
Connected to server2 (192.168.1.249).
220 FTP Server ready.
Name (server2:user): tortix
331 Password required for tortix
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Connected to server2 (192.168.1.249).
220 FTP Server ready.
Name (server2:user): asl-web
331 Password required for asl-web
Password:
530 Login incorrect.
Login failed.
Michael Shinn
Atomicorp - Security For Everyone
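The check mikeshinn describes above (look at the password field in /etc/shadow, not the shell in /etc/passwd) can be scripted so it covers every account at once. This is an added example, not code from the thread or from Atomicorp; the passwd/shadow samples are constructed, and the UID 999 cutoff for "system account" is an assumption that matches common distro defaults.

```python
# Added example: list accounts that could accept a password login.
# The shell is ignored on purpose: the thread's point is that an FTP
# daemon may accept the password even when the shell is /sbin/nologin.
from typing import Dict, List, Tuple

SYSTEM_UID_MAX = 999  # assumption: UIDs <= 999 are system accounts

def parse_passwd(text: str) -> Dict[str, int]:
    """Return {user: uid} from /etc/passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:          # skip blank or malformed lines
            users[fields[0]] = int(fields[2])
    return users

def parse_shadow(text: str) -> Dict[str, str]:
    """Return {user: password field} from /etc/shadow-formatted text."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes

def is_locked(pw_field: str) -> bool:
    """'!!', '!', '*' and '!'-prefixed hashes: no password can ever match."""
    return pw_field.startswith(("!", "*"))

def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Classify each account; anything not 'locked' deserves a look."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for user, uid in sorted(parse_passwd(passwd_text).items()):
        pw = shadow.get(user)
        if pw is None:
            findings.append((user, "no shadow entry"))
        elif is_locked(pw):
            findings.append((user, "locked"))
        elif pw == "":
            findings.append((user, "EMPTY password field"))
        elif uid != 0 and uid <= SYSTEM_UID_MAX:
            findings.append((user, "SYSTEM account has a password"))
        else:
            findings.append((user, "password set"))
    return findings

# Constructed sample data in the format shown in the reply above.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
asl-web:x:103:107::/var/asl/www:/sbin/nologin
tortix:x:104:108::/var/asl:/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
"""
SHADOW_SAMPLE = """root:$6$constructed$hash:19000:0:99999:7:::
apache:$6$constructed$hash:19000:0:99999:7:::
asl-web:!!:::::::
tortix:!!:::::::
deploy:$6$constructed$hash:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user:10} {finding}")
```

On a real box, feed it the contents of /etc/passwd and /etc/shadow (read as root); any system account reported with a password set can be locked again with `passwd -l <user>`.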