restrict ftp access to AIX host

I am not going to discuss the “cons” of using ftp – they are pretty much known to all involved with UNIX in general. Still, for some ftp is “a must” and for various reasons it has to be used.

To completely disable ftp access is easy. Just comment out or remove the following two lines in the file /etc/inetd.conf; they start ftp and its simpler cousin tftp.

ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd     ftpd
tftp    dgram   udp6    SRC     nobody  /usr/sbin/tftpd    tftpd -n

Follow these edits with refresh -s inetd (which makes inetd reread its configuration) and both services will be disabled on the host.

In order to allow ftp access to a particular user or users, the system administrator has to leave the ftp daemon in place in /etc/inetd.conf. (The tftp line can still be removed: tftp has no user login at all, so nothing below applies to it.)
Unlike cron access control, which uses two files (cron.allow and cron.deny), ftp has only one access control file, /etc/ftpusers, and it is a deny list: any login name listed there is refused ftp login, everyone else is admitted. Its syntax is identical to the cron access files, one login name per line.

AIX, being AIX, has a special command to manipulate the contents of this file. This command is called ruser (ruser -a -f adds a login name to /etc/ftpusers, ruser -d -f removes one).

For example, to allow only the users brickj and bondj access to ftp, system administrator may do the following.

Process the /etc/passwd file to create a corresponding entry in /etc/ftpusers for every login name on the system:

for user in `awk -F ':' '{print $1}' /etc/passwd`
do
    ruser -a -f $user
done

The same can be done with lsuser instead of awk:

for user in `lsuser -a ALL`
do
    ruser -a -f $user
done

At this moment nobody can ftp, because every login name is on the deny list. So, the brickj and bondj login names have to be removed from the ftpusers file:

ruser -d -f brickj; ruser -d -f bondj

Anything left? Yes, test it! Log in over ftp as brickj, as bondj, and as some user that is listed in /etc/ftpusers, and confirm that only the first two get in. And keep in mind that the file is a deny list: any account created later is not in it and can ftp until it is added, so the step above has to be repeated (or scripted) whenever users are created.
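The whole procedure above, as an added example that is not part of the original post: a small POSIX shell script that builds the deny list from an allow list and checks the result without touching the host. The user names are a constructed sample standing in for the output of lsuser -a ALL, and the allow list (brickj, bondj) is assumed as in the post; the ruser calls are wrapped in a function that is only meant to be run on the AIX host itself.

```shell
#!/bin/sh
# Added example, not from the original post: build the /etc/ftpusers deny list
# from an allow list and check it. Runs on any POSIX shell with a constructed
# user list; on AIX replace SAMPLE_USERS with the real login names
# (lsuser -a ALL, or awk -F: '{print $1}' /etc/passwd) and call apply_with_ruser.

# Constructed sample standing in for the output of lsuser -a ALL.
SAMPLE_USERS="root
daemon
bin
guest
brickj
bondj
ftp"

# Logins that may use ftp (assumed, as in the post).
ALLOW="brickj bondj"

# build_ftpusers "USERS" "ALLOW": print every login in USERS that is not in
# ALLOW, one per line, sorted. That is exactly what /etc/ftpusers needs,
# because ftpd refuses the logins listed there and admits everyone else.
build_ftpusers() {
    printf '%s\n' "$1" | while IFS= read -r login; do
        [ -n "$login" ] || continue
        keep=0
        for a in $2; do
            if [ "$login" = "$a" ]; then keep=1; fi
        done
        if [ "$keep" -eq 0 ]; then printf '%s\n' "$login"; fi
    done | sort
}

# ftp_allowed LOGIN FILE: returns 0 if LOGIN would be admitted given the deny
# list in FILE, 1 if LOGIN is listed there (whole-line, literal match).
ftp_allowed() {
    if grep -qxF -e "$1" "$2"; then
        return 1
    fi
    return 0
}

# apply_with_ruser "DENYLIST": feed the generated list to ruser, as the post
# does. AIX only; it is not called in the demo below.
apply_with_ruser() {
    for login in $1; do
        ruser -a -f "$login"
    done
}

# Demo on the constructed sample: prints bin, daemon, ftp, guest, root.
build_ftpusers "$SAMPLE_USERS" "$ALLOW"
```

On the real host, `build_ftpusers "$(lsuser -a ALL)" "brickj bondj" > /tmp/ftpusers.new` followed by a diff against the current /etc/ftpusers shows exactly which accounts would gain or lose ftp login, which is the check worth running before either copying the file into place or pushing it through ruser. The ftp_allowed function only mirrors the deny-list rule; the final test is still an actual ftp login as each user.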

  1. Andy Wojnarek says

    I would recommend also using tcpwrappers.

