Example case:
I want to create an FTP user named dwhftp that can only access the directory /performance4/data/smsmenu as its home directory, and can only use the FTP service.
The steps are as follows:
1. Prepare a user for FTP, e.g. dwhftp.
2. Log in as root:
# su -
3. Back up the ftpusers list:
# mv /etc/ftpd/ftpusers /etc/ftpd/ftpusers.bu
4. Create /bin/ftponly:
# echo 'echo "This account only allows FTP Access."' > /bin/ftponly
# chmod a+x /bin/ftponly
5. If /etc/shells exists, add /bin/ftpuser as its last line; if it does not, run this command first:
# ls /bin/*sh > /etc/shells
and then add /bin/ftpuser as the last line of /etc/shells.
6. Create the FTP user:
# useradd -c "dwhftp" -d /performance4/data/smsmenu -m -s /bin/ftponly -g staff dwhftp
7. Set the password:
# passwd dwhftp
8. Users who are not allowed to use FTP are added to /etc/ftpd/ftpusers or /etc/ftpusers:
# cat /etc/passwd|cut -f 1 -d: > /etc/ftpd/ftpusers
(not recommended / the crude way), or add the user "ftpuser" manually to /etc/ftpd/ftpusers (recommended / the gentle way). The result is as follows:
bash-3.00# cat /etc/ftpd/ftpusers
root
daemon
bin
sys
adm
lp
uucp
nuucp
smmsp
listen
gdm
webservd
postgres
svctag
nobody
noaccess
nobody4
peremeks
ftpuser
pangky
sumadi
agung
hadoop
itbss
perf
perf123
hesra
hwi
poi
oracle
helpdesk
reva
achid
dwh
#dwhftp
9. To restrict the user to its directory, edit /etc/ftpd/ftpaccess and add:
allow-retrieve relative class=realusers /performance4/data/smsmenu
restricted-uid dwhftp
How to do it:
# vi /etc/ftpd/ftpaccess
"/etc/ftpd/ftpaccess" 61 lines, 1608 characters
# ident "@(#)ftpaccess 1.2 03/05/14 SMI"
#
# FTP server configuration file, see ftpaccess(4).
#
class realusers real *
class guestusers guest *
class anonusers anonymous *
loginfails 3
passwd-check trivial warn
private no
shutdown /etc/ftpd/shutdown.msg
# email user@hostname
# guestuser username
# rhostlookup no
keepalive yes
recvbuf 65536 real,guest,anonymous
sendbuf 65536 real,guest,anonymous
# flush-wait no anonymous
# passive ports 0.0.0.0/0 32768 65535
# timeout data 600
# timeout idle 300
banner /etc/ftpd/banner.msg
greeting brief
message /etc/ftpd/welcome.msg login
message .message cwd=*
readme README* login
readme README* cwd=*
# quota-info *
chmod no anonymous
delete no anonymous
overwrite no anonymous
rename no anonymous
umask no anonymous
compress yes realusers guestusers anonusers
tar yes realusers guestusers anonusers
path-filter guest,anonymous /etc/ftpd/filename.msg ^[[:alnum:]._-]*$ ^[.-]
noretrieve relative class=anonusers /
allow-retrieve relative class=anonusers /pub
upload class=anonusers * * no nodirs
# upload class=anonusers * /incoming yes ftpadm ftpadm 0440 nodirs
# log commands real,guest,anonymous
# log security real,guest,anonymous
# log transfers real,guest,anonymous inbound,outbound
# xferlog format %T %Xt %R %Xn %XP %Xy %Xf %Xd %Xm %U ftp %Xa %u %Xc %Xs %Xr
# limit-time anonymous 30
# limit anonusers 10 Wk0730-1800 /etc/ftpd/toomany.msg
# limit anonusers 50 SaSu|Any1800-0730 /etc/ftpd/toomany.msg
allow-retrieve relative class=realusers /performance4/data/smsmenu
restricted-uid dwhftp
10. Restart the FTP daemon:
# svcadm restart ftp
11. When the user logs in via FTP, "/performance4/data/smsmenu" appears as "/":
perf123@jkt-svr-nocmed01:~-> ftp 172.16.3.14
Connected to 172.16.3.14.
220 jkt-svr-nocmed01 FTP server ready.
Name (172.16.3.14:perf123): dwhftp
331 Password required for dwhftp.
Password:
230 User dwhftp logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is current directory.
ftp>
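The following POSIX sh check is an added example, not part of the original post: it audits one account for the four properties the procedure above establishes (FTP-only login shell, shell listed in /etc/shells, not denied in ftpusers, confined by restricted-uid in ftpaccess). It assumes the stub shell is /bin/ftponly as assigned in step 6; the sample files it writes to a temporary directory are constructed, not copied from the live system.

```shell
# Added example, not part of the original post: audit one FTP-only account for the
# properties that steps 4-9 above establish. All file paths are parameters, so it
# can run against copies of the live files or, as below, against constructed samples.
check_ftp_restriction() {
    user=$1 want_shell=$2 passwd=$3 shells=$4 ftpusers=$5 ftpaccess=$6
    fails=0
    entry=$(grep "^${user}:" "$passwd") || { echo "FAIL: $user not in $passwd"; return 1; }
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    # 1. the login shell is the FTP-only stub, so telnet/ssh cannot get a shell
    [ "$shell" = "$want_shell" ] ||
        { echo "FAIL: shell is $shell, expected $want_shell"; fails=$((fails + 1)); }
    # 2. the stub must be listed in /etc/shells, otherwise ftpd refuses the login
    grep -qx "$want_shell" "$shells" ||
        { echo "FAIL: $want_shell missing from $shells"; fails=$((fails + 1)); }
    # 3. the user must not be denied in ftpusers (a '#dwhftp' line is only a comment)
    ! grep -qx "$user" "$ftpusers" ||
        { echo "FAIL: $user is denied in $ftpusers"; fails=$((fails + 1)); }
    # 4. ftpaccess must confine the user; restricted-uid takes one or more names per line
    grep -Eq "^restricted-uid([[:space:]]+[^[:space:]]+)*[[:space:]]+${user}([[:space:]]|\$)" "$ftpaccess" ||
        { echo "FAIL: no restricted-uid for $user in $ftpaccess"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $user is FTP-only and sees $home as /"
    return "$fails"
}

# Constructed sample files (not the live system) mirroring the post's end state:
# home /performance4/data/smsmenu, shell /bin/ftponly, gid 10 (staff), dwhftp commented out.
make_sample_files() {
    dir=$1
    printf 'root:x:0:0:Super-User:/:/sbin/sh\n' > "$dir/passwd"
    printf 'dwhftp:x:101:10:dwhftp:/performance4/data/smsmenu:/bin/ftponly\n' >> "$dir/passwd"
    printf '/bin/sh\n/bin/bash\n/bin/ksh\n/bin/ftponly\n' > "$dir/shells"
    printf 'root\ndaemon\nbin\nsys\n#dwhftp\n' > "$dir/ftpusers"
    printf 'class realusers real *\n' > "$dir/ftpaccess"
    printf 'allow-retrieve relative class=realusers /performance4/data/smsmenu\n' >> "$dir/ftpaccess"
    printf 'restricted-uid dwhftp\n' >> "$dir/ftpaccess"
}

# Demonstration: the correct setup passes; the same account fails once it is
# really listed in ftpusers (as the crude 'cut /etc/passwd' method in step 8 would do).
tmp=$(mktemp -d)
make_sample_files "$tmp"
check_ftp_restriction dwhftp /bin/ftponly "$tmp/passwd" "$tmp/shells" "$tmp/ftpusers" "$tmp/ftpaccess"
echo dwhftp >> "$tmp/ftpusers"
check_ftp_restriction dwhftp /bin/ftponly "$tmp/passwd" "$tmp/shells" "$tmp/ftpusers" "$tmp/ftpaccess" || :
rm -rf "$tmp"
```

The return value is the number of failed checks, so it can be dropped into a cron job or a post-change verification step as-is.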