Super mega lock

From Tronche's wiki
Jump to: navigation, search
usermod --lock --expiredate 1 --shell /bin/false
  • If account is expired with expiredate
    • crontabs won't start.
    • ssh login is rejected
  • If shell is /bin/false
    • No way to log with ssh (obviously)
    • mailfilter (maildrop) won't work

Hardened sftp-only account

In sshd_config:

#Subsystem sftp /usr/lib/openssh/sftp-server

At the end of sshd_config:

Subsystem sftp internal-sftp
Match User toto
      ChrootDirectory %h/b # par ex
      AllowTCPForwarding no
      X11Forwarding no
      ForceCommand internal-sftp

NB %h/b (home/b) must be owned by root. sftp should never go to the home directory, or an attacker gaining control of the client computer can change authentication keys.


 usermod --shell /bin/false
Personal tools