Let's say you've got 2 groups in /etc/passwd:

ssh_users
ftp_users

To permit only ssh_users to log in over SSH, add this line to /etc/ssh/sshd_config:

AllowGroups ssh_users

From man sshd_config: AllowGroups - If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.

To permit FTP login only for members of the ftp_users group you can, for example, use pam_listfile (see man pam_listfile for details).

First write the group name to e.g. /etc/pam.d/vsftpd-groups.conf:

~ # echo ftp_users > /etc/pam.d/vsftpd-groups.conf

Then add pam_listfile to your /etc/pam.d/vsftpd file. The lines marked >> are the added ones; they have to sit before the "sufficient" entries, because a successful pam_unix/pam_localuser result ends the stack there and the group check would never run:

auth required pam_env.so
>> auth required pam_listfile.so item=group sense=allow file=/etc/pam.d/vsftpd-groups.conf onerr=fail
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so broken_shadow
>> account required pam_listfile.so item=group sense=allow file=/etc/pam.d/vsftpd-groups.conf onerr=fail
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
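To check which users the two rules would let in before deploying them, here is an added example (not part of the original answer) that resolves a user's primary and supplementary groups from constructed /etc/passwd and /etc/group snippets and evaluates them against an AllowGroups list and a pam_listfile group file. It approximates sshd's pattern matching with fnmatch (* and ? wildcards; negation and [] classes are not modelled).

```python
import fnmatch

# Constructed sample data, not taken from a real system.
PASSWD = """alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:2000::/home/carol:/sbin/nologin
"""
GROUP = """alice:x:1001:
bob:x:1002:
ssh_users:x:2000:alice
ftp_users:x:2001:bob,carol
"""


def user_groups(user, passwd=PASSWD, group=GROUP):
    """Primary group plus supplementary groups, as sshd and pam_listfile see them."""
    gid_to_name, members = {}, {}
    for line in group.splitlines():
        name, _, gid, mem = line.split(":")
        gid_to_name[gid] = name
        members[name] = set(filter(None, mem.split(",")))
    for line in passwd.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            primary = gid_to_name.get(fields[3])  # gid field of /etc/passwd
            break
    else:
        raise KeyError(f"unknown user {user}")
    groups = {g for g, m in members.items() if user in m}
    if primary:
        groups.add(primary)  # primary group counts even if not listed as a member
    return groups


def sshd_allows(user, allow_groups):
    """AllowGroups: login allowed if any of the user's groups matches any pattern."""
    return any(fnmatch.fnmatchcase(g, pat)
               for g in user_groups(user) for pat in allow_groups)


def listfile_allows(user, listfile_text):
    """pam_listfile item=group sense=allow: one group name per line, blanks ignored."""
    allowed = {l.strip() for l in listfile_text.splitlines() if l.strip()}
    return bool(user_groups(user) & allowed)


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, "ssh:", sshd_allows(u, ["ssh_users"]),
              "ftp:", listfile_allows(u, "ftp_users\n"))
```

Note that carol passes the SSH check only through her primary gid 2000, which is the "primary group" case the man page mentions.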
You should also look at the EC2 instance Security Group and only permit access from known IP addresses of your SSH or FTP users if that's possible.
That should do.