LinuxQuestions.org

Linux - Newbie: proFTPd deny all except certain IP Addresses (http://www.linuxquestions.org/questions/linux-newbie-8/proftpd-deny-all-except-certain-ip-addresses-808850/)

the182guy 05-19-2010 09:16 AM

proFTPd deny all except certain IP Addresses
 
How can I configure proFTPd to deny all unless:
  • User is part of group: ftpguys
  • Client IP matches either: 1.1.1.1 or 2.2.2.2 or 3.3.3.3

I already have the config file (proftpd.conf) set up to only allow users who are part of the group ftpguys. To do that I use this:

Code:

<Limit LOGIN>
  # only members of the ftpguys group may log in
  AllowGroup ftpguys
  DenyAll
</Limit>

The above works very well, but I want to specify three IPs that are allowed to login, nobody else. I've tried this but it did not work:

Code:

<Limit LOGIN>
  Order Deny,Allow
  Deny from all
  Allow from 1.1.1.1
</Limit>

Any ideas? Thanks in advance

grail 05-19-2010 09:40 AM

Well, a quick Google search yielded me:

http://www.castaglia.org/proftpd/modules/mod_ban.html
http://doxfer.com/Webmin/ProFTPDServ...s_by_IP_addres

I am sure one of these should point you in the right direction.

the182guy 05-19-2010 10:15 AM

Thanks grail. My webmin interface doesn't have the options for setting it up like I'm looking for.

Also I don't want to have to recompile proFTPd to enable mod_ban or any other module. I know it can be done just from the config file, it's just a case of working out the correct syntax.

Here's an example that I'm trying to play with now.
Code:

  <Class friends>
    From 1.2.3.4/8
  </Class>

  <IfUser dave>
    <Limit LOGIN>
      AllowClass friends
      DenyAll
    </Limit>
  </IfUser>


Hangdog42 05-19-2010 10:39 AM

Would it be acceptable to do this in /etc/hosts.allow and /etc/hosts.deny? Assuming your hosts.deny is set to ALL/ALL, you could add the appropriate IP addresses to hosts.allow:

ftpd: 1.2.3.4/8

The only downside is that hosts.allow and hosts.deny may affect systems other than FTP, so you need to make sure needed ones are allowed as well.

the182guy 05-19-2010 11:03 AM

Thanks for the suggestions Hangdog. Unfortunately my proFTPd installation was not compiled with mod_wrap so I am not able to make use of hosts.allow or hosts.deny.

I think I have cracked it though... after trying every possible combination of syntax I could dream up, I think I finally got it. This is what I have that appears to work:

Code:

<Limit LOGIN>
  # the client must connect from one of these addresses
  Deny from all
  Allow from 1.1.1.1
  Allow from 2.2.2.2
  Allow from 3.3.3.3
</Limit>

<Limit LOGIN>
  # and the user must be a member of ftpguys
  Deny from all
  AllowGroup ftpguys
</Limit>

Any thoughts?

Hangdog42 05-19-2010 03:35 PM

The only concern I would have would be the use of two Limit stanzas. Of course I'm not a proftpd user, so I may be off base. Does something like this work:

Code:

<Limit LOGIN>
  Deny from all
  Allow from 1.1.1.1
  Allow from 2.2.2.2
  Allow from 3.3.3.3
  AllowGroup ftpguys
</Limit>

You might also need an Order Deny,Allow statement to get things to work the way you want.

the182guy 05-20-2010 02:39 AM

Hi Hangdog,

Thanks for the response, I did try the exact way you suggested. The problem with that way is it's an EITHER/OR criterion. So if the user is part of the ftpguys group then they are allowed to connect (from any IP). If a user connects from one of the listed IPs then that client can login with any user.

I have run some tests using the way I posted and it seems to work. I have tried different IPs and users that are/are not part of ftpguys and it all seems to work as needed.
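
A simplified model of how the two configurations above behave, as an added example and not code from this thread or from ProFTPD itself. It assumes ProFTPD's default Order allow,deny inside a <Limit> (a matching Allow directive wins; otherwise a matching Deny denies; otherwise the section allows) and that a login must pass every <Limit LOGIN> section in the config; the user names, group membership and client addresses are constructed test data. It evaluates both layouts from the thread: the two separate sections (IP AND group) and the single merged section (IP OR group).

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed test data: group membership as the server would resolve it.
GROUPS = {"ftpguys": {"alice", "bob"}}


@dataclass
class Limit:
    """One <Limit LOGIN> section (simplified model, not ProFTPD's own logic)."""
    allow_from: list = field(default_factory=list)    # "Allow from <addr>"
    allow_groups: list = field(default_factory=list)  # "AllowGroup <group>"
    deny_all: bool = False                            # "Deny from all" / "DenyAll"

    def decide(self, user, client_ip):
        # Default Order allow,deny: Allow directives are checked first,
        # and a match ends the evaluation with an allow.
        ip = ipaddress.ip_address(client_ip)
        if any(ip in ipaddress.ip_network(n, strict=False) for n in self.allow_from):
            return True
        if any(user in GROUPS.get(g, set()) for g in self.allow_groups):
            return True
        # Then Deny directives; "Deny from all" matches every client.
        if self.deny_all:
            return False
        # Nothing matched: the section allows by default.
        return True


def login_allowed(limits, user, client_ip):
    """A login must satisfy every <Limit LOGIN> section in the config."""
    return all(limit.decide(user, client_ip) for limit in limits)


# Layout from the final post: two separate sections, both must pass.
TWO_SECTIONS = [
    Limit(allow_from=["1.1.1.1", "2.2.2.2", "3.3.3.3"], deny_all=True),
    Limit(allow_groups=["ftpguys"], deny_all=True),
]

# Suggested alternative: everything in one section, so any Allow suffices.
ONE_SECTION = [
    Limit(allow_from=["1.1.1.1", "2.2.2.2", "3.3.3.3"],
          allow_groups=["ftpguys"], deny_all=True),
]

# Constructed (user, client IP) cases covering all four combinations.
CASES = [
    ("alice", "1.1.1.1"),    # in ftpguys, listed IP
    ("alice", "9.9.9.9"),    # in ftpguys, unlisted IP
    ("mallory", "2.2.2.2"),  # not in ftpguys, listed IP
    ("mallory", "9.9.9.9"),  # not in ftpguys, unlisted IP
]


def evaluate(limits):
    """Return {(user, ip): allowed?} for every case under the given layout."""
    return {(u, ip): login_allowed(limits, u, ip) for u, ip in CASES}


if __name__ == "__main__":
    for name, cfg in (("two sections", TWO_SECTIONS), ("one section", ONE_SECTION)):
        print(name)
        for (u, ip), ok in evaluate(cfg).items():
            print(f"  {u:8} from {ip:8}: {'allowed' if ok else 'denied'}")
```

Only the two-section layout denies a group member coming from an unlisted address and an unlisted user coming from a listed address; the merged section lets either condition through on its own. The model ignores the Order directive and any other <Limit> sections a real config may contain, so a change like this should still be confirmed with actual login attempts, as was done in the thread.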

Hangdog42 05-20-2010 06:40 AM

Quote:

I have run some tests using the way I posted and it seems to work. I have tried different IPs and users that are/are not part of ftpguys and it all seems to work as needed.
Well, working is the only thing that really matters, so if what you've done does the trick, I'd stick with it. Like I said, I'm not really familiar with proftpd so I'm doing a bit of guessing.
