LinuxQuestions.org
Old 05-19-2010, 09:16 AM   #1
the182guy
Member
proFTPd deny all except certain IP Addresses


How can I configure proFTPd to deny all unless:
  • User is part of group: ftpguys
  • Client IP matches either: 1.1.1.1 or 2.2.2.2 or 3.3.3.3

I already have the config file (proftpd.conf) setup to only allow users who are part of the group ftpguys. To do that I use this:

Code:
<Limit LOGIN>
AllowGroup ftpguys
DenyALL
</Limit>
The above works very well, but I want to specify three IPs that are allowed to login, nobody else. I've tried this but it did not work:

Code:
<Limit LOGIN>
Order Deny,Allow
Deny from all
Allow from 1.1.1.1
</Limit>
Any ideas? Thanks in advance
 
Old 05-19-2010, 09:40 AM   #2
grail
Guru
Well a quick google yielded me:

http://www.castaglia.org/proftpd/modules/mod_ban.html
http://doxfer.com/Webmin/ProFTPDServ...s_by_IP_addres

I am sure one of these should point you in the right direction.
 
Old 05-19-2010, 10:15 AM   #3
the182guy
Member
Original Poster
Thanks grail. My webmin interface doesn't have the options for setting it up like I'm looking for.

Also I don't want to have to recompile proFTPd to enable mod_ban or any other module. I know it can be done just from the config file, it's just a case of working out the correct syntax.

Here's an example that I'm trying to play with now.
Code:
  <Class friends>
    From 1.2.3.4/8
  </Class>

  <IfUser dave>
    <Limit LOGIN>
      AllowClass friends
      DenyAll
    </Limit>
  </IfUser>
 
Old 05-19-2010, 10:39 AM   #4
Hangdog42
LQ Veteran
Would it be acceptable to do this in /etc/hosts.allow and /etc/hosts.deny? Assuming your hosts.deny is set to ALL/ALL, you could add the appropriate IP addresses to hosts.allow:

ftpd: 1.2.3.4/8

The only downside is that hosts.allow and hosts.deny may affect systems other than FTP, so you need to make sure needed ones are allowed as well.
 
Old 05-19-2010, 11:03 AM   #5
the182guy
Member
Original Poster
Thanks for the suggestions Hangdog. Unfortunately my proFTPd installation was not compiled with mod_wrap so I am not able to make use of hosts.allow or hosts.deny.

I think I have cracked it though... after trying every possible combination of syntax I could dream up I think I finally got it. This is what I have that appears to work:

Code:
<Limit LOGIN>
Deny from all
Allow from 1.1.1.1
Allow from 2.2.2.2
Allow from 3.3.3.3
</Limit>

<Limit LOGIN>
Deny from all
AllowGroup ftpguys
</Limit>
Any thoughts?
 
Old 05-19-2010, 03:35 PM   #6
Hangdog42
LQ Veteran
The only concern I would have would be the use of two Limit stanzas. Of course I'm not a proftpd user, so I may be off base. Does something like this work:

Code:
<Limit LOGIN>
Deny from all
Allow from 1.1.1.1
Allow from 2.2.2.2
Allow from 3.3.3.3
AllowGroup ftpguys

</Limit>
You might also need an order Deny,Allow statement to get things to work the way you want.
 
Old 05-20-2010, 02:39 AM   #7
the182guy
Member
Original Poster
Hi Hangdog,

Thanks for the response, I did try the exact way you suggested. The problem with that way is it's an EITHER/OR criterion. So if the user is part of the ftpguys group then they are allowed to connect (from any IP). If a user connects from one of the listed IPs then that client can login with any user.

I have run some tests using the way I posted and it seems to work. I have tried different IPs and users that are/are not part of ftpguys and it all seems to work as needed.
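Added example, not code from the thread or from ProFTPD: a small Python model of the behaviour the182guy describes in posts #5 and #7. It assumes the semantics stated in its header comment (any matching Allow in a stanza grants, otherwise a matching Deny refuses, and every stanza must grant), and uses the thread's own two configs to show that the two-stanza form requires both the IP and the group while the single stanza accepts either.

```python
import ipaddress

# Constructed model of the thread's <Limit LOGIN> stanzas (an assumption, not
# ProFTPD's own code): in a stanza any matching Allow* grants, otherwise any
# matching Deny* refuses; every stanza must grant, so two stanzas AND, one ORs.

def parse_limits(conf):
    stanzas, current = [], None
    for raw in conf.splitlines():
        words = raw.split()
        head = words[0].lower() if words else ""
        if head == "<limit" and words[-1].lower() == "login>":
            current = []
        elif head == "</limit>":
            stanzas.append(current)
            current = None
        elif current is not None and words:
            # "Allow from X" -> ("allow", "X"); "AllowGroup g" -> ("allowgroup", "g")
            arg = words[2] if head in ("allow", "deny") else (words[1] if len(words) > 1 else "all")
            current.append((head, arg))
    return stanzas

def _matches(directive, arg, client_ip, groups):
    if directive in ("allowgroup", "denygroup"):
        return arg in groups
    if arg.lower() == "all":  # DenyAll, AllowAll, "Deny from all"
        return True
    # Allow/Deny from: a single address or a CIDR such as 1.2.3.4/8
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg, strict=False)

def login_permitted(conf, client_ip, groups):
    for stanza in parse_limits(conf):
        allowed = any(_matches(d, a, client_ip, groups) for d, a in stanza if d.startswith("allow"))
        denied = any(_matches(d, a, client_ip, groups) for d, a in stanza if d.startswith("deny"))
        if denied and not allowed:
            return False
    return True

# Post #5's two-stanza config; post #6's single stanza is the same directives with the boundary removed.
TWO_STANZAS = """<Limit LOGIN>
Deny from all
Allow from 1.1.1.1
Allow from 2.2.2.2
Allow from 3.3.3.3
</Limit>
<Limit LOGIN>
Deny from all
AllowGroup ftpguys
</Limit>"""
ONE_STANZA = TWO_STANZAS.replace("</Limit>\n<Limit LOGIN>\nDeny from all\n", "")
```

Under this model a client at 1.1.1.1 that is not in ftpguys is refused by the two-stanza config but accepted by the single stanza, which is exactly the either/or the OP observed.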
 
Old 05-20-2010, 06:40 AM   #8
Hangdog42
LQ Veteran
Quote:
I have run some tests using the way I posted and it seems to work. I have tried different IPs and users that are/are not part of ftpguys and it all seems to work as needed.
Well, working is the only thing that really matters, so if what you've done does the trick, I'd stick with it. Like I said, I'm not real familiar with proftpd so I'm doing a bit of guessing.