LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Anonymous FTP for all, user FTP logins only for specific IP ranges (http://www.linuxquestions.org/questions/slackware-14/anonymous-ftp-for-all-user-ftp-logins-only-for-specific-ip-ranges-701499/)

Sjorrit 02-01-2009 05:28 PM

Anonymous FTP for all, user FTP logins only for specific IP ranges
 
Hello,

Is there a way to enable anonymous FTP access for everyone, yet restrict user logins to specific IP ranges? Preferably even on a per-user basis.

For example:
  • anonymous: everyone
  • jorrit: 208.77.188/8
  • exampleuser: 208.77.188/16
I couldn't find how to do this with either vsftpd or proftpd shipped by default with Slackware (and haven't looked into other ftp daemons).

My apologies in advance if this is really obvious.

Thanks,
Jorrit

tux_dude 02-01-2009 08:04 PM

Personally, I find giving FTP access to user account a security risk.

To your question, I am not aware of a solution. However, you can use proftpd with mysql and setup specific FTP accounts. You will have to enable mysql when compiling proftd. You can then jail the required user to a specific directory. Not exactly what you're looking for, but that might help.

Just thought of this will I was typing. You can also create multiple profile in your proftd config file with different ports. Then use your firewall to restrict access to specific IP on your user port (say 21 for anonymous and 2100 for authorized users). You will have to inform your authorized users to use the specified port when connecting.

Sjorrit 02-01-2009 11:11 PM

Quote:

Originally Posted by tux_dude (Post 3428603)
Personally, I find giving FTP access to user account a security risk.

I'm not too fond of it either... one of the reasons I want to restrict it to certain IPs in the first place :-)

Quote:

Originally Posted by tux_dude (Post 3428603)
To your question, I am not aware of a solution. However, you can use proftpd with mysql and setup specific FTP accounts. You will have to enable mysql when compiling proftd. You can then jail the required user to a specific directory. Not exactly what you're looking for, but that might help.

Well that's just a virtual user using a MySQL backend if I understand it correctly? I don't mind using 'real' users accounts.

Quote:

Originally Posted by tux_dude (Post 3428603)
Just thought of this will I was typing. You can also create multiple profile in your proftd config file with different ports. Then use your firewall to restrict access to specific IP on your user port (say 21 for anonymous and 2100 for authorized users). You will have to inform your authorized users to use the specified port when connecting.

Mmm that's not ideal but the next best thing I suppose. Thanks for thinking along with me. It's also possible to launch two vsftpds from inetd probably; vsftpd lacks multiple profile support though.

Still... if someone knows a 'perfect' solution or can confirm it's just not possible, please let me know :-)

Greets,
Jorrit

mRgOBLIN 02-02-2009 01:56 AM

I prefer pure-ftpd myself and it can do what you want.. well it can restrict each account to one IP address an also supports quotas and bandwidth restrictions.

Sjorrit 02-02-2009 04:51 AM

Quote:

Originally Posted by mRgOBLIN (Post 3428786)
I prefer pure-ftpd myself and it can do what you want.. well it can restrict each account to one IP address an also supports quotas and bandwidth restrictions.

Aye indeed... but it seems ProFTPD also supports it. I can't believe I've overlooked it:

Code:

  <Class friends>
    From !1.2.3.4/8
  </Class>

  <IfUser dave>
    <Limit LOGIN>
      AllowClass friends
      DenyAll
    </Limit>
  </IfUser>

Thanks and greetings,
Jorrit

Count Zero 04-19-2009 04:41 AM

Hi,

I tried this solution and it works just fine when I state a full IP address. However, I'd like to restrict login to a range, thus using wildcards in the restriction. I tried it like so:
Code:

<Class USER-IP>
  From !1.2.3.*
</Class>

<IfUser USER>
  <Limit LOGIN>
      AllowClass USER-IP
      DenyAll
  </Limit>
</IfUser>

This, I had hoped, would allow my USER to log in even though his dynamic allocated IP means that the last figure on the address change from time to time but with this configuration USER is denied access. Does anyone know what I'm doing wrong here?

Thanks!
/CZ

Suncoast 04-19-2009 05:40 PM

Have you tried shifting the mask?

Ex: From !1.2.3.0/24

Suncoast 04-19-2009 05:49 PM

You do know the ! means NOT from.

So "From 1.2.3.0/24" would specify IP's
1.2.3.0 to 1.2.3.255.

And "From !1.2.3.0/24" would specify everything
EXCEPT 1.2.3.0 to 1.2.3.255.

Count Zero 04-20-2009 10:02 AM

Quote:

Originally Posted by Suncoast (Post 3514442)
You do know the ! means NOT from.

So "From 1.2.3.0/24" would specify IP's
1.2.3.0 to 1.2.3.255.

And "From !1.2.3.0/24" would specify everything
EXCEPT 1.2.3.0 to 1.2.3.255.

Sorry, my bad. Yes, I know ! means NOT and in my config I don't have the ! (I copied and pasted and edited the example *slams hand to forehead*. Still, that is not the issue in my case).

Anyway, no, I haven't tried to shift the mask because I might want to restrict it to the last two series of digits (i.e. 1.2.*.*). However, I'll give it a go for the ones where I only need a wildcard on the last series of digit and post back my findings.

Thanks
/CZ

EDIT: Specifying a range using 1.2.3.0/24 seems to work. I'll see if I can work something out out for specifying range for 1.2.*.*. /Thanks!

Suncoast 04-20-2009 11:01 AM

You're not limited to classful networks. So if you wanted 172.16.128.0 to 172.16.255.255, you would use 172.16.128.0/17. Or say you only wanted to allow everyone from your local cable company, you can do a whois lookup to see what their netblock is and permit that entire block. For example;

Code:

$ whois 209.216.72.18
Internet Junction Corporation INJU (NET-209-216-64-0-1)
                                  209.216.64.0 - 209.216.95.255

# ARIN WHOIS database, last updated 2009-04-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


$ whois NET-209-216-64-0-1

OrgName:    Internet Junction Corporation
OrgID:      INJU
Address:    12807 W. Hillsborough Ave, Unit K
City:      Tampa
StateProv:  FL
PostalCode: 33635
Country:    US

NetRange:  209.216.64.0 - 209.216.95.255
CIDR:      209.216.64.0/19  <<<<<<<<<<<<<<<<<<There's the Net to use
NetName:    INJU
NetHandle:  NET-209-216-64-0-1
(SNIP)


Count Zero 04-21-2009 01:04 PM

Thanks for the reply Suncoast.

I did some reading up and learned a few things about CIDR (up from zero knowledge so that didn't take much) and I think I got a hang of how CIDR works when assigning/dividing ranges of IP addresses.

However, when I do a whois on a computer I want to add (or at least one with a very similar IP) I get this:

Code:

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%      To receive output for a database update, use the "-B" flag

% Information related to '83.248.0.0 - 83.248.207.255'

inetnum:        83.248.0.0 - 83.248.207.255
netname:        COMHEM-CUSTOMER
descr:          Com Hem customer broadband access
descr:          ISP
descr:          ********************************
                Abuse & intrusion reports should be done online at:
                http://www.comhem.se/portal/comhem/kundservice_abuse
                ********************************
country:        SE
admin-c:        CH1252-RIPE
tech-c:        CH1252-RIPE
status:        ASSIGNED PA
mnt-by:        COMHEM-MNT
source:        RIPE # Filtered

role:          Com Hem LIR
address:        Com Hem AB
                Visiting: Fleminggatan 18
                P.O. Box 8093
                SE-104 20  STOCKHOLM
                SWEDEN
remarks:        ********************************
                Abuse & intrusion reports should be done online at:
                http://www.comhem.se/portal/comhem/kundservice_abuse
                ********************************
phone:          +46 8 55363000
fax-no:        +46 8 6601640
abuse-mailbox:  abuse@comhem.com
org:            ORG-chA1-RIPE
admin-c:        NA1607-RIPE
tech-c:        HL1251-RIPE
nic-hdl:        CH1252-RIPE
mnt-by:        COMHEM-MNT
source:        RIPE # Filtered

% Information related to '83.248.0.0/13AS39651'

route:          83.248.0.0/13        <<<<<<<<<<<<<<<<<<<<< This one?
descr:          SE-COMHEM
origin:        AS39651
mnt-by:        COMHEM-MNT
source:        RIPE # Filtered

Now, I can't make heads and tails this as I don't get a CIDR address and I don't get any nethandle that you used to do your second whois look-up (where you got the CIDR).

Is it the route that I should use to allow the entire netblock?

Thanks!
/CZ

Suncoast 04-22-2009 11:57 AM

That route will work, but understand that is a very large network block. Over 1/2 Million hosts. I did poke around and that entire block does seem to be assigned to the same ISP.

Using default routes will not always work, as they often point to several networks. Sometimes groups of entire countries.


If you're goal is to restrict access to your local town, region, etc, you might want to call the ISP and ask if they have a single local subnetwork and netmask you can use.

Steve

Count Zero 04-22-2009 02:09 PM

Quote:

Originally Posted by Suncoast (Post 3517441)
That route will work, but understand that is a very large network block. Over 1/2 Million hosts. I did poke around and that entire block does seem to be assigned to the same ISP.

Using default routes will not always work, as they often point to several networks. Sometimes groups of entire countries.


If you're goal is to restrict access to your local town, region, etc, you might want to call the ISP and ask if they have a single local subnetwork and netmask you can use.

Steve

Ok, I think I'm figuring it all out (well, maybe not all but hopefully enough to get by ;) )

This is among Sweden's top ten IPS so it's probably more or less their entire network range. My friend IP is A.B.C.D. If I'd go for something like A.B.C.0/17 that would entail some 32000 hosts plus change, right? A bit slimmer than doing the entire A.B.0.0/13, which I've gathered is 8 full class B networks. But would A.B.C.0/17 necessarily include my friends dynamic IP when it changes? I.e. how likely is the C part of the IP to remain the same after he's been re-assigned a new IP?

Thanks for the help, it means a lot.
/CZ

Suncoast 04-22-2009 05:06 PM

You're right about the hosts. 2^15=32,768(-2).

On your subnet mask, C would likely get mangled unless it is a low number. The ISP is not likely to change the "C" octet by much. If no information is coming from the ISP, the trick is to get your subnet ID as close as possible by guessing. Hopefully, the following will explain which numbers to use. Pick how large a block you want, then finish that section until the IP address you have is in range. Of course, replace the x.x with the first two octets of the IP address.

Warning. You just have to stare at this for a minute, thinking number patterns, and it suddenly makes sense.

If netmask of /17 (255.255.128.0)
x.x.0.0 to x.x.127.255 would be x.x.0.0/17
x.x.128.0 to x.x.255.255 would be x.x.128.0/17
(Complete)

If netmask of /18 (255.255.192.0) (16,384 hosts each)
x.x.0.0 to x.x.63.255 would be x.x.0.0/18
x.x.64.0 to x.x.127.255 would be x.x.64.0/18
x.x.128.0 to x.x.191.255 would be x.x.128.0/18
x.x.192.0 to x.x.255.255 would be x.x.192.0/18
(Complete)

if /19 (255.255.224.0) (8,192 hosts each)
x.x.0.0 to x.x.31.255 would be x.x.0.0/19
x.x.32.0 to x.x.63.255 would be x.x.32.0/19
And so on, increment each line by 32.

if /20 (255.255.240.0)(4,096 hosts each)
x.x.0.0 to x.x.15.255 would be x.x.0.0/20
x.x.16.0 to x.x.31.255 would be x.x.16.0/20
And so on increment each line by 16.

So if your 3rd octet (C) was 34, you would use either
x.x.0.0/17 or
x.x.0.0/18 or
x.x.32.0/19 or
x.x.32.0/20

Count Zero 04-23-2009 03:27 PM

Yes, it does take some staring, sort of like those 3D pictures that was popular a couple of years ago but I DO see the logic in it. It's quite beautiful once one see the rationality of it.

Restricting it to 8192 hosts should be good, the third octet on his current IP would then be about in the middle of the range it encompasses and hopefully that'll do the trick when it changes.


Suncoast, you have been to a tremendous help and I've learned a lot. Thanks!

/CZ


All times are GMT -5. The time now is 09:44 PM.