LinuxQuestions.org
Forum: Slackware
02-01-2009, 05:28 PM   #1
Sjorrit
Anonymous FTP for all, user FTP logins only for specific IP ranges


Hello,

Is there a way to enable anonymous FTP access for everyone, yet restrict user logins to specific IP ranges? Preferably even on a per-user basis.

For example:
  • anonymous: everyone
  • jorrit: 208.77.188/8
  • exampleuser: 208.77.188/16
I couldn't find how to do this with either vsftpd or proftpd shipped by default with Slackware (and haven't looked into other ftp daemons).

My apologies in advance if this is really obvious.

Thanks,
Jorrit
 
02-01-2009, 08:04 PM   #2
tux_dude
Personally, I find giving FTP access to user accounts a security risk.

To your question, I am not aware of a solution. However, you can use proftpd with mysql and set up specific FTP accounts. You will have to enable mysql when compiling proftpd. You can then jail the required user to a specific directory. Not exactly what you're looking for, but that might help.

Just thought of this while I was typing. You can also create multiple profiles in your proftpd config file with different ports. Then use your firewall to restrict access to specific IPs on your user port (say 21 for anonymous and 2100 for authorized users). You will have to inform your authorized users to use the specified port when connecting.

Last edited by tux_dude; 02-01-2009 at 08:06 PM.
 
02-01-2009, 11:11 PM   #3
Sjorrit (original poster)
Quote (tux_dude):
> Personally, I find giving FTP access to user accounts a security risk.

I'm not too fond of it either... one of the reasons I want to restrict it to certain IPs in the first place :-)

Quote (tux_dude):
> To your question, I am not aware of a solution. However, you can use proftpd with mysql and set up specific FTP accounts. You will have to enable mysql when compiling proftpd. You can then jail the required user to a specific directory. Not exactly what you're looking for, but that might help.

Well, that's just a virtual user using a MySQL backend if I understand it correctly? I don't mind using 'real' user accounts.

Quote (tux_dude):
> Just thought of this while I was typing. You can also create multiple profiles in your proftpd config file with different ports. Then use your firewall to restrict access to specific IPs on your user port (say 21 for anonymous and 2100 for authorized users). You will have to inform your authorized users to use the specified port when connecting.

Mmm, that's not ideal but the next best thing I suppose. Thanks for thinking along with me. It's also possible to launch two vsftpds from inetd, probably; vsftpd lacks multiple profile support though.

Still... if someone knows a 'perfect' solution or can confirm it's just not possible, please let me know :-)

Greets,
Jorrit
 
02-02-2009, 01:56 AM   #4
mRgOBLIN
I prefer pure-ftpd myself and it can do what you want... well, it can restrict each account to one IP address and also supports quotas and bandwidth restrictions.
 
02-02-2009, 04:51 AM   #5
Sjorrit (original poster)
Quote (mRgOBLIN):
> I prefer pure-ftpd myself and it can do what you want... well, it can restrict each account to one IP address and also supports quotas and bandwidth restrictions.

Aye indeed... but it seems ProFTPD also supports it. I can't believe I've overlooked it:

Code:
  <Class friends>
    From !1.2.3.4/8
  </Class>

  <IfUser dave>
    <Limit LOGIN>
      AllowClass friends
      DenyAll
    </Limit>
  </IfUser>
Thanks and greetings,
Jorrit
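A fuller proftpd.conf along the lines of the snippet above, added here as an example and not taken from the thread: anonymous logins from anywhere, and two real accounts each tied to its own address class. The user names jorrit and exampleuser come from the first post; the address ranges 192.0.2.0/24 and 198.51.100.0/22, the ~ftp anonymous root and the server name are assumptions.

```apache
# proftpd.conf fragment (added example, not from the thread).
# <IfUser> is provided by mod_ifsession; confirm it is compiled in with: proftpd -l
ServerName    "Example FTP"
DefaultServer on
Port          21
Umask         022

# Address classes. From accepts single addresses and CIDR blocks. A leading "!"
# negates the rule ("everyone except"), so do not put one here by accident.
<Class jorrit-net>
  From 192.0.2.0/24
</Class>

<Class exampleuser-net>
  From 198.51.100.0/22
</Class>

# Per-user login limits. Order is allow,deny by default: a login from an address
# in the class is allowed, anything else falls through to DenyAll.
<IfUser jorrit>
  <Limit LOGIN>
    AllowClass jorrit-net
    DenyAll
  </Limit>
</IfUser>

<IfUser exampleuser>
  <Limit LOGIN>
    AllowClass exampleuser-net
    DenyAll
  </Limit>
</IfUser>

# Anonymous access for everyone, read-only.
<Anonymous ~ftp>
  User              ftp
  Group             ftp
  UserAlias         anonymous ftp
  RequireValidShell off
  MaxClients        10
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
```

Two caveats a practitioner will want: a real account with no <IfUser> block is not restricted by this at all, so give every FTP-capable account a block and keep accounts that must never use FTP in /etc/ftpusers (honoured by default via UseFtpUsers); and the address check is a second gate in front of the password, not a replacement for it, since anyone inside the allowed block still has to authenticate. Test each account once from inside and once from outside its class and confirm the refusal shows up in the ProFTPD log.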
 
04-19-2009, 04:41 AM   #6
Count Zero
Hi,

I tried this solution and it works just fine when I state a full IP address. However, I'd like to restrict login to a range, thus using wildcards in the restriction. I tried it like so:
Code:
<Class USER-IP>
   From !1.2.3.*
</Class>

<IfUser USER>
   <Limit LOGIN>
      AllowClass USER-IP
      DenyAll
   </Limit>
</IfUser>
This, I had hoped, would allow my USER to log in even though his dynamically allocated IP means that the last figure of the address changes from time to time, but with this configuration USER is denied access. Does anyone know what I'm doing wrong here?

Thanks!
/CZ
 
04-19-2009, 05:40 PM   #7
Suncoast
Have you tried shifting the mask?

Ex: From !1.2.3.0/24
 
04-19-2009, 05:49 PM   #8
Suncoast
You do know the ! means NOT from.

So "From 1.2.3.0/24" would specify IPs
1.2.3.0 to 1.2.3.255.

And "From !1.2.3.0/24" would specify everything
EXCEPT 1.2.3.0 to 1.2.3.255.
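To make the two readings above concrete, here is a small Python model of how a ProFTPD <Class> with From rules decides membership, and of the <IfUser>/<Limit LOGIN> snippet around it. This is an added illustration, not ProFTPD's own code, and it makes three assumptions: a class admits a client when any one of its From rules matches (ProFTPD's default Satisfy any), a rule starting with "!" matches every address outside its block, and a rule containing "*" is read as a glob over the dotted-quad string. The user names and addresses are constructed for the example.

```python
import fnmatch
import ipaddress

# Model of ProFTPD <Class> / From matching (added example, not ProFTPD code).
# Assumptions: "Satisfy any" semantics, "!" negates a rule, "*" is a glob.

def rule_matches(rule: str, client_ip: str) -> bool:
    """Does one From rule match the connecting address?"""
    negated = rule.startswith("!")
    pattern = rule[1:] if negated else rule
    if "*" in pattern or "?" in pattern:
        hit = fnmatch.fnmatchcase(client_ip, pattern)
    else:
        # strict=False accepts "1.2.3.4/8" as written in the posts (host bits masked off)
        hit = ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return (not hit) if negated else hit


def class_matches(from_rules, client_ip: str, satisfy_all: bool = False) -> bool:
    """Class membership across several From lines (any match by default)."""
    results = [rule_matches(rule, client_ip) for rule in from_rules]
    return all(results) if satisfy_all else any(results)


def login_allowed(user_classes: dict, user: str, client_ip: str) -> bool:
    """<IfUser user><Limit LOGIN> AllowClass <class> / DenyAll </Limit></IfUser>.
    A user with no <IfUser> block is untouched by the snippet and stays allowed."""
    rules = user_classes.get(user)
    if rules is None:
        return True
    return class_matches(rules, client_ip)


# Constructed data: the rule the poster meant, the pasted one with "!", and the glob form.
USER_CLASSES = {
    "USER":      ["1.2.3.0/24"],
    "USER-BANG": ["!1.2.3.0/24"],
    "USER-GLOB": ["1.2.3.*"],
}

if __name__ == "__main__":
    for user in USER_CLASSES:
        for ip in ("1.2.3.77", "9.9.9.9"):
            verdict = "allow" if login_allowed(USER_CLASSES, user, ip) else "deny"
            print(f"{user:10} from {ip:9} -> {verdict}")
```

Running it shows the inversion the reply above describes: with "!1.2.3.0/24" the friend at 1.2.3.77 is refused while 9.9.9.9 gets in, which is exactly the symptom in post #6.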
 
04-20-2009, 10:02 AM   #9
Count Zero
Quote (Suncoast):
> You do know the ! means NOT from.
>
> So "From 1.2.3.0/24" would specify IPs
> 1.2.3.0 to 1.2.3.255.
>
> And "From !1.2.3.0/24" would specify everything
> EXCEPT 1.2.3.0 to 1.2.3.255.

Sorry, my bad. Yes, I know ! means NOT, and in my config I don't have the ! (I copied and pasted and edited the example *slams hand to forehead*). Still, that is not the issue in my case.

Anyway, no, I haven't tried to shift the mask because I might want to restrict it to the last two series of digits (i.e. 1.2.*.*). However, I'll give it a go for the ones where I only need a wildcard on the last series of digits and post back my findings.

Thanks
/CZ

EDIT: Specifying a range using 1.2.3.0/24 seems to work. I'll see if I can work something out for specifying a range for 1.2.*.*. Thanks!

Last edited by Count Zero; 04-20-2009 at 12:51 PM.
 
04-20-2009, 11:01 AM   #10
Suncoast
You're not limited to classful networks. So if you wanted 172.16.128.0 to 172.16.255.255, you would use 172.16.128.0/17. Or say you only wanted to allow everyone from your local cable company, you can do a whois lookup to see what their netblock is and permit that entire block. For example;

Code:
$ whois 209.216.72.18
Internet Junction Corporation INJU (NET-209-216-64-0-1)
                                  209.216.64.0 - 209.216.95.255

# ARIN WHOIS database, last updated 2009-04-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


$ whois NET-209-216-64-0-1

OrgName:    Internet Junction Corporation
OrgID:      INJU
Address:    12807 W. Hillsborough Ave, Unit K
City:       Tampa
StateProv:  FL
PostalCode: 33635
Country:    US

NetRange:   209.216.64.0 - 209.216.95.255
CIDR:       209.216.64.0/19   <<<<<<<<<<<<<<<<<<There's the Net to use
NetName:    INJU
NetHandle:  NET-209-216-64-0-1
(SNIP)
 
04-21-2009, 01:04 PM   #11
Count Zero
Thanks for the reply Suncoast.

I did some reading up and learned a few things about CIDR (up from zero knowledge, so that didn't take much) and I think I got the hang of how CIDR works when assigning/dividing ranges of IP addresses.

However, when I do a whois on a computer I want to add (or at least one with a very similar IP) I get this:

Code:
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag

% Information related to '83.248.0.0 - 83.248.207.255'

inetnum:        83.248.0.0 - 83.248.207.255
netname:        COMHEM-CUSTOMER
descr:          Com Hem customer broadband access
descr:          ISP
descr:          ********************************
                Abuse & intrusion reports should be done online at:
                http://www.comhem.se/portal/comhem/kundservice_abuse
                ********************************
country:        SE
admin-c:        CH1252-RIPE
tech-c:         CH1252-RIPE
status:         ASSIGNED PA
mnt-by:         COMHEM-MNT
source:         RIPE # Filtered

role:           Com Hem LIR
address:        Com Hem AB
                Visiting: Fleminggatan 18
                P.O. Box 8093
                SE-104 20  STOCKHOLM
                SWEDEN
remarks:        ********************************
                Abuse & intrusion reports should be done online at:
                http://www.comhem.se/portal/comhem/kundservice_abuse
                ********************************
phone:          +46 8 55363000
fax-no:         +46 8 6601640
abuse-mailbox:  abuse@comhem.com
org:            ORG-chA1-RIPE
admin-c:        NA1607-RIPE
tech-c:         HL1251-RIPE
nic-hdl:        CH1252-RIPE
mnt-by:         COMHEM-MNT
source:         RIPE # Filtered

% Information related to '83.248.0.0/13AS39651'

route:          83.248.0.0/13        <<<<<<<<<<<<<<<<<<<<< This one?
descr:          SE-COMHEM
origin:         AS39651
mnt-by:         COMHEM-MNT
source:         RIPE # Filtered
Now, I can't make heads or tails of this as I don't get a CIDR address and I don't get any net handle like the one you used to do your second whois look-up (where you got the CIDR).

Is it the route that I should use to allow the entire netblock?

Thanks!
/CZ
 
04-22-2009, 11:57 AM   #12
Suncoast
That route will work, but understand that is a very large network block. Over 1/2 Million hosts. I did poke around and that entire block does seem to be assigned to the same ISP.

Using default routes will not always work, as they often point to several networks. Sometimes groups of entire countries.


If your goal is to restrict access to your local town, region, etc., you might want to call the ISP and ask if they have a single local subnetwork and netmask you can use.

Steve

Last edited by Suncoast; 04-22-2009 at 12:11 PM. Reason: Removed a paragraph I'm not sure about.
 
04-22-2009, 02:09 PM   #13
Count Zero
Quote (Suncoast):
> That route will work, but understand that is a very large network block. Over 1/2 million hosts. I did poke around and that entire block does seem to be assigned to the same ISP.
>
> Using default routes will not always work, as they often point to several networks. Sometimes groups of entire countries.
>
> If your goal is to restrict access to your local town, region, etc., you might want to call the ISP and ask if they have a single local subnetwork and netmask you can use.
>
> Steve

Ok, I think I'm figuring it all out (well, maybe not all, but hopefully enough to get by)

This is among Sweden's top ten ISPs so it's probably more or less their entire network range. My friend's IP is A.B.C.D. If I'd go for something like A.B.C.0/17 that would entail some 32000 hosts plus change, right? A bit slimmer than doing the entire A.B.0.0/13, which I've gathered is 8 full class B networks. But would A.B.C.0/17 necessarily include my friend's dynamic IP when it changes? I.e. how likely is the C part of the IP to remain the same after he's been re-assigned a new IP?

Thanks for the help, it means a lot.
/CZ
 
04-22-2009, 05:06 PM   #14
Suncoast
You're right about the hosts. 2^15=32,768(-2).

On your subnet mask, C would likely get mangled unless it is a low number. The ISP is not likely to change the "C" octet by much. If no information is coming from the ISP, the trick is to get your subnet ID as close as possible by guessing. Hopefully, the following will explain which numbers to use. Pick how large a block you want, then finish that section until the IP address you have is in range. Of course, replace the x.x with the first two octets of the IP address.

Warning. You just have to stare at this for a minute, thinking number patterns, and it suddenly makes sense.

If netmask of /17 (255.255.128.0)
x.x.0.0 to x.x.127.255 would be x.x.0.0/17
x.x.128.0 to x.x.255.255 would be x.x.128.0/17
(Complete)

If netmask of /18 (255.255.192.0) (16,384 hosts each)
x.x.0.0 to x.x.63.255 would be x.x.0.0/18
x.x.64.0 to x.x.127.255 would be x.x.64.0/18
x.x.128.0 to x.x.191.255 would be x.x.128.0/18
x.x.192.0 to x.x.255.255 would be x.x.192.0/18
(Complete)

If /19 (255.255.224.0) (8,192 hosts each)
x.x.0.0 to x.x.31.255 would be x.x.0.0/19
x.x.32.0 to x.x.63.255 would be x.x.32.0/19
And so on, increment each line by 32.

If /20 (255.255.240.0) (4,096 hosts each)
x.x.0.0 to x.x.15.255 would be x.x.0.0/20
x.x.16.0 to x.x.31.255 would be x.x.16.0/20
And so on, increment each line by 16.

So if your 3rd octet (C) was 34, you would use either
x.x.0.0/17 or
x.x.0.0/18 or
x.x.32.0/19 or
x.x.32.0/20
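The whois answer in post #11 and the subnet table in post #14 can be turned into From lines mechanically. The Python below is an added example, not from the thread: it pulls the range fields out of whois text, splits a RIPE inetnum range (which is usually not a single CIDR block) into the minimal set of blocks, computes the enclosing block for an address at each prefix length exactly as the table does, and refuses a block that spills past the ISP's allocation. SAMPLE_WHOIS is an abridged copy of the RIPE output quoted above; the client address 83.248.34.5 is constructed.

```python
import ipaddress
import re

# Added example, not from the thread: whois output -> ProFTPD From lines.
# SAMPLE_WHOIS is an abridged copy of the RIPE answer quoted in post #11.
SAMPLE_WHOIS = """\
inetnum:        83.248.0.0 - 83.248.207.255
netname:        COMHEM-CUSTOMER
status:         ASSIGNED PA
route:          83.248.0.0/13
origin:         AS39651
"""


def parse_whois(text: str) -> dict:
    """Collect the range fields RIPE (inetnum, route) and ARIN (NetRange, CIDR) print.
    First occurrence wins; trailing annotations after two or more spaces are dropped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(inetnum|route|NetRange|CIDR):\s*(\S.*?)(?:\s{2,}.*)?$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2).strip())
    return fields


def range_to_cidrs(range_text: str) -> list:
    """'83.248.0.0 - 83.248.207.255' is not one block; split it into the minimal CIDR set."""
    first, last = (ipaddress.ip_address(p.strip()) for p in range_text.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def hosts_in(cidr: str) -> int:
    """Number of addresses in a block (the 'over 1/2 million' figure for a /13)."""
    return ipaddress.ip_network(cidr).num_addresses


def enclosing_block(ip: str, prefix: int) -> ipaddress.IPv4Network:
    """The /prefix block that contains ip; strict=False zeroes the host bits for us."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def candidate_blocks(ip: str, prefixes=(17, 18, 19, 20)) -> dict:
    """The table in the post above, computed: which block of each size holds ip."""
    return {p: str(enclosing_block(ip, p)) for p in prefixes}


def from_lines(ip: str, prefix: int, allocation_range: str) -> list:
    """ProFTPD From line for the chosen block, rejected if it spills past the allocation."""
    block = enclosing_block(ip, prefix)
    allocation = [ipaddress.ip_network(c) for c in range_to_cidrs(allocation_range)]
    if not any(block.subnet_of(a) for a in allocation):
        raise ValueError(f"{block} is not contained in {allocation_range}")
    return [f"From {block}"]


if __name__ == "__main__":
    info = parse_whois(SAMPLE_WHOIS)
    print("allocation as CIDR:", range_to_cidrs(info["inetnum"]))
    print("route covers", hosts_in(info["route"]), "addresses")
    client = "83.248.34.5"  # constructed address inside the allocation
    for prefix, block in candidate_blocks(client).items():
        print(f"/{prefix}: {block} ({hosts_in(block)} addresses)")
    print(from_lines(client, 19, info["inetnum"]))
```

The containment check matters because the whois inetnum ends at 83.248.207.255, so a /18 around an address in the 83.248.192.0 region would reach up to 83.248.255.255 and admit addresses the ISP does not hold; the function raises instead of emitting that line.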
 
04-23-2009, 03:27 PM   #15
Count Zero
Yes, it does take some staring, sort of like those 3D pictures that were popular a couple of years ago, but I DO see the logic in it. It's quite beautiful once one sees the rationality of it.

Restricting it to 8192 hosts should be good, the third octet on his current IP would then be about in the middle of the range it encompasses and hopefully that'll do the trick when it changes.


Suncoast, you have been a tremendous help and I've learned a lot. Thanks!

/CZ
 
  

