LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Can I disable reverse lookups in vsftpd? (https://www.linuxquestions.org/questions/linux-server-73/can-i-disable-reverse-lookups-in-vsftpd-627009/)

witch_doctor 03-10-2008 12:04 PM
Can I disable reverse lookups in vsftpd?
 
Hi all,
I'm using Fedora 8 in a machine at work and I have set up a vsftpd server. I need to limit access to it to only a few clients which I have put in my hosts.allow file. One of them is a client having a dynamic IP from an ISP, so he uses dynamic DNS to map his IP to his hostname every time.
vsftpd does a reverse lookup which of course fails, and denies access. Is there any way to disable r-lookups either in vsftpd or in xinetd to remedy this?

thanks.

trickykid 03-10-2008 12:33 PM
What do your logs indicated? I never heard or know of an option in vsftpd that denies access due to reverse dns lookups. I would believe the issue is something else and not due to a dynamic IP.

witch_doctor 03-10-2008 11:59 PM
Mar 11 06:48:15 myserver xinetd[4719]: START: ftp pid=4721 from=11.22.33.44
Mar 11 06:48:15 myserver xinetd[4721]: libwrap refused connection to ftp (libwrap=vsftpd) from 11.22.33.44
Mar 11 06:48:15 myserver xinetd[4721]: FAIL: ftp libwrap from=11.22.33.44
Mar 11 06:48:15 myserver xinetd[4719]: EXIT: ftp status=0 pid=4721 duration=0(sec)

I believe this is a rererse lookup failure. When I dig the client hostname from the server I get the right IP (in my example 11.22.33.44). But when I reverse the dig (dig -x 11.22.33.44) I get the hostname of the client's ISP, which is logical. libwrap fools vsftpd into balieving this is a spoofed hostname, and so rejects the connection.
When I put the IP 11.22.33.44 into hosts.allow, vsftpd accepts the connection.


Just to clarify: When I said "dynamic IP" in my first post I did not mean "private (eg 192.168.x.x), I meant it as an address allocated dynamically by the ISP each time the client's computer boots. The address is public, it just isn't the same accross boots.

witch_doctor 03-11-2008 12:11 AM
I think I solved it. I just put the hostname that came up from the reverse lookup in hosts.allow and it works! I think this is the hostname given to the clients rooter by the ISP, so it is static to his account. If so, problem solved.

witch_doctor 03-11-2008 02:36 PM
Nope... The hostname is not static either, which makes sense. I wish there was some option as there is in proftpd to disable reverse lookups.

trickykid 03-11-2008 02:58 PM
Well, libwrap ties in with TCPWrapper which is probably blocking these users since you're using the hosts.allow and probably the host.deny.

Are you trying to limit the connections to the hosts with anonymous logins? Why not create actual accounts and drop the wrappers with trying to deny or allow access. Or just setup a good iptables firewall rules for the hosts you want to have access to ftp.

witch_doctor 03-12-2008 12:28 AM
Yes, I'll probably follow one of the alternatives you propose. This is just a temporary ftp server, I wanted it to have as simple a configuration as possible and not affect the rest of the system. Thanks for your answers anyway!

linuxquestions_forum_use 12-19-2010 02:15 PM
To turn off reverse DNS on my vsftpd server, I added this to the .conf file:

reverse_lookup_enable=NO

It got rid of the slow 20 or 30 second ftp login I was getting before.


All times are GMT -5. The time now is 09:13 PM.