LinuxQuestions.org
Old 02-12-2014, 03:50 PM   #1
hgill
LQ Newbie
 
Registered: Feb 2014
Posts: 7
Blog Entries: 1

Rep: Reputation: Disabled
How to restrict FTP and SMB access to computers on the internal network.


I have just installed ftp and smb (smbclient).
I am building a server on a Raspberry Pi and I am new to this subject area.
How can I restrict FTP and SMB access to computers on the internal network only? I do not want external network access.
What do I edit in smb.conf and vsftpd.conf to achieve this?
 
Old 02-12-2014, 03:54 PM   #2
gengisdave
Member
 
Registered: Dec 2013
Location: Turin, Italy
Distribution: slackware
Posts: 193

Rep: Reputation: 44
How to restrict FTP and SMB access to computers on the internal network.

smb.conf has the host allow rule; same with vsftpd, but I don't remember which command.
 
Old 02-12-2014, 04:00 PM   #3
hgill
LQ Newbie
 
Registered: Feb 2014
Posts: 7
Blog Entries: 1

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by gengisdave View Post
smb.conf has the host allow rule; same with vsftpd, but I don't remember which command.
Please try to remember.
Don't I need to do something with [global] in smb.conf? I don't know about the ftp one.
All I want is ftp and smb access just on the internal networks, not external.
 
Old 02-12-2014, 04:39 PM   #4
gengisdave
Member
 
Registered: Dec 2013
Location: Turin, Italy
Distribution: slackware
Posts: 193

Rep: Reputation: 44
Code:
[global]
  hosts allow = 127.0.0.1 192.168.1.0/24
http://www.samba.org/samba/docs/server_security.html

for vsftp, set
Code:
tcp_wrappers=YES
in vsftpd.conf,
Code:
vsftpd: 192.168.1.
in /etc/hosts.allow and
Code:
vsftpd: ALL
in /etc/hosts.deny

Last edited by gengisdave; 02-12-2014 at 04:43 PM.
 
Old 02-12-2014, 04:49 PM   #5
hgill
LQ Newbie
 
Registered: Feb 2014
Posts: 7
Blog Entries: 1

Original Poster
Rep: Reputation: Disabled

Quote:
Originally Posted by gengisdave View Post
Code:
[global]
  hosts allow = 127.0.0.1 192.168.1.0/24
http://www.samba.org/samba/docs/server_security.html

for vsftp, set
Code:
tcp_wrappers=YES
in vsftpd.conf,
Code:
vsftpd: 192.168.1.
in /etc/hosts.allow and
Code:
vsftpd: ALL
in /etc/hosts.deny
With samba: will that allow network access on all the internal computers?
Secondly, with ftp, host allows ALL: wouldn't this allow all users? I only want internal access.
 
Old 02-12-2014, 05:17 PM   #6
gengisdave
Member
 
Registered: Dec 2013
Location: Turin, Italy
Distribution: slackware
Posts: 193

Rep: Reputation: 44
In both cases, allow connections from 192.168.1.* IPs only; change it to match your network config. vsftpd: ALL is for hosts.deny; I wrote it in a bad way, sorry.
 
Old 02-17-2014, 03:14 AM   #7
hgill
LQ Newbie
 
Registered: Feb 2014
Posts: 7
Blog Entries: 1

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by gengisdave View Post
In both cases, allow connections from 192.168.1.* IPs only; change it to match your network config. vsftpd: ALL is for hosts.deny; I wrote it in a bad way, sorry.
This did not work.
It still allows me to log in from the external network for FTP.
 
Old 02-17-2014, 03:21 AM   #8
pan64
Senior Member
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 4,000

Rep: Reputation: 1003
How can you reach it at all from the external network? Do you have a router? You can block that kind of traffic there too.
 
Old 02-17-2014, 09:31 AM   #9
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 230

Rep: Reputation: Disabled
Is this "external network" the internet? Surely you're not running these services exposed to the external WAN? I'm also assuming that you restarted vsftpd and smbd after you changed their configs?

You should look into iptables if you find that the built-in methods of restricting access to your services don't meet your needs.

As well, for samba, I believe you also need to add this to smb.conf, directly after what gengisdave gave you:

Code:
hosts deny = 0.0.0.0/0
 
Old 02-17-2014, 10:07 AM   #10
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6
Posts: 1,244

Rep: Reputation: 394
Quote:
Originally Posted by hgill View Post
This did not work.
It still allows me to log in from the external network for FTP.
Sounds like you've port forwarding for FTP enabled on your router and have it pointed at your server. If you do this on the router then the server will see the connection coming from the LAN interface of the router and not as an external IP. This is standard router NAT functionality if you enable port forwarding. Ensure you have NO ftp port forwarding on your router.

Last edited by TenTenths; 02-17-2014 at 10:12 AM. Reason: Clarification around NAT
 
Old 03-01-2014, 07:22 AM   #11
hgill
LQ Newbie
 
Registered: Feb 2014
Posts: 7
Blog Entries: 1

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TenTenths View Post
Sounds like you've port forwarding for FTP enabled on your router and have it pointed at your server. If you do this on the router then the server will see the connection coming from the LAN interface of the router and not as an external IP. This is standard router NAT functionality if you enable port forwarding. Ensure you have NO ftp port forwarding on your router.
So would that keep it to only internal networks? Is there anything that needs to be done in the ftp.conf file?
 
Old 03-01-2014, 07:57 AM   #12
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6
Posts: 1,244

Rep: Reputation: 394
If your router is NOT port forwarding you shouldn't have to make any changes to your server.
 
Old 03-01-2014, 08:25 AM   #13
hgill
LQ Newbie
 
Registered: Feb 2014
Posts: 7
Blog Entries: 1

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TenTenths View Post
If your router is NOT port forwarding you shouldn't have to make any changes to your server.
My router is port forwarding, as it needs to for other purposes. That is the main reason I want to restrict FTP use only on internal networks.
 
Old 03-02-2014, 12:20 AM   #14
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5
Posts: 16,086

Rep: Reputation: 1995
You need to restrict router port forwarding carefully; as above, it makes it look like an internal cxn to the servers you're trying to protect.
You need to deny access from the internal port of the router.
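
Added example, not part of any post in this thread: a simplified Python model of tcp_wrappers rule evaluation, run over the hosts.allow and hosts.deny rules from post #4. It shows why those rules still admit a forwarded connection under the premise of posts #10 and #14 (the server sees the router's LAN address as the source), and how the `EXCEPT` operator from hosts_access(5) excludes that one address. The router address 192.168.1.1, the client addresses and all function names are assumptions made for illustration.

```python
# Simplified model of tcp_wrappers rule evaluation (see hosts_access(5)).
# Handles only: ALL, address prefixes ending in ".", exact tokens, EXCEPT.

def match_list(tokens, value):
    """'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], value) and not match_list(tokens[i + 1:], value)
    return any(t == "ALL" or t == value or (t.endswith(".") and value.startswith(t))
               for t in tokens)

def rule_matches(line, daemon, client_ip):
    line = line.split("#", 1)[0].strip()          # drop comments and blanks
    if ":" not in line:
        return False
    daemons, clients = (part.replace(",", " ").split() for part in line.split(":")[:2])
    return match_list(daemons, daemon) and match_list(clients, client_ip)

def allowed(hosts_allow, hosts_deny, daemon, client_ip):
    """hosts.allow is consulted first, then hosts.deny; no match at all grants access."""
    if any(rule_matches(l, daemon, client_ip) for l in hosts_allow.splitlines()):
        return True
    return not any(rule_matches(l, daemon, client_ip) for l in hosts_deny.splitlines())

# Constructed sample values; none of these addresses appear in the thread.
ROUTER_LAN_IP = "192.168.1.1"      # assumption: the router's LAN-side address
CLIENTS = {
    "lan_pc": "192.168.1.23",
    "forwarded_via_router": ROUTER_LAN_IP,   # premise of posts #10 and #14
    "direct_from_internet": "203.0.113.7",
}

THREAD_ALLOW = "vsftpd: 192.168.1."          # hosts.allow rule from post #4
HARDENED_ALLOW = "vsftpd: 192.168.1. EXCEPT " + ROUTER_LAN_IP
DENY = "vsftpd: ALL"                         # hosts.deny rule from post #4

def audit(hosts_allow):
    """Return {client name: access granted?} for vsftpd under the given hosts.allow."""
    return {name: allowed(hosts_allow, DENY, "vsftpd", ip) for name, ip in CLIENTS.items()}

if __name__ == "__main__":
    print("thread rules:", audit(THREAD_ALLOW))
    print("with EXCEPT :", audit(HARDENED_ALLOW))
```

The `EXCEPT` form only changes the outcome if the router really rewrites the source address; if it preserves the original client address, the rules from post #4 already deny the connection.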
 
Old 03-02-2014, 02:00 PM   #15
hgill
LQ Newbie
 
Registered: Feb 2014
Posts: 7
Blog Entries: 1

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by chrism01 View Post
You need to restrict router port forwarding carefully; as above, it makes it look like an internal cxn to the servers you're trying to protect.
You need to deny access from the internal port of the router.
How would I do that?
At the moment I have this in my smb.conf and vsftpd.conf:
Quote:
in vsftpd.conf
tcp_wrappers=YES
in host allow
vsftpd: 192.168.1.
in host.deny
vsftpd: ALL
Listen address: 127.0.0.1
SMB:
[global]
hosts allow = 127.0.0.1 192.168.1.0/24
Samba bind interfaces yes
Bind interface: 127.0.0.1
 
  


All times are GMT -5. The time now is 11:19 AM.
