Anonymous FTP for all, user FTP logins only for specific IP ranges
Hello,
Is there a way to enable anonymous FTP access for everyone, yet restrict user logins to specific IP ranges? Preferably even on a per-user basis. For example:
My apologies in advance if this is really obvious. Thanks, Jorrit
Personally, I find giving FTP access to user accounts a security risk.
To your question, I am not aware of a solution. However, you can use proftpd with mysql and set up specific FTP accounts. You will have to enable mysql when compiling proftpd. You can then jail the required user to a specific directory. Not exactly what you're looking for, but that might help. Just thought of this while I was typing. You can also create multiple profiles in your proftpd config file with different ports. Then use your firewall to restrict access to specific IPs on your user port (say 21 for anonymous and 2100 for authorized users). You will have to inform your authorized users to use the specified port when connecting.
Still... if someone knows a 'perfect' solution or can confirm it's just not possible, please let me know :-) Greets, Jorrit
I prefer pure-ftpd myself and it can do what you want... well, it can restrict each account to one IP address and also supports quotas and bandwidth restrictions.
Code:
<Class friends>
Jorrit
Hi,
I tried this solution and it works just fine when I state a full IP address. However, I'd like to restrict login to a range, thus using wildcards in the restriction. I tried it like so:
Code:
<Class USER-IP>
Thanks! /CZ
Have you tried shifting the mask?
Ex: From !1.2.3.0/24
You do know the ! means NOT from.
So "From 1.2.3.0/24" would specify IPs 1.2.3.0 to 1.2.3.255. And "From !1.2.3.0/24" would specify everything EXCEPT 1.2.3.0 to 1.2.3.255.
Anyway, no, I haven't tried to shift the mask because I might want to restrict it to the last two series of digits (i.e. 1.2.*.*). However, I'll give it a go for the ones where I only need a wildcard on the last series of digits and post back my findings. Thanks /CZ
EDIT: Specifying a range using 1.2.3.0/24 seems to work. I'll see if I can work something out for specifying a range for 1.2.*.*. Thanks!
You're not limited to classful networks. So if you wanted 172.16.128.0 to 172.16.255.255, you would use 172.16.128.0/17. Or say you only wanted to allow everyone from your local cable company, you can do a whois lookup to see what their netblock is and permit that entire block. For example:
Code:
$ whois 209.216.72.18
Thanks for the reply, Suncoast.
I did some reading up and learned a few things about CIDR (up from zero knowledge so that didn't take much) and I think I got the hang of how CIDR works when assigning/dividing ranges of IP addresses. However, when I do a whois on a computer I want to add (or at least one with a very similar IP) I get this:
Code:
% This is the RIPE Whois query server #2.
Is it the route that I should use to allow the entire netblock? Thanks! /CZ
That route will work, but understand that is a very large network block. Over 1/2 million hosts. I did poke around and that entire block does seem to be assigned to the same ISP.
Using default routes will not always work, as they often point to several networks. Sometimes groups of entire countries. If your goal is to restrict access to your local town, region, etc., you might want to call the ISP and ask if they have a single local subnetwork and netmask you can use. Steve
This is among Sweden's top ten ISPs so it's probably more or less their entire network range. My friend's IP is A.B.C.D. If I'd go for something like A.B.C.0/17 that would entail some 32000 hosts plus change, right? A bit slimmer than doing the entire A.B.0.0/13, which I've gathered is 8 full class B networks. But would A.B.C.0/17 necessarily include my friend's dynamic IP when it changes? I.e. how likely is the C part of the IP to remain the same after he's been re-assigned a new IP? Thanks for the help, it means a lot. /CZ
You're right about the hosts. 2^15=32,768(-2).
On your subnet mask, C would likely get mangled unless it is a low number. The ISP is not likely to change the "C" octet by much. If no information is coming from the ISP, the trick is to get your subnet ID as close as possible by guessing. Hopefully, the following will explain which numbers to use. Pick how large a block you want, then finish that section until the IP address you have is in range. Of course, replace the x.x with the first two octets of the IP address. Warning. You just have to stare at this for a minute, thinking number patterns, and it suddenly makes sense.

If netmask of /17 (255.255.128.0):
x.x.0.0 to x.x.127.255 would be x.x.0.0/17
x.x.128.0 to x.x.255.255 would be x.x.128.0/17 (Complete)

If netmask of /18 (255.255.192.0) (16,384 hosts each):
x.x.0.0 to x.x.63.255 would be x.x.0.0/18
x.x.64.0 to x.x.127.255 would be x.x.64.0/18
x.x.128.0 to x.x.191.255 would be x.x.128.0/18
x.x.192.0 to x.x.255.255 would be x.x.192.0/18 (Complete)

If /19 (255.255.224.0) (8,192 hosts each):
x.x.0.0 to x.x.31.255 would be x.x.0.0/19
x.x.32.0 to x.x.63.255 would be x.x.32.0/19
And so on, increment each line by 32.

If /20 (255.255.240.0) (4,096 hosts each):
x.x.0.0 to x.x.15.255 would be x.x.0.0/20
x.x.16.0 to x.x.31.255 would be x.x.16.0/20
And so on, increment each line by 16.

So if your 3rd octet (C) was 34, you would use either x.x.0.0/17 or x.x.0.0/18 or x.x.32.0/19 or x.x.32.0/20.
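As an added worked example (not code from the thread), the block table above can be reproduced mechanically: zero the host bits of the address under the chosen netmask to get the aligned block, then emit that block as a proftpd <Class> From line like the ones CZ was building. The address 1.2.34.56 (third octet 34, as in Suncoast's example) and the class name "friends" are constructed sample values.

```python
import ipaddress

def netmask(prefix: int) -> str:
    """Dotted netmask for a /prefix, e.g. 19 -> 255.255.224.0."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))

def aligned_block(ip: str, prefix: int):
    """Return (cidr, first, last, size) of the aligned /prefix block that holds ip.
    size counts every address in the block; subtract 2 for network and broadcast
    to get usable hosts (the "(-2)" in the post above)."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = addr & mask                      # zero the host bits: x.x.34.56 -> x.x.32.0 for /19
    bcast = net | (~mask & 0xFFFFFFFF)     # set the host bits: x.x.63.255 for /19
    return (f"{ipaddress.IPv4Address(net)}/{prefix}",
            str(ipaddress.IPv4Address(net)),
            str(ipaddress.IPv4Address(bcast)),
            bcast - net + 1)

def candidate_blocks(ip: str, prefixes=(17, 18, 19, 20)):
    """The one block of each size that contains ip (the "/17 or /18 or /19 or /20" choice)."""
    return [aligned_block(ip, p)[0] for p in prefixes]

def proftpd_class(name: str, cidrs) -> str:
    """Render a proftpd <Class> stanza with one From line per CIDR block."""
    lines = [f"<Class {name}>"] + [f"  From {c}" for c in cidrs] + ["</Class>"]
    return "\n".join(lines)

def contains(cidr: str, ip: str) -> bool:
    """Check whether a newly assigned (dynamic) address still falls inside the chosen block."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(cidr)

if __name__ == "__main__":
    friend = "1.2.34.56"   # constructed sample address
    for cidr in candidate_blocks(friend):
        prefix = int(cidr.split("/")[1])
        _, first, last, size = aligned_block(friend, prefix)
        print(f"{cidr:16} ({netmask(prefix)})  {first} to {last}  {size} addresses")
    # Pick the 8,192-address block CZ settled on and render the Class stanza
    print(proftpd_class("friends", [aligned_block(friend, 19)[0]]))
```

Running it prints the /17, /18, /19 and /20 rows for that address (1.2.0.0/17, 1.2.0.0/18, 1.2.32.0/19, 1.2.32.0/20) followed by a ready-to-paste <Class friends> stanza; contains() lets you check later whether the friend's new address still lands inside the block.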
Yes, it does take some staring, sort of like those 3D pictures that were popular a couple of years ago, but I DO see the logic in it. It's quite beautiful once one sees the rationality of it.
Restricting it to 8192 hosts should be good; the third octet on his current IP would then be about in the middle of the range it encompasses and hopefully that'll do the trick when it changes. Suncoast, you have been a tremendous help and I've learned a lot. Thanks! /CZ
Glad I could help. I enjoyed the exercise. And IPV4 subnetting is truly elegant. I will miss it when IPV6 takes over.
Steve