  1. #1
    Member
    Join Date
    Jul 2003
    Posts
    81

    Default Restrict FTP Access

    How can I deny FTP access for all IPs except my own?

    I've tried hosts.deny/hosts.allow

    in hosts.deny

    PURE-FTP: ALL DENY
    PURE-FTPD: ALL DENY
    FTP: ALL DENY
    FTPD: ALL DENY

    in hosts.allow

    ALL: (my.ip.number)




    I've also tried:
    iptables -A INPUT -p tcp --dport 21 -s (my.ip.number) -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j DROP




    I also have csf/lfd installed but do not see a way to do this through there...



    Anyone?
    Buffalo Web Services
    http://www.buffaloweb.com

  2. #2
    Member sawbuck's Avatar
    Join Date
    Jan 2004
    Posts
    1,313
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Using CSF, remove port 21 from the list of TCP ports and add your IP to csf.allow and csf.ignore.

    Depending on how many accounts you are dealing with a more granular approach can be found here:
    http://forums.cpanel.net/f5/new-acco...tml#post625469

  3. #3
    Member
    Join Date
    Jul 2003
    Posts
    81

    Default

    Thanks, but exactly where do I remove port 21 in CSF?
    (Also port 20, I assume?)
    Buffalo Web Services
    http://www.buffaloweb.com

  4. #4
    Member sawbuck's Avatar
    Join Date
    Jan 2004
    Posts
    1,313
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Directly under the Upgrade section in the CSF gui you'll see a "Firewall Configuration" option.

    Yes to 20, had forgotten about that.

  5. #5
    Member
    Join Date
    Jul 2003
    Posts
    81

    Default

    Yep, just figured that out, thanks!

    For anyone reading this in the future, this works like a charm. My case is that the server is dedicated and I wanted to restrict FTP access to my IP alone. Go to CSF/Firewall Configuration, find occurrences of "20,21" - there should be four:

    TCP_IN
    TCP_OUT
    UDP_IN
    UDP_OUT

    remove 20,21 from those strings. Just make sure to add your own "good" IP to "Firewall Allow IPs"!
    Buffalo Web Services
    http://www.buffaloweb.com

  6. #6
    Member
    Join Date
    Jul 2002
    Posts
    350

    Exclamation

    My apologies for bumping up this old thread, but I have a similar situation with a twist:

    I have a shared server and I need to restrict one particular domain to that user's dedicated IP.

    So that no one can FTP to that domain from anywhere else besides his own IP.

    Please assist.

    Thank you

  7. #7
    Member sawbuck's Avatar
    Join Date
    Jan 2004
    Posts
    1,313
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by furquan View Post
    So that no one can FTP to that domain from anywhere else besides his own IP.
    Not exactly what you are asking for (although it may be possible), if you have removed ports 20 and 21 as shown above you can add the following directive to csf.allow:

    tcp:in:d=21:s="IP address"

    This will allow ftp for that IP to the server but not restricted to a specific domain.

  8. #8
    Member
    Join Date
    Jul 2002
    Posts
    350

    Default

    But since this is a shared server I don't want any of the other customers to get affected by this change... ONLY this user should be able to FTP to his domain from his specific IP address.

    Everything else should stay normal for all the other customers on the server.

    Thank you

  9. #9
    Member
    Join Date
    Jan 2004
    Posts
    755

    Default

    I assume you're using non-anonymous FTP accounts? If the user doesn't have access via ftp accounts, what does it matter if they can attempt to connect (and fail)?

    Just trying to understand the issue we're trying to address

  10. #10
    Member
    Join Date
    Jul 2002
    Posts
    350

    Exclamation

    Quote Originally Posted by Lyttek View Post
    I assume you're using non-anonymous FTP accounts? If the user doesn't have access via ftp accounts, what does it matter if they can attempt to connect (and fail)?

    Just trying to understand the issue we're trying to address
    The user does exist on the domain and that is the reason we want to restrict him to his particular IP and deny access from everywhere else.

    Simply put: restrict a particular user to his domain only via his static IP, so that that domain is not accessible via FTP from anywhere else.

  11. #11
    Member Miraenda's Avatar
    Join Date
    Jul 2004
    Location
    Coralville, Iowa USA
    Posts
    244

    Default

    The only way I'm aware of to easily do this is iptables directly:

    Code:
    /sbin/iptables -I INPUT -d serverdedIP# -p tcp -m tcp --dport 21 -j DROP
    /sbin/iptables -I INPUT -s customerIP# -d serverdedIP# -p tcp -m tcp --dport 21 -j ACCEPT
    Replace customerIP# with the customer's local IP, the one he'll be connecting from to the FTP service. Replace serverdedIP# with the server's dedicated IP for the FTP site on the machine.

    To explain what the above is doing, here is what each rule means:

    Rule 1:
    /sbin/iptables ==> put into iptables
    -I ==> an insert rule at the top of the chain
    INPUT ==> the INPUT or incoming chain filter
    -d serverdedIP# ==> for the destination IP
    -p tcp -m tcp ==> on TCP
    --dport 21 ==> destination port 21 for FTP
    -j DROP ==> jump to the DROP state

    Rule 2:
    /sbin/iptables ==> put into iptables
    -I ==> an insert rule at the top of the chain
    INPUT ==> the INPUT or incoming chain filter
    -s customerIP# ==> for the source IP (originating IP)
    -d serverdedIP# ==> for the destination IP
    -p tcp -m tcp ==> on TCP
    --dport 21 ==> destination port 21 for FTP
    -j ACCEPT ==> jump to the ACCEPT (allow) state

    Now, the reason I have two insert rules for your INPUT chain is that I have no idea if you forward the INPUT chain in another rule to another table (CSF does this as do the default RedHat servers), so in order to offset any possible forwarding to another chain from INPUT after the first line, I had to force these rules into that chain before a possible forward. To do that, I used -I which puts the rules I have at the top. To ensure that the one IP is whitelisted for the customer connecting, I put that rule second, since it will insert at the top after the DROP rule based on the order I'm having them entered. Please ensure that the DROP rule is added first and the ACCEPT second in this situation. If the DROP is done second, then you'll block everyone on that IP for FTP services.

    Once you've done the rules and checked it works, you can save the rules so they'll stick on server reboot:

    Code:
    service iptables save
    I did test these rules on a machine of mine and it worked properly to restrict FTP access from every other IP besides my local computer:

    My local system (the IP I had whitelisted in the firewall) connecting to my dedicated IP for FTP
    Code:
    $ ftp 67.210.103.23
    Connected to 67.210.103.23.
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 2 of 50 allowed.
    220-Local time is now 05:49. Server port: 21.
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    Two of my test machines that weren't whitelisted to connect to that dedicated IP for FTP
    Code:
    [root@scratchy:~] # ftp 67.210.103.23
    ftp: connect: Connection timed out
    Code:
    [root@itchy:~] # ftp 67.210.103.23
    ftp: connect: Connection timed out
    One other point I wanted to cover, since the original thread opener mentioned it: the service listed for WHM > Host Access Control (which controls the /etc/hosts.allow file) is not PURE-FTPD nor pure-ftpd but ftp only. If you start typing the letters ft in WHM > Host Access Control, you'll see it suggest ftp as the service's name. To block all FTP access on a machine using Host Access Control for all IPs but select ones, it would be the following:

    Code:
    Daemon     Access List   Action   Comment
    ftp        MyIP#         allow
    ftp        ALL           deny
    Last edited by Miraenda; 08-06-2010 at 08:01 AM.
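As an added illustration (not Miraenda's code, and a toy model rather than real iptables), the following simulates the INPUT chain with the two rules above, using constructed sample addresses in place of serverdedIP# and customerIP#. It shows why the DROP rule must be typed first (since `-I` prepends, the rule typed last is evaluated first) and why traffic to the shared IP, and to other ports, is unaffected, which is the point made later in the thread about needing a dedicated IP.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses standing in for serverdedIP# / customerIP#.
DEDICATED_IP = "192.0.2.10"   # dedicated IP of the restricted FTP site
SHARED_IP = "192.0.2.20"      # shared IP used by every other account
CUSTOMER_IP = "198.51.100.7"  # the customer's static, whitelisted IP
OTHER_IP = "203.0.113.9"      # any other client

@dataclass(frozen=True)
class Rule:
    target: str                # -j ACCEPT or -j DROP
    dport: int                 # --dport
    dst: Optional[str] = None  # -d ; None matches any destination
    src: Optional[str] = None  # -s ; None matches any source
    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (dport == self.dport and self.dst in (None, dst)
                and self.src in (None, src))

class InputChain:
    """Toy INPUT chain: first matching rule wins, else the policy applies."""
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules, self.policy = [], policy
    def insert(self, rule: Rule) -> None:
        self.rules.insert(0, rule)  # `-I` prepends: last typed, first checked
    def verdict(self, src: str, dst: str, dport: int = 21) -> str:
        for rule in self.rules:
            if rule.matches(src, dst, dport):
                return rule.target
        return self.policy

DROP_ALL_TO_DEDICATED = Rule("DROP", 21, dst=DEDICATED_IP)
ALLOW_CUSTOMER = Rule("ACCEPT", 21, dst=DEDICATED_IP, src=CUSTOMER_IP)

def build_chain(*typed_in_order: Rule) -> InputChain:
    """Apply rules in the order an admin types the two iptables commands."""
    chain = InputChain()
    for rule in typed_in_order:
        chain.insert(rule)
    return chain

def ftp_verdicts(chain: InputChain) -> dict:
    return {"customer->dedicated": chain.verdict(CUSTOMER_IP, DEDICATED_IP),
            "other->dedicated": chain.verdict(OTHER_IP, DEDICATED_IP),
            "other->shared": chain.verdict(OTHER_IP, SHARED_IP),
            "other->dedicated:80": chain.verdict(OTHER_IP, DEDICATED_IP, 80)}

# The post's order (DROP typed first, ACCEPT second) vs. the reversed order.
CORRECT = ftp_verdicts(build_chain(DROP_ALL_TO_DEDICATED, ALLOW_CUSTOMER))
REVERSED = ftp_verdicts(build_chain(ALLOW_CUSTOMER, DROP_ALL_TO_DEDICATED))
```

In the reversed order the DROP rule sits on top and the customer is locked out along with everyone else, exactly the failure the post warns about.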

  12. #12
    Member
    Join Date
    Jul 2002
    Posts
    350

    Default

    Miraenda:

    Thank you very very much for your detailed response, but I still have one question about your code:

    Code:
    /sbin/iptables -I INPUT -d serverdedIP# -p tcp -m tcp --dport 21 -j DROP
    /sbin/iptables -I INPUT -s customerIP# -d serverdedIP# -p tcp -m tcp --dport 21 -j ACCEPT

    It does not address my main concern, the one particular domain name that I want to restrict FTP to.

    This restriction should apply to one particular domain on the shared server.

    Am I missing something?

  13. #13
    Member Miraenda's Avatar
    Join Date
    Jul 2004
    Location
    Coralville, Iowa USA
    Posts
    244

    Default

    I had thought you had a dedicated IP on that domain from your original reply:

    I have a shared server and I need to restrict one particular domain to that user's dedicated IP.
    I see now you meant the customer's IP on their local PC is dedicated, not that the account on your machine has a dedicated IP.

    If you do not have a dedicated IP on the domain, then what you want to do is not going to be possible. You will need to put that domain on a dedicated IP for this to work.

    As far as I'm aware, there's no way to properly restrict by domain name in iptables when multiple hosts are on the same IP (iptables will resolve any domain to the DNS A record the domain has and thereby basically block the shared IP), so you have to restrict by IP. If you have the domain on a dedicated IP, then you can restrict it and the restriction won't impact any other accounts on the machine on any other IPs (shared IP or other dedicated IPs). If you don't have the domain on a dedicated IP, nothing that I know of will easily perform this task.
    Last edited by Miraenda; 08-06-2010 at 01:12 PM.

  14. #14
    Member
    Join Date
    Jul 2002
    Posts
    350

    Thumbs up

    Yes, Miraenda:

    The user has a dedicated IP on his end but the account is on a shared server, and I need to restrict that domain to only be accessible via that IP and from nowhere else.

    But I highly appreciate your assistance on this.

    Thank you very much for your response

  15. #15
    Member
    Join Date
    Jan 2004
    Posts
    755

    Default

    What Miraenda is saying is that on the shared server, the account in question needs to be on a dedicated IP... so that this single site uses the dedicated IP, not the shared IP.
