Host Access Control not working for FTP

monkey64

Well-Known Member
Nov 6, 2011
103
4
68
cPanel Access Level
Root Administrator
I am the only user who accesses the server either by FTP or SSH.
My goal is to limit FTP access to the 2 IPs I ever use to access the server.

I successfully limited SSH access using
Main => Security Center => Host Access Control.

But, for some reason it won't work for FTP?

I removed my SSH rules and started from scratch.
This is what I have tried:

Daemon - ftp
Access List - ALL
Action - deny

After restarting ftpd, I can still FTP in on any IP.
Any ideas?
 

monkey64

Thanks for the link and yes I am using Pure-FTPD.

What you describe indicates a problem with the OpenSSH rpm from your Operating System vendor. You can attempt to re-install this rpm to resolve the issue, or open a support request at https://tickets.cpanel.net/submit/
The above seems to be the solution, but I'm not sure I want to re-install the rpm.

I have tried various methods to deny access in /etc/proftp.conf, without success:
This method used to work in the past...

Code:
<Limit LOGIN>
Order deny,allow
Deny from 10.1.1.
Allow from all
</Limit>

There must be an easier way...
 

monkey64

Tried switching the FTP server to ProFTPd, which, as the post says, supports TCP Wrapper.
Host Access Control still has no effect on FTP connections.

This really doesn't feel very secure...
 

monkey64

Here's some feedback after I submitted the ticket and those excellent cPanel guys got things working:

The following needs to be added at the top of /etc/proftpd.conf, after the ServerName section:

Code:
TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
TCPServiceName ftp
# TCPAccessSyslogLevels debug warn

AND for each Virtual Host.

That's it. Now Host Access Control works as it should.
 

cPanelKeithS

Active Member
Staff member
Oct 14, 2008
32
1
133
Here's some feedback after I submitted the ticket and those excellent cPanel guys got things working:

The following needs to be added at the top of /etc/proftpd.conf, after the ServerName section:

Code:
TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
TCPServiceName ftp
# TCPAccessSyslogLevels debug warn

AND for each Virtual Host.

That's it. Now Host Access Control works as it should.

Example VirtualHost for additional IPs:
Code:
<VirtualHost 192.168.0.22>
  ServerName ftp.example.tld
  AuthUserFile /etc/proftpd/example
  MaxClients 3 "Sorry, this ftp server has reached its maximum user count (%m).  Please try again later"
  DirFakeGroup On ftpgroup
  DirFakeUser On ftpuser
  DefaultRoot ~

  TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
  TCPServiceName ftp
[truncated]
Note: Proftpd should add the VirtualHost container for the additional IPs. The two additional directives for access control just need to be added inside of the VirtualHost.
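
One way to check the fix described in this thread, that the two TCP Wrapper directives are present in the main server section and in every VirtualHost (an added example, not code from the posts or from cPanel). It parses a constructed proftpd.conf sample with placeholder addresses; the helper name `audit_wrap_directives` is hypothetical, and the expected daemon name defaults to the `ftp` used in the Host Access Control rule above.

```python
import re

# Constructed sample config: addresses and host names are placeholders.
SAMPLE_CONF = """\
ServerName "main"
TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
TCPServiceName ftp

<VirtualHost 192.0.2.10>
  TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
  TCPServiceName ftp
</VirtualHost>

<VirtualHost 192.0.2.11>
  # TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
  TCPServiceName proftpd
</VirtualHost>
"""

SECTION = re.compile(r"<\s*(/?)\s*(\w+)\s*([^>]*)>")

def audit_wrap_directives(conf_text, daemon="ftp"):
    """Hypothetical helper: {context: [problems]} for the main server and each VirtualHost."""
    found = {"server config": {}}
    current = "server config"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is not in effect
        m = SECTION.match(line)
        if m:
            closing, tag, arg = m.groups()
            if tag.lower() == "virtualhost":
                current = "server config" if closing else "VirtualHost " + arg.strip()
                found.setdefault(current, {})
            continue  # other sections (<Limit>, ...) stay in the enclosing context
        name, value = (line.split(None, 1) + [""])[:2]
        found[current][name.lower()] = value.strip()
    report = {}
    for ctx, directives in found.items():
        problems = []
        if "tcpaccessfiles" not in directives:
            problems.append("TCPAccessFiles missing")
        if directives.get("tcpservicename") != daemon:
            problems.append("TCPServiceName is not " + daemon)
        report[ctx] = problems
    return report

if __name__ == "__main__":
    for ctx, problems in audit_wrap_directives(SAMPLE_CONF).items():
        print(ctx, "->", problems or "ok")
```

An empty list for a context means both directives are set there; any other result names a server or VirtualHost where Host Access Control rules for that daemon would not be consulted.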
 