How to restrict FTP access to particular IP?

hustla66

Registered
Mar 4, 2013
3
0
1
cPanel Access Level
Root Administrator
Hello,

I am administrating a server running WHM/cPanel on root level. I would like to know how to properly restrict FTP access to limited amount of IPs and deny all others? I have restricted WHM, SSH and CP areas with Host Access Control but this will not work for proper FTP restricting.

I believe this is done trough SSH and iptable rules. Please give me examples and solutions for this!

Your help is much appreciated!
 

hustla66

Registered
Mar 4, 2013
3
0
1
cPanel Access Level
Root Administrator
I am familiar with it's interface and used it for a couple of times to whitelist some IPs trough firewall. I have also reviewed the iptable rules trough the interface there, but don't know how to do restrict particular IPs for the port of FTP. Thanks
 

anton_latvia

Well-Known Member
PartnerNOC
May 11, 2004
380
10
168
Latvia
cPanel Access Level
Root Administrator
If you only want to allow several IPs to FTP, remove ports 20 and 21 from allowed incoming port list in CSF and then add those happy-IPs to the whitelisted list.
 

hustla66

Registered
Mar 4, 2013
3
0
1
cPanel Access Level
Root Administrator
If you only want to allow several IPs to FTP, remove ports 20 and 21 from allowed incoming port list in CSF and then add those happy-IPs to the whitelisted list.
Could you please instruct step by step? Where and how to remove these ports? Then whitelisting IPs is trough the Quick-Allow feature?
 

quietFinn

Well-Known Member
Feb 4, 2006
1,072
32
178
Finland
cPanel Access Level
Root Administrator
Could you please instruct step by step? Where and how to remove these ports? Then whitelisting IPs is trough the Quick-Allow feature?
You remove ports in WHM-> Plugins-> ConfigServer Security & Firewall-> Firewall Configuration-> TCP_IN
Remove ports 20 & 21 from the list, scroll down, click "Change" and then "Restart csf+lfd".

You allow specifict IPs to use FTP like this:
WHM-> Plugins-> ConfigServer Security & Firewall-> Firewall Allow IPs:
you add lines like this:
tcp|in|d=20_21|s=IP_ADDRESS_HERE

that allows connections from that IP to ports 20 & 21.

then click "Change" and "Restart csf+lfd".