The Community Forums


Restrict FTP Access

Discussion in 'Security' started by BuffaloWeb, Feb 23, 2010.

  1. BuffaloWeb

    BuffaloWeb Well-Known Member

    Joined:
    Jul 1, 2003
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    How can I deny FTP access for all IPs except my own?

    I've tried hosts.deny/hosts.allow

    in hosts.deny

    PURE-FTP: ALL :DENY
    PURE-FTPD: ALL :DENY
    FTP: ALL :DENY
    FTPD: ALL :DENY

    in hosts.allow

    ALL: (my.ip.number)




    I've also tried:
    iptables -A INPUT -p tcp --dport 21 -s (my.ip.number) -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j DROP




    I also have csf/lfd installed but do not see a way to do this through there...



    Anyone?
     
  2. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
  3. BuffaloWeb

    BuffaloWeb Well-Known Member

    Joined:
    Jul 1, 2003
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Thanks, but exactly where do I remove port 21 in CSF? :)
    (Also port 20, I assume?)
     
  4. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Directly under the Upgrade section in the CSF gui you'll see a "Firewall Configuration" option.

    Yes to 20, had forgotten about that.
     
  5. BuffaloWeb

    BuffaloWeb Well-Known Member

    Joined:
    Jul 1, 2003
    Messages:
    83
    Likes Received:
    0
    Trophy Points:
    6
    Yep, just figured that out, thanks!

    For anyone reading this in the future, this works like a charm. My case is that the server is dedicated and I wanted to restrict FTP access to my IP alone. Go to CSF/Firewall Configuration, find occurrences of "20,21" - there should be four:

    TCP_IN
    TCP_OUT
    UDP_IN
    UDP_OUT

    remove 20,21 from those strings. Just make sure to add your own "good" IP to "Firewall Allow IPs"!
     
  6. furquan

    furquan Well-Known Member

    Joined:
    Jul 27, 2002
    Messages:
    425
    Likes Received:
    0
    Trophy Points:
    16
    My apologies for bumping this old thread, but I have a similar situation with a twist:

    I have a shared server and I need to restrict one particular domain to that user's dedicated IP.

    So that no one can FTP to that domain from anywhere else besides his own IP.

    Please assist.

    Thank you
     
  7. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Not exactly what you are asking for (although it may be possible), if you have removed ports 20 and 21 as shown above you can add the following directive to csf.allow:

    tcp:in:d=21:s="IP address"

    This will allow ftp for that IP to the server but not restricted to a specific domain.
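    The GUI steps in post 5 (remove 20,21 from TCP_IN/TCP_OUT/UDP_IN/UDP_OUT, then add the admin IP under "Firewall Allow IPs") and the csf.allow directive in post 7 both come down to edits of two files on disk. The script below is an added example, not code from this thread or from CSF itself: it removes exactly the entries 20 and 21 from the four port lists in a csf.conf and appends the port-scoped allow directive to a csf.allow, working on whatever file paths it is given. The sample csf.conf fragment and the admin IP 192.0.2.10 are constructed; on a cPanel server the real files are /etc/csf/csf.conf and /etc/csf/csf.allow, and csf has to be restarted (csf -r) for the change to apply.

```shell
#!/bin/sh
# Added example (not from the thread): the CSF edits described in posts 5 and 7,
# done on the files behind the GUI. File paths are passed in; the demo at the
# bottom uses a constructed csf.conf fragment and a constructed admin IP.

# Remove exactly the entries "20" and "21" from the TCP_IN/TCP_OUT/UDP_IN/UDP_OUT
# lists of the csf.conf at $1. Entries are compared whole, so ports such as
# 2121 or 21000 elsewhere in the list are left alone.
strip_ftp_ports() {
    conf="$1"
    awk -F'"' 'BEGIN { OFS = "\"" }
        $1 ~ /^(TCP|UDP)_(IN|OUT) = $/ && NF >= 3 {
            n = split($2, port, ","); kept = ""
            for (i = 1; i <= n; i++) {
                if (port[i] == "20" || port[i] == "21") continue
                kept = kept (kept == "" ? "" : ",") port[i]
            }
            $2 = kept
        }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Whitelist one source IP ($2) for the FTP control port only, using the same
# csf.allow advanced directive sawbuck quotes. Idempotent: no duplicate lines.
allow_ftp_from() {
    allowfile="$1"; ip="$2"
    entry="tcp:in:d=21:s=$ip"
    grep -qxF "$entry" "$allowfile" 2>/dev/null || printf '%s\n' "$entry" >> "$allowfile"
}

# Print the port list of one csf.conf setting, e.g.: port_list csf.conf TCP_IN
port_list() {
    sed -n "s/^$2 = \"\(.*\)\"/\1/p" "$1"
}

# Demo on a constructed csf.conf fragment in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/csf.conf" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123,873,6277"
EOF
strip_ftp_ports "$demo_dir/csf.conf"
allow_ftp_from "$demo_dir/csf.allow" "192.0.2.10"   # constructed admin IP
cat "$demo_dir/csf.conf" "$demo_dir/csf.allow"
rm -rf "$demo_dir"
```

Removing the control port 21 is what actually stops sessions from other addresses; port 20 is only the active-mode data port, and passive-mode transfers use pure-ftpd's separate passive range, which cannot be used without a control connection first. Keep the allow entry scoped to d=21 as shown rather than whitelisting the whole IP, so the exception is no broader than the thing being locked down.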
     
  8. furquan

    furquan Well-Known Member

    Joined:
    Jul 27, 2002
    Messages:
    425
    Likes Received:
    0
    Trophy Points:
    16
    But since this is a shared server I don't want any of the other customers to be affected by this change... ONLY this user should be able to FTP to his domain from his specific IP address.

    The rest should all be normal for all the customers on the server.

    Thank you
     
  9. Lyttek

    Lyttek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    770
    Likes Received:
    3
    Trophy Points:
    18
    I assume you're using non-anonymous FTP accounts? If the user doesn't have access via ftp accounts, what does it matter if they can attempt to connect (and fail)?

    Just trying to understand the issue we're trying to address :)
     
  10. furquan

    furquan Well-Known Member

    Joined:
    Jul 27, 2002
    Messages:
    425
    Likes Received:
    0
    Trophy Points:
    16
    The user does exist on the domain and that is the reason we want to restrict him to his particular IP and deny from everywhere else.

    In short, restrict a particular user to his domain only via his static IP, so that the domain is not accessible via FTP from anywhere else.
     
  11. Miraenda

    Miraenda Well-Known Member

    Joined:
    Jul 28, 2004
    Messages:
    242
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Coralville, Iowa USA
    The only way that I'm aware of how to easily do this is iptables directly:

    Code:
    /sbin/iptables -I INPUT -d serverdedIP# -p tcp -m tcp --dport 21 -j DROP
    /sbin/iptables -I INPUT -s customerIP# -d serverdedIP# -p tcp -m tcp --dport 21 -j ACCEPT
    Replace customerIP# with the IP for the customer's local IP he'll be connecting with to the FTP service. Replace serverdedIP# with the server's dedicated IP for the FTP site on the machine.

    To explain what the above is doing, here is what each rule means:

    Rule 1:
    /sbin/iptables ==> put into iptables
    -I ==> an insert rule at the top of the chain
    INPUT ==> the INPUT or incoming chain filter
    -d serverdedIP# ==> for the destination IP
    -p tcp -m tcp ==> on TCP
    --dport 21 ==> destination port 21 for FTP
    -j DROP ==> jump to the DROP state

    Rule 2:
    /sbin/iptables ==> put into iptables
    -I ==> an insert rule at the top of the chain
    INPUT ==> the INPUT or incoming chain filter
    -s customerIP# ==> for the source IP (originating IP)
    -d serverdedIP# ==> for the destination IP
    -p tcp -m tcp ==> on TCP
    --dport 21 ==> destination port 21 for FTP
    -j ACCEPT ==> jump to the ACCEPT (allow) state

    Now, the reason I have two insert rules for your INPUT chain is that I have no idea if you forward the INPUT chain in another rule to another table (CSF does this as do the default RedHat servers), so in order to offset any possible forwarding to another chain from INPUT after the first line, I had to force these rules into that chain before a possible forward. To do that, I used -I which puts the rules I have at the top. To ensure that the one IP is whitelisted for the customer connecting, I put that rule second, since it will insert at the top after the DROP rule based on the order I'm having them entered. Please ensure that the DROP rule is added first and the ACCEPT second in this situation. If the DROP is done second, then you'll block everyone on that IP for FTP services.

    Once you've done the rules and checked it works, you can save the rules so they'll stick on server reboot:

    Code:
    service iptables save
    I did test these rules on a machine of mine and it worked properly to restrict FTP access from every other IP besides my local computer:

    My local system (the IP I had whitelisted in the firewall) connecting to my dedicated IP for FTP
    Code:
    $ ftp 67.210.103.23
    Connected to 67.210.103.23.
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 2 of 50 allowed.
    220-Local time is now 05:49. Server port: 21.
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    Two of my test machines that weren't whitelisted to connect to that dedicated IP for FTP
    Code:
    [root@scratchy:~] # ftp 67.210.103.23
    ftp: connect: Connection timed out
    Code:
    [root@itchy:~] # ftp 67.210.103.23
    ftp: connect: Connection timed out
    One other point I wanted to cover, since the original thread opener mentioned it: the service name for WHM > Host Access Control (which controls the /etc/hosts.allow file) is neither PURE-FTPD nor pure-ftpd but simply ftp. If you start typing the letters ft in WHM > Host Access Control, you'll see it suggest ftp for the service's name. To block all FTP access to a machine using Host Access Control for all IPs but select ones, it would be the following:

    Code:
    Daemon     Access List   Action   Comment
    ftp        MyIP#         allow
    ftp        ALL           deny
     
    #11 Miraenda, Aug 6, 2010
    Last edited: Aug 6, 2010
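    The ordering point in this post (DROP inserted first, ACCEPT second, so that -I leaves the ACCEPT on top) is easy to get backwards and lock yourself out. The script below is an added example, not Miraenda's code: it applies the same two rules in the required order and provides a check that reads an iptables -S INPUT listing and confirms the customer's ACCEPT precedes the catch-all DROP. The addresses 203.0.113.5 (server dedicated IP) and 192.0.2.10 (customer IP) are constructed placeholders; by default the script only echoes the iptables commands, and IPTABLES=/sbin/iptables makes it run them for real.

```shell
#!/bin/sh
# Added example (not Miraenda's code): the two rules from the post applied in
# the order it insists on, plus a check of the resulting chain order.
# IPTABLES defaults to a dry run that echoes the commands; on a live server,
# run with IPTABLES=/sbin/iptables to apply them.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"

# Insert the rules for server IP $1 and customer IP $2. Because -I pushes each
# rule to the top of INPUT, the DROP goes in first so the ACCEPT inserted
# afterwards lands above it.
ftp_lockdown() {
    server_ip="$1"; client_ip="$2"
    $IPTABLES -I INPUT -d "$server_ip" -p tcp -m tcp --dport 21 -j DROP
    $IPTABLES -I INPUT -s "$client_ip" -d "$server_ip" -p tcp -m tcp --dport 21 -j ACCEPT
}

# Read an `iptables -S INPUT` listing on stdin and print "ok" if the port-21
# ACCEPT for the customer ($2) precedes the port-21 catch-all DROP for the
# server IP ($1), otherwise "bad". Assumes single-host addresses (/32).
check_order() {
    server_ip="$1"; client_ip="$2"
    awk -v s="$server_ip" -v c="$client_ip" '
        /^-A INPUT / && / --dport 21 / && index($0, " -d " s "/32") {
            if (!acc  && index($0, " -j ACCEPT") && index($0, " -s " c "/32")) acc = NR
            if (!drop && index($0, " -j DROP")   && !index($0, " -s "))        drop = NR
        }
        END { r = (acc && drop && acc < drop) ? "ok" : "bad"; print r }'
}

# Dry-run demo with constructed addresses: prints the DROP command, then ACCEPT.
ftp_lockdown 203.0.113.5 192.0.2.10

# Check a constructed `iptables -S INPUT` listing that has the correct order.
printf '%s\n' \
    '-P INPUT ACCEPT' \
    '-A INPUT -s 192.0.2.10/32 -d 203.0.113.5/32 -p tcp -m tcp --dport 21 -j ACCEPT' \
    '-A INPUT -d 203.0.113.5/32 -p tcp -m tcp --dport 21 -j DROP' \
    '-A INPUT -j LOCALINPUT' \
    | check_order 203.0.113.5 192.0.2.10     # prints: ok
```

On the server, after applying the rules, `iptables -S INPUT | check_order <server IP> <customer IP>` should print ok before you save them with `service iptables save` as the post describes. On a CSF host note that `csf -r` flushes and rebuilds the tables, so rules added by hand disappear on the next restart; the two rules then belong in /etc/csf/csfpre.sh, which csf runs before loading its own rules, or should be replaced with csf.allow/csf.deny entries using the port-scoped syntax from post 7.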
  12. furquan

    furquan Well-Known Member

    Joined:
    Jul 27, 2002
    Messages:
    425
    Likes Received:
    0
    Trophy Points:
    16
    Miraenda:

    Thank you very, very much for your detailed response, but I still have one question about your code:

    Code:
    ---------
    /sbin/iptables -I INPUT -d serverdedIP# -p tcp -m tcp --dport 21 -j DROP
    /sbin/iptables -I INPUT -s customerIP# -d serverdedIP# -p tcp -m tcp --dport 21 -j ACCEPT
    ---------

    It does not mention my main concern, one particular domain name that i want to restrict FTP to.

    This restriction should apply to one particular domain on the shared server.

    Am I missing something?
     
  13. Miraenda

    Miraenda Well-Known Member

    Joined:
    Jul 28, 2004
    Messages:
    242
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Coralville, Iowa USA
    I had thought you had a dedicated IP on that domain from your original reply:

    I see now you meant the customer's IP on their local PC is dedicated not that the account on your machine has a dedicated IP.

    If you do not have a dedicated IP on the domain, then what you want to do is not going to be possible. You will need to put that domain on a dedicated IP for this to work.

    There's no way to restrict by domain name in iptables as far as I'm aware properly when multiple hosts are on the same IP (iptables will change any domains into the DNS A record the domain has and thereby basically block the shared IP), so you have to restrict by IP. If you have the domain on a dedicated IP, then you can restrict it and the restriction won't impact any other accounts on the machine on any other IPs (shared IP or other dedicated IPs). If you don't have the domain on a dedicated IP, nothing that I know of will work to easily perform this task.
     
    #13 Miraenda, Aug 6, 2010
    Last edited: Aug 6, 2010
  14. furquan

    furquan Well-Known Member

    Joined:
    Jul 27, 2002
    Messages:
    425
    Likes Received:
    0
    Trophy Points:
    16
    Yes Miraenda:

    The user has a dedicated IP on his end but the account is on a shared server, and I need to restrict that domain to only be accessible via that IP and from nowhere else.

    But i highly appreciate your assistance on this.

    Thank you very much for your response
     
  15. Lyttek

    Lyttek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    770
    Likes Received:
    3
    Trophy Points:
    18
    What Miraenda is saying is that on the shared server, the account in question needs to be on a dedicated IP... so that this single site uses the dedicated IP, not the shared IP.
     
  16. furquan

    furquan Well-Known Member

    Joined:
    Jul 27, 2002
    Messages:
    425
    Likes Received:
    0
    Trophy Points:
    16
    Thank you so much for clarifying that :)
     
  17. furquan

    furquan Well-Known Member

    Joined:
    Jul 27, 2002
    Messages:
    425
    Likes Received:
    0
    Trophy Points:
    16
    Hello once again :D

    I found this thread on WHT, "limit access to a file (or folder) to only 2 IP's - Web Hosting Talk",
    and it says we can restrict folder access to a specific IP address.

    Do you think this will work?
     
  18. Miraenda

    Miraenda Well-Known Member

    Joined:
    Jul 28, 2004
    Messages:
    242
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Coralville, Iowa USA
    This will not work as that's for Apache not for FTP. The access they are talking about is in a browser for Apache access (http). This is why such an access deny wasn't suggested as you are asking for FTP restriction not for Apache restriction.
     
  19. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    Joined:
    Sep 25, 2007
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    It is not possible on a shared server. Even if they have a dedicated IP on your shared server and you block all access to the dedicated IP except from your customer's IP address, anyone can still connect on the shared IP. You would need to set up a custom FTP server that just runs on their dedicated IP address and only allows logins for their user. Then disable FTP access on the shared FTP server.
     