
Overview

ProFTPd© does not automatically reference /etc/hosts.allow or /etc/hosts.deny to restrict access to the FTP service. This document provides an example of how to configure ProFTPd from the command line to use the Host Access Control feature to restrict FTP access by IP address.

Warning:

This document describes an unsupported workaround that is not guaranteed to work in the future.

  • After these steps are performed on a server, it is the system administrator's responsibility to manage and maintain the server's database software.
  • We recommend that only experienced system administrators attempt to perform these steps.
  • We are not responsible for any data loss that is caused by an attempt to perform these steps.

System Requirements:

To configure ProFTPd, you must have the following installed on your server:

  • ProFTPd version 1.3.3 or higher
  • mod_wrap

As the root user, run the following command to confirm that you have the correct version of ProFTPd and mod_wrap installed on your server:

 

proftpd -V | awk '/Version/ {print $0}; /mod_wrap/ {print "mod_wrap is installed"}'

The output will resemble the following:

root@testserver [~]# proftpd -V | awk '/Version/ {print $0}; /mod_wrap/ {print "mod_wrap is installed"}'
  Version: 1.3.5rc1 (devel)
mod_wrap is installed
root@testserver [~]#

Configuration instructions

To configure ProFTPd, perform the following steps as the root user:

Main IP address

  1. Open the /etc/proftpd.conf file with a text editor and add the following lines after the comments:

    TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
    TCPServiceName ftp
  2. Run the following command to restart ProFTPd:

    /scripts/restartsrv_proftpd

    Warning:

    You must specify both /etc/hosts.allow and /etc/hosts.deny or you will receive an error.

  3. Add deny rules and test. When a deny rule matches the client's address, the login attempt will resemble the following:

    root@testserver [~]# ftp 10.1.1.1
    Connected to 10.1.1.1.
    220 ProFTPD 1.3.5rc1 Server (ProFTPD) [::ffff:10.1.1.1]
    Name (10.1.1.1:root): cptest
    331 Password required for cptest
    Password:
    530 Access denied
    ftp: Login failed
    ftp> quit
    221 Goodbye.

Additional IP addresses

Each Virtual Host that requires Access Control will need an entry in the file /etc/proftpd.conf. Add the following lines to each Virtual Host container.

TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
TCPServiceName ftp

The following is an example of a VirtualHost container. 

<VirtualHost 10.1.1.1>
 ServerName ftp.testserver.tld
 AuthUserFile /etc/proftpd/wcraft
 MaxClients 3 "Sorry, this ftp server has reached its maximum user count (%m). Please try again later"
 DirFakeGroup On ftpgroup
 DirFakeUser On ftpuser
 DefaultRoot ~
 TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
 TCPServiceName ftp
[truncated]
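
To confirm that the main server and every VirtualHost container carry both directives, the following added example (not part of the original document or of ProFTPd) audits a configuration file. The function names, the 10.1.1.2 address and the sample input are constructed; directives placed in a <Global> or nested section are not counted.

```shell
# Added example: audit_wrap [CONF] reads a ProFTPd config (stdin if no file given)
# and reports, per context, whether both mod_wrap directives are present.
audit_wrap() {
  awk '
    function report(ctx, files, svc) {
      if (files == 2 && svc) { print ctx ": ok"; return }
      bad = 1
      if (files != 2) print ctx ": TCPAccessFiles must name both an allow and a deny file"
      if (!svc) print ctx ": TCPServiceName is not set"
    }
    /^[ \t]*#/ { next }        # skip comment lines
    { key = tolower($1) }      # first token, compared case-insensitively
    key ~ /^<\// {             # closing tag of any section
      if (--depth == 0 && invh) { report(name, vf, vs); invh = 0 }
      next
    }
    key ~ /^</ {               # opening tag of any section
      if (++depth == 1 && key == "<virtualhost") {
        invh = 1; vf = 0; vs = 0
        name = $0; gsub(/^[ \t]*<|>[ \t]*$/, "", name)
      }
      next
    }
    # Count only directives set directly in the server config or a VirtualHost.
    key == "tcpaccessfiles" { if (depth == 0) mf = NF - 1; else if (invh && depth == 1) vf = NF - 1 }
    key == "tcpservicename" { if (depth == 0) ms = 1; else if (invh && depth == 1) vs = 1 }
    END {
      if (invh) report(name " (not closed)", vf, vs)
      report("server config", mf, ms)
      exit bad + 0
    }
  ' "${1:--}"
}
# Constructed sample config; the second VirtualHost is incomplete on purpose.
sample_conf() {
  cat <<'EOF'
TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
TCPServiceName ftp
<VirtualHost 10.1.1.1>
 TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
 TCPServiceName ftp
</VirtualHost>
<VirtualHost 10.1.1.2>
 TCPAccessFiles /etc/hosts.allow
</VirtualHost>
EOF
}

sample_conf | audit_wrap || echo "audit failed: fix the contexts listed above"
```

Run it against the live file with `audit_wrap /etc/proftpd.conf`; a non-zero exit status means at least one context lacks the directives.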
