
How do you restrict a vsftp user account to only be able to ftp from an internal LAN but not external

I have a CentOS server using vsftp and need to allow 1 ftp user account to only have access from the internal network but not from outside. How can I do this????
I have looked at vsftp.conf and do not see any way to accomplish this !!! HELP


Thanks
Andy
Asked: andrew_89
1 Solution
 
pjedmond commented:
With respect to someone only having access from the internal network, that is a firewall issue. Merely REJECT or DROP packets to port 23 (the ftp port) if the packet is not from inside the network. That's why you don't see any way to accomplish it in your vsftp.conf file.

With respect to a single user account for vsftp, here goes: see

http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/ref-guide/s1-ftp-vsftpd-conf.html

for details.

You need to change the defaults to:

anonymous_enable=NO
# Only the names in /etc/vsftpd.user_list are allowed to log in.
# userlist_deny=NO only takes effect when userlist_enable=YES.
userlist_enable=YES
userlist_deny=NO
# Change /etc/vsftpd.user_list to contain the 1 name you want to allow.
# This name needs to be a local user account.
# (vsftpd does not accept a comment after a value, so comments go on their own lines.)

You may wish to enable some of the chroot options, depending on your exact requirements.

HTH:)

 
xDamox commented:
Hi,

pjedmond is correct, you will want to block access via the firewall; however, the port is 21. To do this, as root
type:

lokkit

This will bring up a text GUI for setting up your firewall. Go to Customize and you will get a new screen;
untick FTP if it's already ticked, select OK, then OK again, and you're good to go.
 
pjedmond commented:
Oops - /me cringes with embarrassment! - Of course it's port 21! - Port 23 is telnet!

Sorry for the confusion!
 
andrew_89 (Author) commented:
You are both correct, but I apologize for not being more clear on what I am trying to do....


I have an existing ftp server with several thousand accounts. They are all chrooted, but here is the dilemma:

In someone's infinite wisdom they created an account with access to the root of the ftp folder structure some time ago. Apparently many people have the password for this account. The powers that be want to keep this one account but only allow ftp access from inside our network. You can't do this from a firewall, as we are talking about only blocking 1 ftp user account, not the protocol or ports.

I know this is odd but can it be done????
 
andrew_89 (Author) commented:
Okay, I found how to do this by adding a line in the /etc/security/access.conf file. But the line does not seem to be filtering. It works on another existing box. Do you have to restart the service or something?
 
andrew_89 (Author) commented:
I will answer my own question for solution:

Add an entry into the /etc/pam.d/vsftp file to enforce login rules in the access.conf file. After you add this line, it all works great.....

 
andrew_89 (Author) commented:

oh and sorry the line in /etc/pam.d/vsftp is:
account    required pam_access.so

The other entry in access.conf will depend on what you are filtering, but for example:

-:testuser:ALL EXCEPT 10. 192.168. (only allows this user to ftp from 10.x.x.x. and 192.168.x.x. denies everything else)
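As an added illustration (not code from the thread), a small Python model of the pam_access(8) matching rules that the final answer relies on: the first matching rule wins, EXCEPT carves exceptions out of a list, a trailing-dot entry matches an address prefix, and no matching rule means access is granted. The access.conf text below is constructed; its rule line is the one from the answer.

```python
# Constructed sample access.conf; the rule is the one given in the answer.
SAMPLE_ACCESS_CONF = """
# allow testuser only from the two internal ranges
-:testuser:ALL EXCEPT 10. 192.168.
"""


def _token_matches(token, value):
    """Match one list entry against a user name or an IPv4 origin string."""
    if token == "ALL":
        return True
    if token.endswith("."):          # network prefix written as "10." or "192.168."
        return value.startswith(token)
    return token == value


def _list_matches(field, value):
    """Evaluate a space-separated list with an optional 'EXCEPT' clause."""
    items = field.split()
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        base, exceptions = items[:i], items[i + 1:]
    else:
        base, exceptions = items, []
    return (any(_token_matches(t, value) for t in base)
            and not any(_token_matches(t, value) for t in exceptions))


def parse_access_conf(text):
    """Return (allow, users_field, origins_field) tuples, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (part.strip() for part in line.split(":", 2))
        rules.append((perm == "+", users, origins))
    return rules


def is_allowed(rules, user, origin):
    """First matching rule decides; pam_access grants access when none matches."""
    for allow, users, origins in rules:
        if _list_matches(users, user) and _list_matches(origins, origin):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for who, where in [("testuser", "10.1.2.3"), ("testuser", "203.0.113.5")]:
        print(who, where, "allowed" if is_allowed(rules, who, where) else "denied")
```

Because "10." is a plain string prefix, an origin such as 100.1.1.1 does not match it, which is the same behaviour pam_access gives a trailing-dot entry.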
