How do you restrict a vsftp user account to only be able to ftp from an internal LAN but not external

Posted on 2006-06-08
Last Modified: 2007-12-19
I have a Centos server using vsftp and need to allow 1 ftp user account to only have access from the internal network but not from outside. How can I do this????
I have looked at vsftp.conf and do not see any way to accomplish this !!! HELP

Question by:andrew_89
    LVL 22

    Accepted Solution

    With respect to someone only having access from the internal network, that is a firewall issue. Merely REJECT or DROP packets to port 23 (the ftp port) if the packet is not from inside the network. That's why you don't see any way to accomplish it in your vsftp.conf file.

    With respect to a single user account for vsftp here goes:

    for details.

    You need to change the defaults to:

    # vsftpd.conf does not allow trailing comments on an option line, so the
    # notes are on their own lines. userlist_enable must be YES or
    # userlist_deny has no effect.
    userlist_enable=YES
    # This means that ONLY the names in /etc/vsftpd.user_list are allowed to login.
    # Change /etc/vsftpd.user_list to have the 1 name you want to allow.
    # This name needs to be a local user account.
    userlist_deny=NO

    You may wish to enable some of the chroot options, depending on your exact requirements.


    LVL 16

    Expert Comment


    pjedmond is correct, you will want to block access via the firewall; however, the port is 21. To do this, as root:


    This will bring up a text GUI for setting up your firewall. Go to Customize and you will get a new screen;
    untick FTP if it's already ticked, select OK, then OK again, and you're good to go.
    LVL 22

    Expert Comment

    Oops - /me cringes with embarrassment! - Of course it's port 21! - Port 23 is telnet!

    Sorry for the confusion!
    LVL 1

    Author Comment

    You are both correct, but I apologize for not being more clear on what I am trying to do....

    I have an existing ftp server with several thousand accounts. They are all chrooted, but here is the dilemma:

    In someone's infinite wisdom, they created an account with access to the root of the ftp folder structure some time ago. Apparently many people have the password for this account. The powers that be want to keep this one account but only allow ftp access from inside our network. You can't do this from a firewall, as we are talking about only blocking 1 ftp user account, not the protocol or ports.

    I know this is odd but can it be done????
    LVL 1

    Author Comment

    Okay, I found how to do this by adding a line in the /etc/security/access.conf file. But the line does not seem to be filtering. It works on another existing box. Do you have to restart the service or something?
    LVL 1

    Author Comment

    I will answer my own question for solution:

    Add an entry into the /etc/pam.d/vsftp file to enforce login rules in the access.conf file. After you add this line, it all works great.....

    LVL 1

    Author Comment


    Oh, and sorry, the line in /etc/pam.d/vsftp is:

    # pam_access is the module that enforces /etc/security/access.conf
    account    required    pam_access.so

    The other entry in access.conf will depend on what you are filtering, but for example:

    -:testuser:ALL EXCEPT 10. 192.168.

    (only allows this user to ftp from 10.x.x.x and 192.168.x.x; denies everything else)
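
The following is an added example, not part of the thread and not the pam_access code itself. It emulates how pam_access(8) evaluates the access.conf rule posted above so you can see which source addresses the rule lets through before touching a production box: ALL, EXCEPT, exact IPv4 addresses, the dotted network-prefix form used in the thread ("10."), and, going beyond the thread, CIDR notation ("10.0.0.0/8"). Hostname, tty, LOCAL and group matching are left out. The account names (testuser, otheruser), the client addresses and the embedded access.conf text are all constructed for the example; the address fed in stands for what vsftpd hands PAM as PAM_RHOST. Note the prefix form matches on the string, so "10." stops "100.64.0.1" (the third character is '.' versus '0'), and that pam_access allows the login when no line matches at all.

```python
"""Emulate the pam_access(8) decision for the access.conf rule from the thread.

Added example, not part of the original thread or of pam_access. Implements
the subset of pam_access matching relevant here: ALL, EXCEPT, exact IPv4
address, dotted network prefix ("10." style) and CIDR notation. Hostname,
tty, LOCAL and group matching are omitted. pam_access semantics preserved:
the first matching line decides, and no matching line means allow.
"""
import ipaddress

# Constructed configuration mirroring what the thread ends up with.
# /etc/pam.d/vsftpd (whatever file vsftpd.conf's pam_service_name points at):
#     account    required     pam_access.so
# /etc/security/access.conf:
ACCESS_CONF = """
# permission : users : origins
-:testuser:ALL EXCEPT 10. 192.168.
"""


def _split_list(field):
    """Split a users/origins field into (items, except_items)."""
    parts = field.split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        return parts[:i], parts[i + 1:]
    return parts, []


def parse_access_conf(text):
    """Return a list of (permit, (users, users_except), (origins, origins_except))."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0] == "+", _split_list(fields[1]), _split_list(fields[2])))
    return rules


def _user_matches(item, user):
    return item == "ALL" or item == user


def _origin_matches(item, origin):
    """Match one origins token against the client address vsftpd hands to PAM (PAM_RHOST)."""
    if item == "ALL":
        return True
    if "/" in item:                       # CIDR form, e.g. 10.0.0.0/8
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(item, strict=False)
        except ValueError:                # origin is not an IP literal
            return False
    if item.endswith("."):                # dotted prefix: "10." matches 10.x.x.x but not 100.x.x.x
        return origin.startswith(item)
    return origin == item                 # exact address


def _list_matches(items, excepts, value, match_one):
    """pam_access list rule: a hit before EXCEPT counts unless something after EXCEPT also hits."""
    if not any(match_one(x, value) for x in items):
        return False
    return not any(match_one(x, value) for x in excepts)


def access_decision(rules, user, origin):
    """True if login is permitted. The first line whose users and origins both match decides."""
    for permit, (users, users_except), (origins, origins_except) in rules:
        if (_list_matches(users, users_except, user, _user_matches)
                and _list_matches(origins, origins_except, origin, _origin_matches)):
            return permit
    return True                           # pam_access default when nothing matches


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    # Constructed sample logins: (account, client address as seen by vsftpd)
    for user, origin in [("testuser", "10.1.2.3"), ("testuser", "192.168.5.9"),
                         ("testuser", "203.0.113.7"), ("testuser", "100.64.0.1"),
                         ("otheruser", "203.0.113.7")]:
        verdict = "allow" if access_decision(rules, user, origin) else "deny"
        print(f"{user:10s} from {origin:14s} -> {verdict}")
```

On a real server the check that matters is the one the thread itself ran into: the `account required pam_access.so` line has to be in the PAM service file vsftpd actually uses (the name set by pam_service_name in vsftpd.conf), otherwise access.conf is never consulted and every source address is allowed. Verify from one external and one internal address while keeping an existing admin session open, and watch the auth log for the pam_access denial before relying on it.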
