andrew_89 asked:

How do you restrict a vsftpd user account to only be able to FTP from an internal LAN but not from outside?

I have a CentOS server using vsftpd and need to allow one FTP user account to have access only from the internal network, not from outside. How can I do this?
I have looked at vsftpd.conf and do not see any way to accomplish this! HELP


Thanks
Andy
ASKER CERTIFIED SOLUTION
pjedmond (United Kingdom)

Hi,

pjedmond is correct, you will want to block access via the firewall; however, the port is 21. To do this, as root,
type:

lokkit

This will bring up a text GUI for setting up your firewall. Go to Customize and you will get a new screen;
untick FTP if it's already ticked and select OK, then OK again, and you're good to go.
Oops - /me cringes with embarrassment! - Of course it's port 21! - Port 23 is telnet!

Sorry for the confusion!
andrew_89 (ASKER):

You are both correct, but I apologize for not being more clear on what I am trying to do.


I have an existing FTP server with several thousand accounts. They are all chrooted, but here is the dilemma:

In someone's infinite wisdom, an account with access to the root of the FTP folder structure was created some time ago. Apparently many people have the password for this account. The powers that be want to keep this one account but only allow FTP access from inside our network. You can't do this from a firewall, as we are talking about blocking only one FTP user account, not the protocol or ports.

I know this is odd, but can it be done?
Okay, I found how to do this by adding a line in the /etc/security/access.conf file. But the line does not seem to be filtering. It works on another existing box. Do you have to restart the service or something?
I will answer my own question with the solution:

Add an entry to the /etc/pam.d/vsftp file to enforce the login rules in the access.conf file. After you add this line, it all works great.


Oh, and sorry, the line in /etc/pam.d/vsftp is:
account    required pam_access.so

The other entry in access.conf will depend on what you are filtering, but for example:

-:testuser:ALL EXCEPT 10. 192.168.

(This only allows this user to FTP from 10.x.x.x and 192.168.x.x and denies everything else.)
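To show why the access.conf rule above behaves as described, here is an added example (not part of the original thread, and not code from vsftpd or Linux-PAM): a small Python evaluator that follows pam_access.so's rule semantics for the subset of syntax the post uses. It parses a constructed access.conf text containing the rule from the post plus a deliberately broken variant, and answers whether a given (user, client address) pair would be permitted. The user "testuser" is from the post; "alice", "badrule" and all addresses are constructed for the example (203.0.113.x is a documentation range). Group tokens (@name), address/netmask origins and the finer points of LOCAL are not implemented.

```python
"""
Toy evaluator for the subset of /etc/security/access.conf syntax used in this
thread, following pam_access.so semantics:

  permission:users:origins      ('+' permit, '-' deny)
  * the first rule whose users list AND origins list both match decides
  * ALL matches anything; EXCEPT negates the remainder of a list
  * an origin ending in '.'   is a network prefix  (e.g. "10.", "192.168.")
  * an origin starting with '.' is a domain suffix (e.g. ".example.com")
  * anything else is compared as an exact host name / address
  * if no rule matches, pam_access permits

Not implemented (simplification for this example): @group and (group)
tokens, LOCAL beyond a no-dot check, and address/netmask origins.
"""
from typing import Callable, List, Tuple

# Constructed sample config, not copied from a real host.
# Rule 1 is the rule from the post. Rule 2 (user "badrule") shows a common
# mistake: without the trailing dot, "10" is an exact-match token, so it never
# matches an address like 10.1.2.3 and internal clients get denied too.
SAMPLE_ACCESS_CONF = """
# /etc/security/access.conf  -  permission:users:origins
-:testuser:ALL EXCEPT 10. 192.168.
-:badrule:ALL EXCEPT 10 192.168
"""

Rule = Tuple[str, List[str], List[str]]
MatchFn = Callable[[str, str], bool]


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf text into (permission, user_tokens, origin_tokens)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        perm, users, origins = fields
        rules.append((perm, users.split(), origins.split()))
    return rules


def user_matches(token: str, user: str) -> bool:
    if token == "ALL":
        return True
    if token.startswith(("@", "(")):
        raise NotImplementedError("group tokens are outside this example")
    return token == user


def origin_matches(token: str, rhost: str) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":             # pam_access: an origin with no '.' (tty, bare host)
        return "." not in rhost
    if token.endswith("."):          # network prefix: "10." matches 10.x.x.x only
        return rhost.startswith(token)
    if token.startswith("."):        # domain suffix
        return rhost.endswith(token)
    return rhost == token            # exact host name or address


def list_matches(tokens: List[str], value: str, match_fn: MatchFn) -> bool:
    """pam_access list_match(): scan until EXCEPT or the first match; a match
    then holds only if the tokens after EXCEPT do not match (recursively)."""
    i = 0
    matched = False
    while i < len(tokens):
        if tokens[i].upper() == "EXCEPT":
            break
        if match_fn(tokens[i], value):
            matched = True
            break
        i += 1
    if not matched:
        return False
    while i < len(tokens) and tokens[i].upper() != "EXCEPT":
        i += 1                       # skip forward to EXCEPT, if present
    if i >= len(tokens):
        return True                  # matched, no exceptions listed
    return not list_matches(tokens[i + 1:], value, match_fn)


def access_decision(rules: List[Rule], user: str, rhost: str) -> bool:
    """True if pam_access would permit `user` logging in from `rhost`."""
    for perm, users, origins in rules:
        if list_matches(users, user, user_matches) and \
           list_matches(origins, rhost, origin_matches):
            return perm == "+"
    return True                      # no rule matched: default permit


def check(user: str, rhost: str, conf: str = SAMPLE_ACCESS_CONF) -> bool:
    return access_decision(parse_access_conf(conf), user, rhost)


if __name__ == "__main__":
    for u, h in [("testuser", "10.1.2.3"), ("testuser", "192.168.5.6"),
                 ("testuser", "203.0.113.7"), ("alice", "203.0.113.7"),
                 ("testuser", "100.64.1.1"), ("badrule", "10.1.2.3")]:
        print(f"{u:9s} from {h:13s} -> {'permit' if check(u, h) else 'DENY'}")
```

Running it shows testuser permitted from 10.1.2.3 and 192.168.5.6, denied from 203.0.113.7 and from 100.64.1.1 (the trailing dot in "10." keeps 100.x out), every other account untouched because no rule names them, and the "badrule" variant denying even internal clients. Two points the evaluator cannot model but a practitioner should check on the real box: the rule does nothing until the service's PAM file carries the pam_access.so account line (the thread's /etc/pam.d/vsftp; confirm the file name against pam_service_name in vsftpd.conf), and pam_access compares the origins field against PAM_RHOST, which vsftpd fills with the client address as the server sees it, so NAT or a proxy in front of the server changes what the rule matches. Restricting the origin also does nothing about the widely shared password itself.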