How do you restrict a vsftp user account to only bbe able to ftp from an internal lan but not external

I have a Centos server using vsftp and need to allow 1 ftp user account to only have access from the internal network but not from outside. How can I do this????
I have looked at vsftp.conf and do not see any way to accomplish this !!! HELP

Who is Participating?
pjedmondConnect With a Mentor Commented:
With respect to someone only having access from the internal network, that is a firewall issue. Merely REJECT or DROP packets to port 23 (the ftp port) if the packet is not from inside the network. That's why you don't see any way to accomplish it in your vsftp.conf file.

With respect to a single user account for vsftp here goes:

for details.

You need to change the defaults to:

userlist_deny=NO            #This means that ONLY the names in /etc/vsftpd.user_list are allowed to login
                                     #Change the /etc/vsftpd.user_list to have the 1 name you want to allow.
                                     #This name needs to be a local user account

You may wish to enable some of the chroot options? depending on your exact requirements.



pjedmond is correct you will want to block access via the firewall however the port is 21 to do this as root


this will bring up a txt GUI for setting up your firewall, go to customize and you will get a new screen
untick FTP if its already ticked and select ok then ok again and your good to go.
Oops -/me cringes with embarassment! - Of course its port 21! - Port 23 is telnet!

Sorry for the confusion!
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

andrew_89Author Commented:
You are both correct but I appologize for not being more clear on what I am trying to do....

I have an existing ftp server with several thousand accounts. They are all chrooted but here is the dilema::

In someones infinite wisdom they create an account with access to the root of the ftp folder structure some time ago. Apparently many people have the password for this account. The powers that be want to keep this one account but only allow ftp access from inside our network .. You can't do this from a firewall as we are talking about only blocking 1 ftp user account, not the protocol or ports.

I know this is odd but can it be done????
andrew_89Author Commented:
Okay I found how to do this by adding a line in /etc/security/access.conf file. But the line does not seem to be filetering. It works on another existing box. Do you have to restart the service or something.
andrew_89Author Commented:
I will answer my own question for solution:

Add an entry into the /etc/pam.d/vsftp file to enforce login rules in the access.conf file. After you add this line, it all works great.....

andrew_89Author Commented:

oh and sorry the line in /etc/pam.d/vsftp is:
account    required

the other entry in access.conf will depend on what you are filtering but example:

-:testuser:ALL EXCEPT 10. 192.168. (only allows this user to ftp from 10.x.x.x. and 192.168.x.x. denies everything else)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.