PureFTP - Restrict virtual user account IP address

I've installed PureFTP and created a virtual user account, and can successfully login.

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser

Now I'd like to restrict access for the new user by IP. The docs say you can do this using the -r flag.  So I deleted the account (restarted, etc...) and recreated the account using a list of single IP's:

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r xxx.xx.xxx.xx,xx.xx,xxx,xx

But when I test the account:

         ftp localhost
         Name (localhost:user): myvirtualuser
         Password:   xxxxxxx
     
The result is always 530 authentication failed
Login failed

Can anyone spot what I'm doing wrong? (Btw, I'm relatively new to linux.)
LVL 53
_agx_Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
MazdajaiConnect With a Mentor Commented:
It works when with users in /etc/passwd, via Unix authentication. However, I could not find the reference of authentication in the documentation or the config file -
 UnixAuthentication            yes

Open in new window

0
 
MazdajaiCommented:
What is the exact command you enter and the source ip you are trying to test?

-r and -R are handy to restrict where the user can connect from. They can be
followed by a simple IP/mask pair (-r 192.168.1.0/24), multiple pairs
separated by a coma (-r 192.168.1.0/24,10.1.0.0/16,127.0.0.1/32), single IPs
(-r 192.168.1.4,10.1.1.5), host names (-r bla.bla.net,yopcitron.com), or any
combination of those.

Open in new window

0
 
_agx_Author Commented:
It's the same as what I posted above, but with a list of ip's like this:

pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72,10.4.4.4

Open in new window


I also tried it with a single IP address (and host name). Same result.

pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72

Open in new window


The ip's are definitely valid and accessible. Since it worked no problem, without the "-r" flag I was thinking the syntax is off?
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
MazdajaiCommented:
Can you post the output of the following?

pure-pw show myvirtualuser

Open in new window

0
 
_agx_Author Commented:
Login           : myvirtualuser
Password      : xxxxxxxxxx
UID            : 500 (mysystemuser)
GID            : 500 (mysystemgroup)
Directory      : /home/ftpusers/myvirtualuser/./
Full name      :
Download bandwidth      : 0Kb (unlimited)
Upload bandwidth      : 0Kb (unlimited)
Max files      : 0 (unlimited)
Max size      : 0 Mb (unlimited)
Ratio            : 0:0 (unlimited:unlimited)
Allowed local IPs      :
Denied local IPs      :
Allowed client IPs: 192.168.0.72,10.4.4.4
Denied client IPs:  
....
0
 
MazdajaiCommented:
The configuration looks correct. What ip address are you connecting from?

Can you check the log for pure-ftp?
0
 
_agx_Author Commented:
My initial tests were from localhost (ie ssh'd into box hosting ftp server, from 192.168.0.72) just to verify the login worked, ie:

      ftp localhost

Should the account be able to connect from localhost? I'd need to double check, but think I also tried adding "-i localhost,127.0.0.1" to the args, but same result: 530

pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72,10.4.4.4 -i localhost,127.0.0.1

Open in new window

0
 
MazdajaiCommented:
It should. Have you try to put the addresses in the 'Allowed local IPs ' directive? I can try it in my lab this evening.
0
 
_agx_Author Commented:
Yeah, I think I tried both options "-r" (with remote addresses) and "-i" (local addresses), but it's always possible I made a mistake somewhere.  I'll double check it later tonight or tomorrow.
0
 
MazdajaiCommented:
Hi agx,

I am seeing the same error in my lab with the error - '530 authentication failed' without the ip filter option. I will look into more today and let you know my findings.
0
 
_agx_Author Commented:
So does that mean it worked for you with a filter? If so, what was the successful configuration?
0
 
_agx_Author Commented:
Yeah, I'd read about that setting in the tutorial I used, so I think it was already enabled , but I'll double check. What's weird is the virtual account IS linked to a regular linux user so it should work.  Not sure why it doesn't ...

I'm working on another task right now, but will try this in the next few days.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.