Solved

PureFTP - Restrict virtual user account IP address

Posted on 2014-04-08
12
702 Views
Last Modified: 2014-06-04
I've installed PureFTP and created a virtual user account, and can successfully login.

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser

Now I'd like to restrict access for the new user by IP. The docs say you can do this using the -r flag.  So I deleted the account (restarted, etc...) and recreated the account using a list of single IP's:

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r xxx.xx.xxx.xx,xx.xx,xxx,xx

But when I test the account:

         ftp localhost
         Name (localhost:user): myvirtualuser
         Password:   xxxxxxx
     
The result is always 530 authentication failed
Login failed

Can anyone spot what I'm doing wrong? (Btw, I'm relatively new to linux.)
0
Comment
Question by:_agx_
  • 6
  • 6
12 Comments
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987709
What is the exact command you enter and the source ip you are trying to test?

-r and -R are handy to restrict where the user can connect from. They can be
followed by a simple IP/mask pair (-r 192.168.1.0/24), multiple pairs
separated by a coma (-r 192.168.1.0/24,10.1.0.0/16,127.0.0.1/32), single IPs
(-r 192.168.1.4,10.1.1.5), host names (-r bla.bla.net,yopcitron.com), or any
combination of those.

Open in new window

0
 
LVL 52

Author Comment

by:_agx_
ID: 39987726
It's the same as what I posted above, but with a list of ip's like this:

pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72,10.4.4.4

Open in new window


I also tried it with a single IP address (and host name). Same result.

pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72

Open in new window


The ip's are definitely valid and accessible. Since it worked no problem, without the "-r" flag I was thinking the syntax is off?
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987731
Can you post the output of the following?

pure-pw show myvirtualuser

Open in new window

0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 52

Author Comment

by:_agx_
ID: 39987759
Login           : myvirtualuser
Password      : xxxxxxxxxx
UID            : 500 (mysystemuser)
GID            : 500 (mysystemgroup)
Directory      : /home/ftpusers/myvirtualuser/./
Full name      :
Download bandwidth      : 0Kb (unlimited)
Upload bandwidth      : 0Kb (unlimited)
Max files      : 0 (unlimited)
Max size      : 0 Mb (unlimited)
Ratio            : 0:0 (unlimited:unlimited)
Allowed local IPs      :
Denied local IPs      :
Allowed client IPs: 192.168.0.72,10.4.4.4
Denied client IPs:  
....
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987780
The configuration looks correct. What ip address are you connecting from?

Can you check the log for pure-ftp?
0
 
LVL 52

Author Comment

by:_agx_
ID: 39988451
My initial tests were from localhost (ie ssh'd into box hosting ftp server, from 192.168.0.72) just to verify the login worked, ie:

      ftp localhost

Should the account be able to connect from localhost? I'd need to double check, but think I also tried adding "-i localhost,127.0.0.1" to the args, but same result: 530

pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72,10.4.4.4 -i localhost,127.0.0.1

Open in new window

0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39996066
It should. Have you try to put the addresses in the 'Allowed local IPs ' directive? I can try it in my lab this evening.
0
 
LVL 52

Author Comment

by:_agx_
ID: 39996371
Yeah, I think I tried both options "-r" (with remote addresses) and "-i" (local addresses), but it's always possible I made a mistake somewhere.  I'll double check it later tonight or tomorrow.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 40008915
Hi agx,

I am seeing the same error in my lab with the error - '530 authentication failed' without the ip filter option. I will look into more today and let you know my findings.
0
 
LVL 52

Author Comment

by:_agx_
ID: 40018189
So does that mean it worked for you with a filter? If so, what was the successful configuration?
0
 
LVL 21

Accepted Solution

by:
Mazdajai earned 500 total points
ID: 40024071
It works when with users in /etc/passwd, via Unix authentication. However, I could not find the reference of authentication in the documentation or the config file -
 UnixAuthentication            yes

Open in new window

0
 
LVL 52

Author Comment

by:_agx_
ID: 40042544
Yeah, I'd read about that setting in the tutorial I used, so I think it was already enabled , but I'll double check. What's weird is the virtual account IS linked to a regular linux user so it should work.  Not sure why it doesn't ...

I'm working on another task right now, but will try this in the next few days.
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Using SSH Through A Bastion Host Transparently (Is the topic) 1 54
Can't See Site After DNS Resolved 7 55
SonarQube on Linux vs Windows 3 27
CENTOS DHCP Server / PXE/TFTP 14 77
I am a long time windows user and for me it is normal to have spaces in directory and file names. Changing to Linux I found myself frustrated when I moved my windows data over to my new Linux computer. The problem occurs when at the command line.…
Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question