PureFTP - Restrict virtual user account IP address

Posted on 2014-04-08
876 Views
Last Modified: 2014-06-04
I've installed PureFTP and created a virtual user account, and can successfully log in.

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser

Now I'd like to restrict access for the new user by IP. The docs say you can do this using the -r flag. So I deleted the account (restarted, etc.) and recreated the account using a list of single IPs:

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r xxx.xx.xxx.xx,xx.xx,xxx,xx

But when I test the account:

     ftp localhost
     Name (localhost:user): myvirtualuser
     Password:   xxxxxxx

the result is always:

     530 authentication failed
     Login failed

Can anyone spot what I'm doing wrong? (Btw, I'm relatively new to Linux.)
Question by:_agx_
12 Comments
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987709
What is the exact command you enter and the source ip you are trying to test?

     -r and -R are handy to restrict where the user can connect from. They can be
     followed by a simple IP/mask pair (-r 192.168.1.0/24), multiple pairs
     separated by a comma (-r 192.168.1.0/24,10.1.0.0/16,127.0.0.1/32), single IPs
     (-r 192.168.1.4,10.1.1.5), host names (-r bla.bla.net,yopcitron.com), or any
     combination of those.

0
 
LVL 52

Author Comment

by:_agx_
ID: 39987726
It's the same as what I posted above, but with a list of IPs like this:

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72,10.4.4.4

I also tried it with a single IP address (and host name). Same result.

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72

The IPs are definitely valid and accessible. Since it worked with no problem without the "-r" flag, I was thinking the syntax is off?
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987731
Can you post the output of the following?

     pure-pw show myvirtualuser

0
 
LVL 52

Author Comment

by:_agx_
ID: 39987759
     Login                   : myvirtualuser
     Password                : xxxxxxxxxx
     UID                     : 500 (mysystemuser)
     GID                     : 500 (mysystemgroup)
     Directory               : /home/ftpusers/myvirtualuser/./
     Full name               :
     Download bandwidth      : 0Kb (unlimited)
     Upload bandwidth        : 0Kb (unlimited)
     Max files               : 0 (unlimited)
     Max size                : 0 Mb (unlimited)
     Ratio                   : 0:0 (unlimited:unlimited)
     Allowed local IPs       :
     Denied local IPs        :
     Allowed client IPs      : 192.168.0.72,10.4.4.4
     Denied client IPs       :
     ....
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987780
The configuration looks correct. What IP address are you connecting from?

Can you check the log for pure-ftp?
0
 
LVL 52

Author Comment

by:_agx_
ID: 39988451
My initial tests were from localhost (i.e. SSH'd into the box hosting the FTP server, from 192.168.0.72) just to verify the login worked, i.e.:

      ftp localhost

Should the account be able to connect from localhost? I'd need to double check, but I think I also tried adding "-i localhost,127.0.0.1" to the args, with the same result: 530

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72,10.4.4.4 -i localhost,127.0.0.1

0
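To see how a client-IP filter interacts with a test run as `ftp localhost`, here is an added example (not code from the thread or from Pure-FTPd) that implements a matcher for restriction lists in the syntax quoted above: IP/mask pairs, single IPs and host names, separated by commas. It assumes the usual semantics that a denied entry wins, that a non-empty allowed list must be matched, and that a host name resolves to a single address; the `resolve` parameter is injectable so it runs offline.

```python
import ipaddress
import socket
from typing import Callable

# hostname -> dotted-quad string; injectable so the example runs offline
Resolver = Callable[[str], str]


def parse_restriction(spec: str, resolve: Resolver = socket.gethostbyname):
    """Parse a pure-pw style list such as '192.168.1.0/24,10.1.1.5,bla.bla.net'
    into ip_network objects. A bare IP becomes a /32 (or /128); anything that is
    not an IP or IP/mask is treated as a host name and resolved (assumption:
    one address per host). An empty spec means 'no restriction'."""
    networks = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            networks.append(ipaddress.ip_network(resolve(item)))
    return networks


def client_allowed(client_ip: str, allowed_spec: str, denied_spec: str = "",
                   resolve: Resolver = socket.gethostbyname) -> bool:
    """Assumed semantics (not checked against the Pure-FTPd source): a client
    matching any denied entry is rejected; when an allowed list is set, the
    client must match at least one of its entries; an empty list allows all.
    Mixed IPv4/IPv6 comparisons simply never match."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in parse_restriction(denied_spec, resolve)):
        return False
    allowed = parse_restriction(allowed_spec, resolve)
    return not allowed or any(addr in net for net in allowed)


def explain_login(client_ip: str, allowed_spec: str) -> str:
    """Verdict for the thread's situation: 'ftp localhost' arrives from
    127.0.0.1, which is not in the account's allowed client IPs."""
    if client_allowed(client_ip, allowed_spec):
        return f"{client_ip}: matches '{allowed_spec}', filter passes"
    return f"{client_ip}: not in '{allowed_spec}', expect 530"


if __name__ == "__main__":
    ALLOWED = "192.168.0.72,10.4.4.4"  # the list shown by pure-pw show above
    for ip in ("127.0.0.1", "192.168.0.72", "10.4.4.5"):
        print(explain_login(ip, ALLOWED))
```

A loopback test therefore exercises the filter with source 127.0.0.1, so checking the server log for the actual source address is the quickest way to tell a filter rejection from an authentication-backend failure.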
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39996066
It should. Have you tried putting the addresses in the 'Allowed local IPs' directive? I can try it in my lab this evening.
0
 
LVL 52

Author Comment

by:_agx_
ID: 39996371
Yeah, I think I tried both options "-r" (with remote addresses) and "-i" (local addresses), but it's always possible I made a mistake somewhere.  I'll double check it later tonight or tomorrow.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 40008915
Hi agx,

I am seeing the same error in my lab, '530 authentication failed', without the IP filter option. I will look into it more today and let you know my findings.
0
 
LVL 52

Author Comment

by:_agx_
ID: 40018189
So does that mean it worked for you with a filter? If so, what was the successful configuration?
0
 
LVL 21

Accepted Solution

by: Mazdajai (earned 2000 total points)
ID: 40024071
It works with users in /etc/passwd, via Unix authentication. However, I could not find the reference to this authentication in the documentation or the config file:

     UnixAuthentication            yes

0
 
LVL 52

Author Comment

by:_agx_
ID: 40042544
Yeah, I'd read about that setting in the tutorial I used, so I think it was already enabled, but I'll double check. What's weird is the virtual account IS linked to a regular Linux user, so it should work. Not sure why it doesn't ...

I'm working on another task right now, but will try this in the next few days.
0
