Solved

PureFTP - Restrict virtual user account IP address

Posted on 2014-04-08
Last Modified: 2014-06-04
I've installed PureFTP and created a virtual user account, and can successfully log in.

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser

Now I'd like to restrict access for the new user by IP. The docs say you can do this using the -r flag. So I deleted the account (restarted, etc...) and recreated the account using a list of single IPs:

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r xxx.xx.xxx.xx,xx.xx,xxx,xx

But when I test the account:

         ftp localhost
         Name (localhost:user): myvirtualuser
         Password:   xxxxxxx
     
The result is always 530 authentication failed
Login failed

Can anyone spot what I'm doing wrong? (Btw, I'm relatively new to linux.)
0
Question by:_agx_
12 Comments
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987709
What is the exact command you enter and the source ip you are trying to test?

-r and -R are handy to restrict where the user can connect from. They can be
followed by a simple IP/mask pair (-r 192.168.1.0/24), multiple pairs
separated by a comma (-r 192.168.1.0/24,10.1.0.0/16,127.0.0.1/32), single IPs
(-r 192.168.1.4,10.1.1.5), host names (-r bla.bla.net,yopcitron.com), or any
combination of those.


0
 
LVL 52

Author Comment

by:_agx_
ID: 39987726
It's the same as what I posted above, but with a list of IPs like this:

pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72,10.4.4.4



I also tried it with a single IP address (and host name). Same result.

pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72



The IPs are definitely valid and accessible. Since it worked no problem without the "-r" flag, I was thinking the syntax is off?
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987731
Can you post the output of the following?

pure-pw show myvirtualuser


0

 
LVL 52

Author Comment

by:_agx_
ID: 39987759
Login           : myvirtualuser
Password      : xxxxxxxxxx
UID            : 500 (mysystemuser)
GID            : 500 (mysystemgroup)
Directory      : /home/ftpusers/myvirtualuser/./
Full name      :
Download bandwidth      : 0Kb (unlimited)
Upload bandwidth      : 0Kb (unlimited)
Max files      : 0 (unlimited)
Max size      : 0 Mb (unlimited)
Ratio            : 0:0 (unlimited:unlimited)
Allowed local IPs      :
Denied local IPs      :
Allowed client IPs: 192.168.0.72,10.4.4.4
Denied client IPs:  
....
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987780
The configuration looks correct. What ip address are you connecting from?

Can you check the log for pure-ftp?
0
 
LVL 52

Author Comment

by:_agx_
ID: 39988451
My initial tests were from localhost (ie ssh'd into box hosting ftp server, from 192.168.0.72) just to verify the login worked, ie:

      ftp localhost

Should the account be able to connect from localhost? I'd need to double check, but think I also tried adding "-i localhost,127.0.0.1" to the args, but same result: 530

pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72,10.4.4.4 -i localhost,127.0.0.1


0
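An added example (not part of the original thread, and not Pure-FTPd's own code) that evaluates a `-r`/`-R` list in the syntax quoted above against a connection's source address, using the thread's list `192.168.0.72,10.4.4.4`; it shows that the loopback source address used by `ftp localhost` is not covered by that list. The helper names and the deny-before-allow ordering are assumptions made for illustration.

```python
import ipaddress
import socket

# The allow list shown by `pure-pw show` in this thread.
THREAD_ALLOWED = "192.168.0.72,10.4.4.4"


def parse_list(spec, resolve=socket.gethostbyname_ex):
    """Parse a comma-separated -r/-R value into ip_network objects."""
    nets = []
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        try:
            # Handles "192.168.1.0/24" and bare IPs (a bare IP becomes a /32).
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            # Not an address or IP/mask pair: treat it as a host name.
            try:
                addrs = resolve(item)[2]
            except OSError:
                addrs = []  # an unresolvable name matches nothing
            nets.extend(ipaddress.ip_network(a) for a in addrs)
    return nets


def client_allowed(source_ip, allowed="", denied="", resolve=socket.gethostbyname_ex):
    """Assumed semantics: any deny match rejects; a non-empty allow list must match."""
    src = ipaddress.ip_address(source_ip)
    if any(src in net for net in parse_list(denied, resolve)):
        return False
    allow = parse_list(allowed, resolve)
    return not allow or any(src in net for net in allow)


def demo():
    """Constructed checks using the thread's list; returns {source: allowed?}."""
    return {
        "192.168.0.72": client_allowed("192.168.0.72", THREAD_ALLOWED),
        # `ftp localhost` reaches the server from a loopback address.
        "127.0.0.1": client_allowed("127.0.0.1", THREAD_ALLOWED),
        "127.0.0.1 (loopback added)": client_allowed(
            "127.0.0.1", THREAD_ALLOWED + ",127.0.0.1/32"),
    }


if __name__ == "__main__":
    for source, ok in demo().items():
        print(f"{source:28} {'allowed' if ok else 'rejected'}")
```

The `-i` option tried above sets the allowed local (server-side) addresses, so it does not add a client address to the `-r` list that this check evaluates.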
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39996066
It should. Have you tried putting the addresses in the 'Allowed local IPs' directive? I can try it in my lab this evening.
0
 
LVL 52

Author Comment

by:_agx_
ID: 39996371
Yeah, I think I tried both options "-r" (with remote addresses) and "-i" (local addresses), but it's always possible I made a mistake somewhere.  I'll double check it later tonight or tomorrow.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 40008915
Hi agx,

I am seeing the same error in my lab with the error - '530 authentication failed' without the IP filter option. I will look into it more today and let you know my findings.
0
 
LVL 52

Author Comment

by:_agx_
ID: 40018189
So does that mean it worked for you with a filter? If so, what was the successful configuration?
0
 
LVL 21

Accepted Solution

by:
Mazdajai earned 500 total points
ID: 40024071
It works with users in /etc/passwd, via Unix authentication. However, I could not find the reference to authentication in the documentation or the config file -
 UnixAuthentication            yes


0
 
LVL 52

Author Comment

by:_agx_
ID: 40042544
Yeah, I'd read about that setting in the tutorial I used, so I think it was already enabled, but I'll double check. What's weird is the virtual account IS linked to a regular Linux user so it should work. Not sure why it doesn't ...

I'm working on another task right now, but will try this in the next few days.
0


Question has a verified solution.
