Solved

PureFTP - Restrict virtual user account IP address

Posted on 2014-04-08
Last Modified: 2014-06-04
I've installed PureFTP and created a virtual user account, and can successfully log in.

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser

Now I'd like to restrict access for the new user by IP. The docs say you can do this using the -r flag. So I deleted the account (restarted, etc...) and recreated the account using a list of single IPs:

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r xxx.xx.xxx.xx,xx.xx,xxx,xx

But when I test the account:

         ftp localhost
         Name (localhost:user): myvirtualuser
         Password:   xxxxxxx
     
The result is always:

         530 authentication failed
         Login failed

Can anyone spot what I'm doing wrong? (Btw, I'm relatively new to Linux.)
Question by:_agx_
12 Comments
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987709
What is the exact command you enter and the source IP you are trying to test?

-r and -R are handy to restrict where the user can connect from. They can be
followed by a simple IP/mask pair (-r 192.168.1.0/24), multiple pairs
separated by a comma (-r 192.168.1.0/24,10.1.0.0/16,127.0.0.1/32), single IPs
(-r 192.168.1.4,10.1.1.5), host names (-r bla.bla.net,yopcitron.com), or any
combination of those.

0
 
LVL 52

Author Comment

by:_agx_
ID: 39987726
It's the same as what I posted above, but with a list of IPs like this:

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72,10.4.4.4

I also tried it with a single IP address (and host name). Same result.

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72

The IPs are definitely valid and accessible. Since it worked no problem without the "-r" flag, I was thinking the syntax is off?
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987731
Can you post the output of the following?

     pure-pw show myvirtualuser
0
 
LVL 52

Author Comment

by:_agx_
ID: 39987759
Login           : myvirtualuser
Password      : xxxxxxxxxx
UID            : 500 (mysystemuser)
GID            : 500 (mysystemgroup)
Directory      : /home/ftpusers/myvirtualuser/./
Full name      :
Download bandwidth      : 0Kb (unlimited)
Upload bandwidth      : 0Kb (unlimited)
Max files      : 0 (unlimited)
Max size      : 0 Mb (unlimited)
Ratio            : 0:0 (unlimited:unlimited)
Allowed local IPs      :
Denied local IPs      :
Allowed client IPs: 192.168.0.72,10.4.4.4
Denied client IPs:  
....
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39987780
The configuration looks correct. What IP address are you connecting from?

Can you check the log for pure-ftp?
0
 
LVL 52

Author Comment

by:_agx_
ID: 39988451
My initial tests were from localhost (i.e. ssh'd into box hosting ftp server, from 192.168.0.72) just to verify the login worked, i.e.:

      ftp localhost

Should the account be able to connect from localhost? I'd need to double check, but think I also tried adding "-i localhost,127.0.0.1" to the args, but same result: 530

     pure-pw useradd myvirtualuser -u mysystemuser -d /home/ftpusers/myvirtualuser -r 192.168.0.72,10.4.4.4 -i localhost,127.0.0.1
0
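An added example, not part of the original thread and not Pure-FTPd's own code: a small Python model of an allow list in the `-r` syntax quoted earlier, applied to the "Allowed client IPs" line from the posted `pure-pw show` output. It assumes that a session started with `ftp localhost` reaches the server from a loopback source address and that an empty list means no restriction; `resolved` is a hypothetical offline stand-in for DNS lookups of host-name entries.

```python
import ipaddress

# Constructed sample: the relevant lines of the `pure-pw show` output above.
SHOW_OUTPUT = """\
Allowed local IPs      :
Denied local IPs      :
Allowed client IPs: 192.168.0.72,10.4.4.4
Denied client IPs:
"""

def parse_rules(show_output, field="Allowed client IPs"):
    """Return the comma-separated entries of one field of `pure-pw show`."""
    for line in show_output.splitlines():
        name, _, value = line.partition(":")
        if name.strip() == field:
            return [e.strip() for e in value.split(",") if e.strip()]
    return []

def client_allowed(client_ip, rules, resolved=None):
    """Model of an allow list; an empty list is assumed to mean "no restriction".

    Entries may be single IPs, IP/mask pairs or host names. Host names are
    looked up in `resolved` (hypothetical name -> [ip] map) so this runs offline.
    """
    if not rules:
        return True
    addr = ipaddress.ip_address(client_ip)
    for entry in rules:
        try:
            # A bare IP becomes a /32 (or /128) network; mixed versions never match.
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # not an IP or IP/mask pair: treat as a host name
            if client_ip in (resolved or {}).get(entry, []):
                return True
    return False

def report(rules, sources):
    """Map each candidate source address to True (allowed) or False."""
    return {src: client_allowed(src, rules) for src in sources}

if __name__ == "__main__":
    rules = parse_rules(SHOW_OUTPUT)
    # Loopback sources stand for `ftp localhost`; the others are the listed IPs.
    for src, ok in report(rules, ["127.0.0.1", "::1", "192.168.0.72", "10.4.4.4"]).items():
        print(f"{src:15} {'allowed' if ok else 'rejected'}")
```

In this model both loopback addresses are rejected by the posted list, while the two listed addresses are allowed.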
 
LVL 21

Expert Comment

by:Mazdajai
ID: 39996066
It should. Have you tried putting the addresses in the 'Allowed local IPs' directive? I can try it in my lab this evening.
0
 
LVL 52

Author Comment

by:_agx_
ID: 39996371
Yeah, I think I tried both options "-r" (with remote addresses) and "-i" (local addresses), but it's always possible I made a mistake somewhere.  I'll double check it later tonight or tomorrow.
0
 
LVL 21

Expert Comment

by:Mazdajai
ID: 40008915
Hi agx,

I am seeing the same error in my lab with the error - '530 authentication failed' without the IP filter option. I will look into it more today and let you know my findings.
0
 
LVL 52

Author Comment

by:_agx_
ID: 40018189
So does that mean it worked for you with a filter? If so, what was the successful configuration?
0
 
LVL 21

Accepted Solution

by:
Mazdajai earned 500 total points
ID: 40024071
It works with users in /etc/passwd, via Unix authentication. However, I could not find the reference to authentication in the documentation or the config file -

     UnixAuthentication            yes

0
 
LVL 52

Author Comment

by:_agx_
ID: 40042544
Yeah, I'd read about that setting in the tutorial I used, so I think it was already enabled, but I'll double check. What's weird is the virtual account IS linked to a regular Linux user so it should work. Not sure why it doesn't ...

I'm working on another task right now, but will try this in the next few days.
0
