Anonymous FTP for all, user FTP logins only for specific IP ranges
Personally, I find giving FTP access to user accounts a security risk.
To your question, I am not aware of a solution. However, you can use proftpd with mysql and set up specific FTP accounts. You will have to enable mysql when compiling proftpd. You can then jail the required user to a specific directory. Not exactly what you're looking for, but that might help.
Just thought of this while I was typing. You can also create multiple profiles in your proftpd config file with different ports. Then use your firewall to restrict access to specific IPs on your user port (say 21 for anonymous and 2100 for authorized users). You will have to inform your authorized users to use the specified port when connecting.
Quote:
Originally Posted by tux_dude
Personally, I find giving FTP access to user accounts a security risk.
I'm not too fond of it either... one of the reasons I want to restrict it to certain IPs in the first place :-)
Quote:
Originally Posted by tux_dude
To your question, I am not aware of a solution. However, you can use proftpd with mysql and set up specific FTP accounts. You will have to enable mysql when compiling proftpd. You can then jail the required user to a specific directory. Not exactly what you're looking for, but that might help.
Well that's just a virtual user using a MySQL backend if I understand it correctly? I don't mind using 'real' users accounts.
Quote:
Originally Posted by tux_dude
Just thought of this while I was typing. You can also create multiple profiles in your proftpd config file with different ports. Then use your firewall to restrict access to specific IPs on your user port (say 21 for anonymous and 2100 for authorized users). You will have to inform your authorized users to use the specified port when connecting.
Mmm that's not ideal but the next best thing I suppose. Thanks for thinking along with me. It's also possible to launch two vsftpds from inetd probably; vsftpd lacks multiple profile support though.
Still... if someone knows a 'perfect' solution or can confirm it's just not possible, please let me know :-)
I prefer pure-ftpd myself and it can do what you want... well, it can restrict each account to one IP address and also supports quotas and bandwidth restrictions.
Quote:
I prefer pure-ftpd myself and it can do what you want... well, it can restrict each account to one IP address and also supports quotas and bandwidth restrictions.
Aye indeed... but it seems ProFTPD also supports it. I can't believe I've overlooked it:
I tried this solution and it works just fine when I state a full IP address. However, I'd like to restrict login to a range, thus using wildcards in the restriction. I tried it like so:
This, I had hoped, would allow my USER to log in even though his dynamically allocated IP means that the last figure of the address changes from time to time, but with this configuration USER is denied access. Does anyone know what I'm doing wrong here?
So "From 1.2.3.0/24" would specify IPs
1.2.3.0 to 1.2.3.255.
And "From !1.2.3.0/24" would specify everything
EXCEPT 1.2.3.0 to 1.2.3.255.
Sorry, my bad. Yes, I know ! means NOT and in my config I don't have the ! (I copied and pasted and edited the example *slams hand to forehead*. Still, that is not the issue in my case).
Anyway, no, I haven't tried to shift the mask because I might want to restrict it to the last two series of digits (i.e. 1.2.*.*). However, I'll give it a go for the ones where I only need a wildcard on the last series of digits and post back my findings.
Thanks
/CZ
EDIT: Specifying a range using 1.2.3.0/24 seems to work. I'll see if I can work something out for specifying a range for 1.2.*.*. Thanks!
Last edited by Count Zero; 04-20-2009 at 12:51 PM.
You're not limited to classful networks. So if you wanted 172.16.128.0 to 172.16.255.255, you would use 172.16.128.0/17. Or say you only wanted to allow everyone from your local cable company, you can do a whois lookup to see what their netblock is and permit that entire block. For example:
Code:
$ whois 209.216.72.18
Internet Junction Corporation INJU (NET-209-216-64-0-1)
209.216.64.0 - 209.216.95.255
# ARIN WHOIS database, last updated 2009-04-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
$ whois NET-209-216-64-0-1
OrgName: Internet Junction Corporation
OrgID: INJU
Address: 12807 W. Hillsborough Ave, Unit K
City: Tampa
StateProv: FL
PostalCode: 33635
Country: US
NetRange: 209.216.64.0 - 209.216.95.255
CIDR: 209.216.64.0/19 <<<<<<<<<<<<<<<<<<There's the Net to use
NetName: INJU
NetHandle: NET-209-216-64-0-1
(SNIP)
I did some reading up and learned a few things about CIDR (up from zero knowledge, so that didn't take much) and I think I got the hang of how CIDR works when assigning/dividing ranges of IP addresses.
However, when I do a whois on a computer I want to add (or at least one with a very similar IP) I get this:
Code:
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '83.248.0.0 - 83.248.207.255'
inetnum: 83.248.0.0 - 83.248.207.255
netname: COMHEM-CUSTOMER
descr: Com Hem customer broadband access
descr: ISP
descr: ********************************
Abuse & intrusion reports should be done online at:
http://www.comhem.se/portal/comhem/kundservice_abuse
********************************
country: SE
admin-c: CH1252-RIPE
tech-c: CH1252-RIPE
status: ASSIGNED PA
mnt-by: COMHEM-MNT
source: RIPE # Filtered
role: Com Hem LIR
address: Com Hem AB
Visiting: Fleminggatan 18
P.O. Box 8093
SE-104 20 STOCKHOLM
SWEDEN
remarks: ********************************
Abuse & intrusion reports should be done online at:
http://www.comhem.se/portal/comhem/kundservice_abuse
********************************
phone: +46 8 55363000
fax-no: +46 8 6601640
abuse-mailbox: abuse@comhem.com
org: ORG-chA1-RIPE
admin-c: NA1607-RIPE
tech-c: HL1251-RIPE
nic-hdl: CH1252-RIPE
mnt-by: COMHEM-MNT
source: RIPE # Filtered
% Information related to '83.248.0.0/13AS39651'
route: 83.248.0.0/13 <<<<<<<<<<<<<<<<<<<<< This one?
descr: SE-COMHEM
origin: AS39651
mnt-by: COMHEM-MNT
source: RIPE # Filtered
Now, I can't make heads or tails of this, as I don't get a CIDR address and I don't get any nethandle like the one you used to do your second whois look-up (where you got the CIDR).
Is it the route that I should use to allow the entire netblock?
That route will work, but understand that is a very large network block. Over 1/2 Million hosts. I did poke around and that entire block does seem to be assigned to the same ISP.
Using default routes will not always work, as they often point to several networks. Sometimes groups of entire countries.
If your goal is to restrict access to your local town, region, etc., you might want to call the ISP and ask if they have a single local subnetwork and netmask you can use.
Steve
Last edited by Suncoast; 04-22-2009 at 12:11 PM.
Reason: Removed a paragraph I'm not sure about.
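The RIPE output above gives an inetnum range ("first - last") rather than a CIDR, and the announced route covers far more than that range. The following script is an added example and not code from the thread; it uses only Python's standard library ipaddress module to split the quoted inetnum into the smallest set of CIDR blocks (a range that does not align to one prefix needs several), to count the addresses in the /13 route, and to confirm the route really contains the assigned range.

```python
"""Added example (not from the thread): turn a whois 'inetnum' range
into CIDR blocks and compare it with the announced 'route'."""
import ipaddress

# Range and route exactly as they appear in the quoted RIPE whois output.
INETNUM = "83.248.0.0 - 83.248.207.255"
ROUTE = "83.248.0.0/13"


def _range_ends(inetnum):
    """Parse 'first - last' into two address objects."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return first, last


def inetnum_to_cidrs(inetnum):
    """Minimal list of CIDR blocks that together cover the inetnum range."""
    first, last = _range_ends(inetnum)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def address_count(cidr):
    """Number of addresses in a block (what the thread calls 'hosts')."""
    return ipaddress.ip_network(cidr).num_addresses


def route_covers(route, inetnum):
    """True if every address of the inetnum range lies inside the route."""
    first, last = _range_ends(inetnum)
    net = ipaddress.ip_network(route)
    return first in net and last in net


if __name__ == "__main__":
    print("inetnum as CIDR blocks:", inetnum_to_cidrs(INETNUM))
    print("addresses in route", ROUTE, "=", address_count(ROUTE))
    print("route covers inetnum:", route_covers(ROUTE, INETNUM))
```

Run it as-is; the three blocks it prints for the inetnum add up to the 53,248 addresses actually assigned, against the 524,288 in the /13 route, which is the "over 1/2 million hosts" point made above.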
Quote:
Originally Posted by Suncoast
That route will work, but understand that is a very large network block. Over 1/2 Million hosts. I did poke around and that entire block does seem to be assigned to the same ISP.
Using default routes will not always work, as they often point to several networks. Sometimes groups of entire countries.
If your goal is to restrict access to your local town, region, etc., you might want to call the ISP and ask if they have a single local subnetwork and netmask you can use.
Steve
Ok, I think I'm figuring it all out (well, maybe not all but hopefully enough to get by )
This is among Sweden's top ten ISPs so it's probably more or less their entire network range. My friend's IP is A.B.C.D. If I'd go for something like A.B.C.0/17 that would entail some 32000 hosts plus change, right? A bit slimmer than doing the entire A.B.0.0/13, which I've gathered is 8 full class B networks. But would A.B.C.0/17 necessarily include my friend's dynamic IP when it changes? I.e. how likely is the C part of the IP to remain the same after he's been re-assigned a new IP?
On your subnet mask, C would likely get mangled unless it is a low number. The ISP is not likely to change the "C" octet by much. If no information is coming from the ISP, the trick is to get your subnet ID as close as possible by guessing. Hopefully, the following will explain which numbers to use. Pick how large a block you want, then finish that section until the IP address you have is in range. Of course, replace the x.x with the first two octets of the IP address.
Warning. You just have to stare at this for a minute, thinking number patterns, and it suddenly makes sense.
If netmask of /17 (255.255.128.0)
x.x.0.0 to x.x.127.255 would be x.x.0.0/17
x.x.128.0 to x.x.255.255 would be x.x.128.0/17
(Complete)
If netmask of /18 (255.255.192.0) (16,384 hosts each)
x.x.0.0 to x.x.63.255 would be x.x.0.0/18
x.x.64.0 to x.x.127.255 would be x.x.64.0/18
x.x.128.0 to x.x.191.255 would be x.x.128.0/18
x.x.192.0 to x.x.255.255 would be x.x.192.0/18
(Complete)
if /19 (255.255.224.0) (8,192 hosts each)
x.x.0.0 to x.x.31.255 would be x.x.0.0/19
x.x.32.0 to x.x.63.255 would be x.x.32.0/19
And so on, increment each line by 32.
if /20 (255.255.240.0)(4,096 hosts each)
x.x.0.0 to x.x.15.255 would be x.x.0.0/20
x.x.16.0 to x.x.31.255 would be x.x.16.0/20
And so on increment each line by 16.
So if your 3rd octet (C) was 34, you would use either
x.x.0.0/17 or
x.x.0.0/18 or
x.x.32.0/19 or
x.x.32.0/20
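The table above can be computed instead of stared at: masking the host bits off an address with a given prefix length yields exactly the "x.x.N.0/prefix" row it falls in. The script below is an added example, not code from the thread, and uses only Python's standard library; the 10.20.34.7 address, the re-assigned addresses and the user names are constructed for the example. It lists the candidate blocks for each prefix length, checks whether a re-assigned address still lands in the chosen block, and then applies that block as the login policy the thread is after (anonymous from anywhere, a named user only from its listed blocks).

```python
"""Added example (not from the thread): compute the CIDR block of a given
prefix length that contains an address, and use it as a login restriction."""
import ipaddress


def containing_block(ip, prefix):
    """The block that contains ip at this prefix length; strict=False
    masks the host bits off, which is what the table above does by hand."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def candidate_blocks(ip, prefixes=(17, 18, 19, 20)):
    """Map prefix length -> (block, number of addresses) for the given ip."""
    result = {}
    for p in prefixes:
        net = containing_block(ip, p)
        result[p] = (str(net), net.num_addresses)
    return result


def still_covered(block, new_ip):
    """Does a re-assigned address still fall inside the chosen block?"""
    return ipaddress.ip_address(new_ip) in ipaddress.ip_network(block)


# Constructed policy: anonymous from anywhere, a named user only from the
# /19 block picked with candidate_blocks() for a constructed 10.20.34.x IP.
POLICY = {
    "anonymous": ["0.0.0.0/0"],
    "friend": ["10.20.32.0/19"],
}


def login_allowed(user, src_ip, policy=POLICY):
    """Allow the login only if the source address is inside one of the
    user's permitted blocks; users without a policy entry are denied."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(b) for b in policy.get(user, []))


if __name__ == "__main__":
    for prefix, (block, count) in candidate_blocks("10.20.34.7").items():
        print(f"/{prefix}: {block} ({count} addresses)")
    print(still_covered("10.20.32.0/19", "10.20.61.200"))  # third octet drifted to 61
    print(still_covered("10.20.32.0/19", "10.20.64.1"))    # drifted out of the block
    print(login_allowed("anonymous", "198.51.100.9"))
    print(login_allowed("friend", "10.20.70.1"))
```

The policy dictionary stands in for whatever the FTP daemon's own per-user restriction is; the point is that a deny-by-default check against a short list of blocks is the whole decision, and the block width is the only knob that trades coverage of a drifting dynamic address against how much of the ISP gets let in.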
Yes, it does take some staring, sort of like those 3D pictures that were popular a couple of years ago, but I DO see the logic in it. It's quite beautiful once one sees the rationality of it.
Restricting it to 8192 hosts should be good, the third octet on his current IP would then be about in the middle of the range it encompasses and hopefully that'll do the trick when it changes.
Suncoast, you have been a tremendous help and I've learned a lot. Thanks!