
Port 21 blocking, port 22 allow for specific users; how to?

nadsab

6:07 am on Feb 6, 2004 (gmt 0)

Hi there,

I'd like to configure the server so that I can block any specific user from logging into port 21 (FTP) and only allow them to log in to port 22 via SFTP. I may also want to allow one user to have port 21 access. How would I do that? ipchains? Can anyone give me a snippet example command to do this, or do I need to RTFM for the whole weekend - are there config files to edit, or can I do this via the CLI? :) Or can anyone point me to a clear, concise tutorial on this specific subject?

This is for a RH 8 box running Apache 2.x and VSFTPD.

Thanks anyone.

SeanW

2:12 pm on Feb 6, 2004 (gmt 0)

You can allow *only* certain users to log in with vsftpd

/etc/vsftpd.conf:
userlist_enable=YES
# with userlist_deny=NO, only the names in the user_list file may log in
userlist_deny=NO

/etc/vsftpd.user_list:
list of valid users (one username per line)

nadsab

3:54 pm on Feb 6, 2004 (gmt 0)

Hi Sean,

Yes thanks, I know how to allow certain users to have FTP access using the config files in vsftpd. But I want to allow certain users to only be able to log in using Secure FTP, which is port 22. Right now they can get in by both port 21, which is non-secure FTP, and port 22, which is secure FTP (SFTP). I want them only to get in via port 22, which is secure FTP.

Port 22 works fine and I am all set up with secure connections on the server; that all works fine. I can get encrypted connections via port 22. Now I just want to only allow port 22 connections.

How would I do that anyone?

Wertigon

1:12 pm on Feb 7, 2004 (gmt 0)

The easiest way IMO would be to put up an iptables rule where you drop everything on port 21.

nadsab

1:57 pm on Feb 7, 2004 (gmt 0)

Thanks Wertigon,

Do you know what the syntax would be? Or are there any online examples of how to do this?

SeanW

3:26 pm on Feb 7, 2004 (gmt 0)

If you don't want any connections into port 21 then it would be more efficient to just not run the daemon, i.e. disable=yes in /etc/xinetd.d/vsftpd (then restart xinetd).

The iptables way is

iptables -A INPUT -p tcp --dport 21 -j REJECT

If you selectively wanted to allow access by IP address, you could precede it with

iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 21 -j ACCEPT

which would allow anything from the 192.168.0.0/16 space.

Sean
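The two iptables commands above only do what Sean describes when the ACCEPT rule is appended before the REJECT rule, because the INPUT chain is evaluated top to bottom and the first matching rule wins. The following is an added example, not code from the thread: it models that first-match evaluation in Python for exactly the options used in the two commands (-p, -s, --dport, -j), so the ordering can be checked without touching a live firewall. The chain policy and the sample source addresses are assumptions.

```python
"""Added example: model iptables first-match evaluation of an INPUT chain.
It does not run iptables or touch the kernel; it only reproduces the
"first matching rule wins, otherwise the chain policy applies" semantics
for the rule shapes used in the thread."""
import ipaddress


def parse_rule(cmd):
    """Parse a minimal 'iptables -A INPUT -p tcp [-s CIDR] --dport N -j TARGET'
    command line into its matching fields. Only the options that appear in the
    thread are understood; any other token is skipped."""
    toks = cmd.split()
    rule = {"proto": None, "src": None, "dport": None, "target": None}
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif opt == "--dport":
            rule["dport"] = int(toks[i + 1])
            i += 2
        elif opt == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1
    if rule["target"] is None:
        raise ValueError("rule has no -j target: " + cmd)
    return rule


def verdict(rules, src_ip, dport, proto="tcp", policy="ACCEPT"):
    """Return the target of the first rule that matches the packet, or the
    chain policy (assumed ACCEPT here) when no rule matches."""
    ip = ipaddress.ip_address(src_ip)
    for rule in map(parse_rule, rules):
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        if rule["src"] is not None and ip not in rule["src"]:
            continue
        return rule["target"]
    return policy


# The two commands from the post, in the order Sean gives them (ACCEPT first).
RULES_CORRECT_ORDER = [
    "iptables -A INPUT -p tcp -s 192.168.0.0/16 --dport 21 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 21 -j REJECT",
]
# The same rules appended in the wrong order: the REJECT now shadows the ACCEPT.
RULES_WRONG_ORDER = list(reversed(RULES_CORRECT_ORDER))

if __name__ == "__main__":
    # Constructed sample hosts: one inside 192.168.0.0/16, one outside it.
    for label, rules in (("correct", RULES_CORRECT_ORDER), ("reversed", RULES_WRONG_ORDER)):
        print(label, "LAN host -> 21:", verdict(rules, "192.168.1.5", 21))
        print(label, "outside host -> 21:", verdict(rules, "203.0.113.9", 21))
        print(label, "LAN host -> 22:", verdict(rules, "192.168.1.5", 22))
```

With the rules in Sean's order a LAN host reaches port 21 and everyone else is rejected; with the order reversed the REJECT matches first for every source and the ACCEPT is never reached. Port 22 is untouched by either rule, so SFTP falls through to the chain policy.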

nadsab

3:41 pm on Feb 7, 2004 (gmt 0)

Would using "disable=yes in /etc/xinetd.d/vsftpd (then restart xinetd)" also disable port 22 SFTP connections? Because I would like to selectively allow some users access to FTP, but allow other users to only be able to login via SFTP only.

SeanW

5:20 pm on Feb 7, 2004 (gmt 0)

It's my understanding that openssl provides its own sftp server daemon; vsftpd has nothing to do with it. With that in mind, does my original reply look any better?

Sean

nadsab

5:39 pm on Feb 7, 2004 (gmt 0)

Thanks, yes, much better.

So I assume that, since I already have both SFTP and FTP working, all I need to do is disable specific users via the VSFTPD config files - is that correct?

If so that's easy!

SeanW

6:53 pm on Feb 7, 2004 (gmt 0)

Yep, that's what you want.

Sean
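The approach settled on here (Sean's first reply, confirmed above) relies on vsftpd's userlist_* options, and their interaction is easy to get wrong: userlist_deny only has an effect when userlist_enable is YES, and the sense of the list flips with userlist_deny. The following is an added example, not code from the thread or from vsftpd: a small audit script that parses a vsftpd.conf and user_list file and reports, for a given set of accounts, who can still log in on port 21 and who is SFTP-only. The config snippets and usernames are constructed; the real files on an RH 8 box may live under /etc/vsftpd/, and vsftpd's other gates (PAM, /etc/vsftpd.ftpusers) are not modelled.

```python
"""Added example: audit who can log in over FTP (port 21) under vsftpd's
userlist_enable / userlist_deny / user_list settings. It models only the
userlist gate; PAM and the ftpusers file are separate checks not covered here."""

# vsftpd's documented defaults for the two options we care about.
VSFTPD_DEFAULTS = {"userlist_enable": "NO", "userlist_deny": "YES"}


def parse_vsftpd_conf(text):
    """Parse key=value lines from a vsftpd.conf; '#' comments and blanks are
    ignored and option names are case-insensitive. Unknown keys are kept too."""
    conf = dict(VSFTPD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Boolean values are YES/NO; normalise case so 'yes' and 'YES' agree.
        conf[key.strip().lower()] = value.strip().upper()
    return conf


def parse_user_list(text):
    """One username per line; '#' lines and blanks are ignored."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def ftp_allowed(user, conf, user_list):
    """True if the userlist gate lets this account reach the FTP login."""
    if conf.get("userlist_enable") != "YES":
        return True                      # list is not consulted at all
    listed = user in user_list
    if conf.get("userlist_deny") == "YES":
        return not listed                # list is a deny list
    return listed                        # list is an allow list


def audit(conf_text, user_list_text, users):
    """Map each account to 'ftp+sftp' (FTP login possible) or 'sftp-only'."""
    conf = parse_vsftpd_conf(conf_text)
    allowed = parse_user_list(user_list_text)
    return {u: ("ftp+sftp" if ftp_allowed(u, conf, allowed) else "sftp-only")
            for u in users}


# Constructed sample files. The first mirrors a config that sets only
# userlist_deny=NO; the second adds the userlist_enable=YES it depends on.
CONF_DENY_ONLY = "userlist_deny=NO\n"
CONF_FIXED = "userlist_enable=YES\nuserlist_deny=NO\n"
USER_LIST = "# accounts allowed on port 21\nalice\n"
ACCOUNTS = ["alice", "bob"]

if __name__ == "__main__":
    print("userlist_deny only:", audit(CONF_DENY_ONLY, USER_LIST, ACCOUNTS))
    print("with userlist_enable:", audit(CONF_FIXED, USER_LIST, ACCOUNTS))
```

Run against the first sample, both accounts come back as ftp+sftp because the list is never consulted; with userlist_enable=YES added, alice keeps FTP and bob is SFTP-only, which is the split nadsab asked for. The same function can be pointed at the live files to confirm the change took effect before restarting vsftpd.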

nadsab

10:33 pm on Feb 7, 2004 (gmt 0)

Thanks Sean.