Only allow FTP access from certain hosts

Q I have an external server that acts as an FTP server for the company personnel and also as an anonymous FTP server for our clients. It's been a good little server until recently, when we found that it's getting abused by folks other than our clients and is causing some network bandwidth issues for us. We don't have issues if the server is running after hours, as that doesn't affect the staff that use the same network during the day. So I put the service in a cron job and have it stop in the morning and restart when the office closes down for the day. This solved the network bandwidth issues, but then caused another problem.

The staff that need to update the files on the FTP server need to be able to do so during the working hours of the office. I need to have it running for the local staff but not running from the outside. I have some thoughts but they deal with modifying either hosts.allow/hosts.deny files or using some kind of xinetd trick to get them to work. I'm not sure what would be a good solution for this. The server is running CentOS 4.5, using vsftp running as a standalone daemon. The machine only has a single network card and IP address and is only visible via that address.

A While it is possible to do what you want, only making the public server available out of office hours, this is not the ideal solution. It is reasonable to assume that those abusing your server are not always putting legal material there, which could lead to legal action against you or losing your Internet connection. Remember, this is your server and you are responsible for the content available from it. Providing anonymous upload and download capability is asking for trouble. If you must do this, keep the upload area separate from the downloads, so people cannot download material that has been anonymously uploaded; it has to be moved over by someone with a login account. A better solution is to disable anonymous uploads altogether and provide your clients with their own FTP accounts. If you really want to continue offering unrestricted anonymous access out of office hours, you can use the hosts.allow and hosts.deny files in /etc. You enable this by putting

tcp_wrappers=YES

in /etc/vsftpd.conf. Then ensure your local network has access - add this line to /etc/hosts.allow

vsftpd: 192.168.1.

Note the trailing "." on the address to match the whole subnet; change the address to match your network. Now put these two lines into /etc/cron.d/vsftpd

0 18 * * 1-5 root sed -i '/^vsftpd/d' /etc/hosts.deny
0 8 * * 1-5 root echo "vsftpd: ALL" >>/etc/hosts.deny

and force cron to reload with

killall -HUP crond

This will modify hosts.deny to deny all addresses, except those specified in hosts.allow, between 0800 and 1800 Monday to Friday and clear the block at other times.
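The answer's two cron lines work, but they are one-shot edits: a missed run or a reboot at the wrong moment leaves hosts.deny in the wrong state, and the morning echo appends a fresh "vsftpd: ALL" line every weekday. The script below is an added example, not part of the original answer or of vsftpd. It packages the same hosts.allow / hosts.deny toggle as idempotent functions, adds a state-based apply_schedule() that can run from cron every few minutes, and includes a simplified model of the tcp_wrappers decision (allow file first, then deny file, then allow) so you can check which clients the policy admits before touching the real files. Function names, the schedule helper, the 203.0.113.9 sample address and the temporary-file demo are this example's own; file paths are passed as arguments so it can be exercised on copies.

```shell
#!/bin/sh
# Added example, not from the original TuxRadar answer. Paths are arguments
# so every function can be run against temporary copies of the two files.

# Add "vsftpd: ALL" to a hosts.deny file exactly once. The cron line in the
# answer appends a new copy every weekday morning; grep makes it idempotent.
block_vsftpd() {
    grep -q '^vsftpd:' "$1" 2>/dev/null || echo "vsftpd: ALL" >> "$1"
}

# Remove every vsftpd line from a hosts.deny file (what the sed in the
# answer does), written without sed -i so it also runs on BSD sed.
unblock_vsftpd() {
    [ -f "$1" ] || return 0
    grep -v '^vsftpd' "$1" > "$1.tmp" || true
    mv "$1.tmp" "$1"
}

# Does any "daemon: client-list" line in the file match this client?
# Patterns supported: ALL, a dotted prefix ending in "." (192.168.1.), and an
# exact address. Real tcp_wrappers supports far more (netmasks, hostnames,
# EXCEPT), so this is a teaching model of the two files, not a replacement.
_matches() {
    daemon="$1"; client="$2"; file="$3"
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        case "$line" in "$daemon:"*) ;; *) continue ;; esac
        rest=${line#*:}
        for pat in $(printf '%s' "$rest" | tr ',' ' '); do
            case "$pat" in
                ALL) return 0 ;;
                *.)  case "$client" in "$pat"*) return 0 ;; esac ;;
                *)   if [ "$pat" = "$client" ]; then return 0; fi ;;
            esac
        done
    done < "$file"
    return 1
}

# tcp_wrappers order: a hosts.allow match grants, else a hosts.deny match
# refuses, else access is granted. Prints "allow" or "deny".
wrapper_decision() {
    daemon="$1"; client="$2"; allow_file="$3"; deny_file="$4"
    if _matches "$daemon" "$client" "$allow_file"; then echo allow
    elif _matches "$daemon" "$client" "$deny_file"; then echo deny
    else echo allow
    fi
}

# State-based version of the two cron entries: given the hour (0-23) and the
# day of week (1-7, Monday=1), make hosts.deny match the policy "blocked
# 08:00-18:00 Monday to Friday, open otherwise". Run every few minutes from
# cron this survives a missed run or a reboot, which two one-shot lines do not.
apply_schedule() {
    hour="$1"; dow="$2"; deny_file="$3"
    if [ "$dow" -ge 1 ] && [ "$dow" -le 5 ] && [ "$hour" -ge 8 ] && [ "$hour" -lt 18 ]; then
        block_vsftpd "$deny_file"
    else
        unblock_vsftpd "$deny_file"
    fi
}

# Walk the policy through a week on temporary copies of both files.
demo() {
    allow=$(mktemp); deny=$(mktemp)
    echo "vsftpd: 192.168.1." > "$allow"           # the hosts.allow line from the answer
    for when in "7 1" "9 1" "12 3" "18 5" "12 6"; do   # "hour dow" pairs (constructed)
        set -- $when
        apply_schedule "$1" "$2" "$deny"
        printf 'dow=%s hour=%02d  staff 192.168.1.20 -> %s   outside 203.0.113.9 -> %s\n' \
            "$2" "$1" "$(wrapper_decision vsftpd 192.168.1.20 "$allow" "$deny")" \
            "$(wrapper_decision vsftpd 203.0.113.9 "$allow" "$deny")"
    done
    rm -f "$allow" "$deny"
}
demo
```

To use it on the real files, drop the demo and schedule something like `apply_schedule "$(date +%H)" "$(date +%u)" /etc/hosts.deny` from /etc/cron.d every five minutes; because the function only changes the file when it is in the wrong state, the frequent runs cost nothing and the policy self-heals after a reboot. Keep the hosts.allow entry for the office subnet in place permanently, exactly as the answer shows, since the deny rule is only ever consulted for clients that hosts.allow did not already admit.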
