How to allow FTP in hosts.allow


Post by Learner » Tue Jan 08, 2008 9:35 am

AOA

Dear All !

I am using FreeBSD 6.2. I am facing a problem: my machine reports a number of invalid user attempts from outside. I want to secure it by using "hosts.allow", but when I do this my FTP services also stop working. The FTP server package is "vsftpd".

Please guide ...
Thanks & Regards


Muhammad Ali
Learner
Lance Naik
 
Posts: 41
Joined: Wed Nov 08, 2006 2:40 am

Post by lambda » Tue Jan 08, 2008 10:03 am

what have you tried to do?
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore

Post by Learner » Tue Jan 08, 2008 11:14 am

Dear Lambda !

Thanks for the reply.

What I have done is a little change in "hosts.allow". That is


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
##ALL : ALL : allow (Changed)

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny
sshd : 192.168.1.6,192.168.1.7 : allow ##(Changed)
sshd : ALL : deny ##(Changed)

Just uncommented two lines ...
Thanks & Regards





Muhammad Ali

Post by lambda » Wed Jan 09, 2008 1:57 am

add something like

vsftpd : 192.168.0.1/24 : allow
to allow access from that network. by commenting out the "ALL" entry, you've pretty much disabled all services by default.

Post by Learner » Wed Jan 09, 2008 9:18 pm

AOA

Dear Lambda !

Thanks for the reply. I have tried it, I want to make FTP available for all. The option I used is

vsftpd : localhost : allow
vsftpd : ALL : allow

Now it's working, thanks once again for the guidance.
Thanks & Regards





Muhammad Ali

Post by lambda » Thu Jan 10, 2008 4:09 pm

you need just the second entry, not both.

Post by shahzor » Thu Sep 11, 2008 10:58 am

but how did you secure it, didn't get this point. if it's

vsftpd : ALL : allow

then who is not allowed.

thanks
LinuxBoy
shahzor
Naik
 
Posts: 72
Joined: Thu Jun 29, 2006 11:33 am
Location: Quetta

Post by lambda » Thu Sep 11, 2008 12:31 pm

read his last post again. he says
"I have tried it, I want to make FTP available for all."

Post by x2oxen » Fri Sep 12, 2008 8:21 am

Is there any way to stop something like a dictionary attack on the ftp service??
Muhammad Usman
x2oxen
Major General
 
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Website: http://usmanpk.com
Location: Faisalabad

Re: How to allow FTP in hosts.allow

Post by shahzor » Fri Sep 12, 2008 2:09 pm

Learner wrote: I want to secure it by using "hosts.allow"
Please guide ...

it was just about the above line. when you want to secure it by hosts.allow then you should have an IP address or a subnet to be allowed and deny everyone else. if you say allow everyone then you can't say that you are going to secure it.


thanks
shahz

Post by lambda » Sat Sep 13, 2008 3:13 pm

once again, it should be clear that he changed his mind. he said he wanted everyone to use ftp.

regarding stopping dictionary attacks on ftp

Post by ghulam yaseen » Tue Jan 13, 2009 1:12 pm

Hello :);

Please follow the following steps to stop dictionary attacks on the ftp server

1. Create the group 'www' with r/w privileges to the /srv/www/htdocs folder (the website folder) if it doesn't exist already.
2. Create the user 'ftp_remote_admin' and have it belong to the group 'www' (so it will have r/w access to the http server folder). Also, set the user's home folder to /srv/www/htdocs.
3. Restrict access to only those who log in (no anonymous), and only to the user 'ftp_remote_admin', via the vsftpd config file.
4. Set vsftpd.conf to move users into their home folder on login.

Regards,
Ghulam Yaseen
x2oxen wrote: Is there any way to stop something like dictionary attack on ftp service??
ghulam yaseen
Naik
 
Posts: 68
Joined: Thu Aug 07, 2008 6:09 pm
Location: karachi
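
Steps 3 and 4 of the post above correspond to a handful of vsftpd.conf options. The following is an added example, not part of the original post: a Python check that reports which of those options a config leaves at a weaker value. The function names, the sample configs and the mapping of step 4 to chroot_local_user are assumptions of this example.

```python
# Defaults from vsftpd.conf(5) for the options checked below.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO",
            "userlist_enable": "NO", "userlist_deny": "YES",
            "chroot_local_user": "NO"}

# Settings steps 3 and 4 call for. Mapping step 4 to chroot_local_user
# is this example's assumption, not something the post states.
WANTED = {"anonymous_enable": "NO", "local_enable": "YES",
          "userlist_enable": "YES", "userlist_deny": "NO",
          "chroot_local_user": "YES"}

# Constructed sample inputs.
WEAK_CONF = "# constructed: only local logins switched on\nlocal_enable=YES\n"
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
chroot_local_user=YES
"""

def parse_conf(text):
    """Overlay option=value lines on the defaults; '#' lines are comments."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key] = value
    return settings

def audit(conf_text, userlist_text, allowed=("ftp_remote_admin",)):
    """Return findings; an empty list means every checked item matches."""
    settings = parse_conf(conf_text)
    # This sketch only recognises YES/NO as boolean values.
    findings = [f"{key}={settings[key]}, want {want}"
                for key, want in WANTED.items()
                if settings[key].upper() != want]
    listed = {u.strip() for u in userlist_text.splitlines() if u.strip()}
    for user in sorted(listed - set(allowed)):
        findings.append(f"userlist_file also admits {user}")
    for user in sorted(set(allowed) - listed):
        findings.append(f"userlist_file is missing {user}")
    return findings
```

With userlist_enable=YES and userlist_deny=NO, vsftpd only accepts logins from accounts named in its userlist file, which is why the check also looks at that file's contents.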

regarding allow only one host and reject all

Post by ghulam yaseen » Tue Jan 13, 2009 1:18 pm

It is also possible that we restrict all others except one user

vsftpd:IP_address: Allow
vsftpd:ALL:Deny


lambda wrote: once again, it should be clear that he changed his mind. he said he wanted everyone to use ftp.
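
The "first match wins" behaviour this thread turns on, as an added example that is not part of any post: a Python evaluator for a small IPv4-only subset of hosts_access(5) client patterns, handling three-field rules only. The sample file is constructed from the rules quoted in the thread; the net/mask vsftpd rule, the closing `ALL : ALL : deny` line and all function names are assumptions of this example.

```python
import ipaddress

# Constructed sample modelled on the rules quoted in this thread. The final
# catch-all deny is an assumption standing in for the end of the real file.
HOSTS_ALLOW = """\
# ALL : ALL : allow
sshd : 192.168.1.6,192.168.1.7 : allow
sshd : ALL : deny
vsftpd : 192.168.0.0/255.255.255.0 : allow
ALL : ALL : deny
"""

def _items(field):
    """Split a daemon or client list on commas and/or whitespace."""
    return field.replace(",", " ").split()

def parse_rules(text):
    """Return (daemons, clients, action, lineno) for each active rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients, action = (f.strip() for f in line.split(":", 2))
        rules.append((_items(daemons), _items(clients), action, lineno))
    return rules

def client_matches(pattern, addr):
    """Match one client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # leading-octets form, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:               # net/mask form
        net, mask = (int(ipaddress.IPv4Address(p)) for p in pattern.split("/"))
        return (int(ipaddress.IPv4Address(addr)) & mask) == net
    return pattern == addr

def decide(rules, daemon, addr):
    """First matching rule wins; None means no rule in this file matched."""
    for daemons, clients, action, lineno in rules:
        if (daemon in daemons or "ALL" in daemons) and \
                any(client_matches(c, addr) for c in clients):
            return action, lineno
    return None
```

Calling `decide(parse_rules(HOSTS_ALLOW), "vsftpd", "192.168.0.77")` returns the action together with the line that decided it, which is the quickest way to see why a service stopped answering after a rule was commented out.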

