How to allow FTP in hosts.allow

Protecting your Linux box
Learner
Lance Naik
Posts: 41
Joined: Wed Nov 08, 2006 2:40 am

How to allow FTP in hosts.allow

Post by Learner »

AOA

Dear All !

I am using FreeBSD 6.2. I am facing a problem: my machine reports a number of invalid user attempts from outside. I want to secure it by using "hosts.allow", but when I do this my FTP service also stops working. The FTP server package is "vsftpd".

Please guide ...
Thanks & Regards


Muhammad Ali
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

what have you tried to do?
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
Learner
Lance Naik
Posts: 41
Joined: Wed Nov 08, 2006 2:40 am

Post by Learner »

Dear Lambda !

Thanks for the reply.

What I have done is a little change in "hosts.allow". That is


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
##ALL : ALL : allow (Changed)

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny
sshd : 192.168.1.6,192.168.1.7 : allow ##(Changed)
sshd : ALL : deny ##(Changed)

Just uncommented two lines ...
Thanks & Regards


Muhammad Ali
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

add something like

vsftpd : 192.168.0.1/24 : allow
to allow access from that network. by commenting out the "ALL" entry, you've pretty much disabled all services by default.
Learner
Lance Naik
Posts: 41
Joined: Wed Nov 08, 2006 2:40 am

Post by Learner »

AOA

Dear Lambda !

Thanks for the reply. I have tried it, I want to make FTP available for all. The option I used is

vsftpd : localhost : allow
vsftpd : ALL : allow

Now it's working, thanks once again for the guidance.
Thanks & Regards


Muhammad Ali
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

you need just the second entry, not both.
shahzor
Naik
Posts: 72
Joined: Thu Jun 29, 2006 11:33 am
Location: Quetta
Contact:

Post by shahzor »

but how did you secure it? didn't get this point. if it's

vsftpd : ALL : allow

then who is not allowed.

thanks
LinuxBoy
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

read his last post again. he says
I have tried it, I want to make FTP available for all.
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

Is there any way to stop something like dictionary attack on ftp service??
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
shahzor
Naik
Posts: 72
Joined: Thu Jun 29, 2006 11:33 am
Location: Quetta
Contact:

Re: How to allow FTP in hosts.allow

Post by shahzor »

Learner wrote: I want to secure it by using "hosts.allow"
Please guide ...
it was just about the above line: when you want to secure it by hosts.allow then you should have an IP address or a subnet to be allowed and deny everyone else. if you say allow everyone then you can't say that you are going to secure it.


thanks
shahz
LinuxBoy
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

once again, it should be clear that he changed his mind. he said he wanted everyone to use ftp.
ghulam yaseen
Naik
Posts: 68
Joined: Thu Aug 07, 2008 6:09 pm
Location: karachi

regarding stopping dictionary attacks on ftp

Post by ghulam yaseen »

Hello :);

Please follow the following steps to stop dictionary attacks on the FTP server:

1. Create the group 'www' with r/w privileges to the /srv/www/htdocs folder (the website folder) if it doesn't exist already.
2. Create the user 'ftp_remote_admin' and have it belong to the group 'www' (so it will have r/w access to the http server folder). Also, set the user's home folder to /srv/www/htdocs.
3. Restrict access to only those who log in (no anonymous), and only to the user 'ftp_remote_admin' via the vsftpd config file.
4. Set vsftpd.conf to move users into their home folder on login.

Regards,
Ghulam Yaseen
x2oxen wrote:Is there any way to stop something like dictionary attack on ftp service??
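
Added example (not part of the post above): a small shell audit for the vsftpd.conf side of steps 3 and 4. These settings narrow which accounts a guessed password can succeed against. Assumptions: step 4 is read as chroot_local_user, the last assignment of a key wins, and the userlist_file path is hypothetical (it would list only ftp_remote_admin).

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the settings behind steps 3 and 4.

# conf_value FILE KEY DEFAULT: last value assigned to KEY (assumed to win),
# otherwise vsftpd's built-in default for that key.
conf_value() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# audit_vsftpd FILE: print one line per setting that differs from the wanted value.
# Table columns: key, wanted value, vsftpd default.
audit_vsftpd() {
    while read -r key want default; do
        got=$(conf_value "$1" "$key" "$default")
        [ "$got" = "$want" ] || echo "$key=$got (want $want)"
    done <<EOF
anonymous_enable NO YES
local_enable YES NO
userlist_enable YES NO
userlist_deny NO YES
chroot_local_user YES NO
EOF
}

# Constructed sample files (not taken from the thread).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' > "$SAMPLE_DIR/weak.conf"
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' \
    'userlist_enable=YES' 'userlist_deny=NO' \
    'userlist_file=/etc/vsftpd.user_list' \
    'chroot_local_user=YES' > "$SAMPLE_DIR/hardened.conf"

echo "weak.conf:";     audit_vsftpd "$SAMPLE_DIR/weak.conf"
echo "hardened.conf:"; audit_vsftpd "$SAMPLE_DIR/hardened.conf"
```

With userlist_enable=YES and userlist_deny=NO, vsftpd refuses any login name that is not in the user list.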
ghulam yaseen
Naik
Posts: 68
Joined: Thu Aug 07, 2008 6:09 pm
Location: karachi

regarding allow only one host and reject all

Post by ghulam yaseen »

It is also possible that we restrict all others except one user

vsftpd:IP_address: Allow
vsftpd:ALL:Deny

lambda wrote:once again, it should be clear that he changed his mind. he said he wanted everyone to use ftp.
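
Added example (not part of any post in this thread): a simplified shell evaluator for the "first match wins" rule order discussed above, run over the three rule sets that appear in the thread. It assumes a closing catch-all deny rule at the end of the file, and 203.0.113.9 is a constructed outside client. It handles only ALL, exact names or addresses, comma lists and trailing-dot prefixes.

```shell
#!/bin/sh
# Added example: simplified first-match-wins evaluation of hosts.allow-style rules.
# Handles only ALL, exact names/addresses, comma lists and "192.168.1." prefixes.

# match_list LIST ITEM: succeed if ITEM matches any pattern in the comma list
match_list() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case "$pat" in
            ALL) return 0 ;;
            *.)  case "$2" in "$pat"*) return 0 ;; esac ;;
            *)   [ "$pat" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# decide RULES DAEMON CLIENT: print the action of the first matching rule
decide() {
    while IFS=: read -r daemons clients action; do
        case "$daemons" in ''|'#'*) continue ;; esac   # blank line or comment
        daemons=$(printf '%s' "$daemons" | tr -d ' \t')
        clients=$(printf '%s' "$clients" | tr -d ' \t')
        action=$(printf '%s' "$action" | tr -d ' \t')
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            echo "$action"
            return 0
        fi
    done <<EOF
$1
EOF
    echo nomatch
}

# Constructed rule sets; CATCH_ALL is an assumed closing deny rule.
CATCH_ALL='ALL : ALL : deny'
SSH_ONLY="sshd : 192.168.1.6,192.168.1.7 : allow
sshd : ALL : deny
$CATCH_ALL"
FTP_OPEN="vsftpd : localhost : allow
vsftpd : ALL : allow
$CATCH_ALL"
FTP_ONE_HOST="vsftpd : 192.168.1.6 : allow
vsftpd : ALL : deny"

for client in 192.168.1.6 203.0.113.9; do
    echo "ssh-only  vsftpd $client -> $(decide "$SSH_ONLY" vsftpd "$client")"
    echo "ftp-open  vsftpd $client -> $(decide "$FTP_OPEN" vsftpd "$client")"
    echo "one-host  vsftpd $client -> $(decide "$FTP_ONE_HOST" vsftpd "$client")"
done
```

With only the sshd rules in place, every vsftpd connection falls through to the catch-all, which is why FTP stopped; in the open set the localhost line never changes an outcome because the ALL line below it already matches.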