Hello all.
Is there a way to block specific users from my vsftp server?
Sometimes I find users uploading stuff that is outside the agreement, and I want to be able to DISCONNECT them as they are trying to.
I tried blocking them in the firewall by adding a DROP rule to the specific IP, but the transfer stayed up.
proftpd had nice features to view connected users and drop them at will. But as far as I can see vsftp hasn't got those. :(
Anyone with a nice clue?
--
/Rikard
------------------------------------------------------------------------------------
Rikard Johnels
email : rjhn@linux.nu
Web   : http://www.rikjoh.com
Mob   : +46 70 464 99 39
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >

* Rikard Johnels (rjhn@linux.nu) [030531 15:02]:
> Is there a way to block specific users from my vsftp server?
If they aren't anonymous users then sure, see the chroot_list_enable section of vsftpd.conf(5). If they are anonymous then there's not a whole lot you can do.
> Sometimes I find users uploading stuff that is outside the agreement, and I want to be able to DISCONNECT them as they are trying to. I tried blocking them in the firewall by adding a DROP rule to the specific IP, but the transfer stayed up.
Perhaps you blocked the control connection and not the data connection?
> proftpd had nice features to view connected users and drop them at will. But as far as I can see vsftp hasn't got those. :(
No, it doesn't. Lack of feature creep is one of the reasons vsftpd doesn't have the miserable security history that proftpd has. It's a pretty straightforward shell script to write a utility like that, especially if these are not anonymous users.
--
-ckm

On Sunday 01 June 2003 03.48, Christopher Mahmood wrote:
> * Rikard Johnels (rjhn@linux.nu) [030531 15:02]:
> > Is there a way to block specific users from my vsftp server?
> If they aren't anonymous users then sure, see the chroot_list_enable section of vsftpd.conf(5). If they are anonymous then there's not a whole lot you can do.
> > Sometimes I find users uploading stuff that is outside the agreement, and I want to be able to DISCONNECT them as they are trying to. I tried blocking them in the firewall by adding a DROP rule to the specific IP, but the transfer stayed up.
> Perhaps you blocked the control connection and not the data connection?
> > proftpd had nice features to view connected users and drop them at will. But as far as I can see vsftp hasn't got those. :(
> No, it doesn't. Lack of feature creep is one of the reasons vsftpd doesn't have the miserable security history that proftpd has. It's a pretty straightforward shell script to write a utility like that, especially if these are not anonymous users.
> --
> -ckm

I think I was a bit unclear in my question. I want to be able to "kill" a user as he/she is uploading.
I used the line:
    iptables -A INPUT -s xxx.xxx.xxx.xxx -d 0/0 --proto all -j DROP
to drop the connection, but it failed to kill the transfer.
As for the shell script to list connected users... (anonymous as well as users) How do I go about that? I am NOT a very good programmer.. In fact, I almost can't write code at all...
I would want a script (e.g. "ftp_drop") that would disconnect a specified user/IP from the ftp session. Also an "ftpwho" that lists the user and up/download status... Is this feasible at all? What "language" shall I use? Bash? Perl? Where can I find info on how to do that? (May not know how to write scripts like that, but eager to learn)
--
/Rikard

On Monday 02 June 2003 23.33, Rikard Johnels wrote:
> I used the line: iptables -A INPUT -s xxx.xxx.xxx.xxx -d 0/0 --proto all -j DROP to drop the connection, but it failed to kill the transfer.
Hardly surprising. Try using -I instead of -A. If you're running the SuSEfirewall2, the packets will be in the input_ext chain long before your rule is hit if you use -A.

On Monday 02 June 2003 23.36, Anders Johansson wrote:
> On Monday 02 June 2003 23.33, Rikard Johnels wrote:
> > I used the line: iptables -A INPUT -s xxx.xxx.xxx.xxx -d 0/0 --proto all -j DROP to drop the connection, but it failed to kill the transfer.
> Hardly surprising. Try using -I instead of -A. If you're running the SuSEfirewall2, the packets will be in the input_ext chain long before your rule is hit if you use -A.

I don't use SuSEFirewall. It's a "cheat" I received from a friend. Not many rules in it. Basic NAT and two redirects only...
    modprobe iptable_nat
    modprobe ipt_MASQUERADE
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 21 -j DNAT --to-destination xxx.xxx.xxx.xxx:21
    iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
I know it ain't the best one... I run the firewall on an Alpha, so the SuSEFirewall2 isn't (or wasn't) available when I set it up. I am in the process of evaluating the 8.1 for AXP at the moment to see if it is usable on my Alphastation... I have been suggested a BSD wall, but I'd rather stay with SuSE if I can..
--
/Rikard

* Rikard Johnels (rjhn@linux.nu) [030602 14:33]:
> As for the shell script to list connected users... (anonymous as well as users) How do I go about that? I am NOT a very good programmer.. In fact, I almost can't write code at all...
> I would want a script (e.g. "ftp_drop") that would disconnect a specified user/IP from the ftp session.
This should get you started, adding the kill-by-ip is left as an exercise to the reader (see netstat(8)):
--
#!/bin/bash
# Kill the vsftpd session process(es) of every user named on the command line.
export PATH="/bin:/usr/bin:/sbin:/usr/sbin"
export LANG="en_US"

if [ -z "$*" ]; then
    echo "usage: $(basename "$0") user_1 user_2 ... user_n"; exit 1
fi

for user in "$@"; do
    # [v]sftpd keeps the egrep itself out of the match; the regex has to be
    # quoted or the shell expands ".*" as a glob, and the space after the
    # user name stops "alice" from also matching "alice2".
    ps aux | egrep "^${user} .*[v]sftpd" | awk '{print $2}' | \
    while read pid; do
        # run kill as the user, not root, to limit damage if the pid was recycled
        su "$user" -c "kill ${pid}" && echo "killed $user"
    done
done
--
Some explanation. Finding the pid and then killing it is a little risky since there's a chance that the user could have closed the connection and the kernel already recycled the pid to another process. Having kill run as the user instead of root minimizes the damage that might be done in this very improbable but possible case--at worst the user really will have a new process with the same pid and you kill that accidentally.
--
-ckm

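The kill-by-IP "exercise for the reader" above, as an added example that is neither Christopher's script nor part of vsftpd: an ftpwho/ftp_drop pair that joins ps output (pid to login user) with netstat -tnp output (pid to remote address) so a session can be dropped by remote IP. It assumes that vsftpd's per-session process runs as the logged-in user and is the process netstat -p reports for the port-21 control connection; the ps and netstat text it runs on here is constructed sample data, not captured from a real host.

```shell
#!/bin/bash
# Added example, not code from the thread: "ftpwho"/"ftp_drop" for vsftpd. Joins
# `ps` (pid -> login user) with `netstat -tnp` (pid -> remote IP of the control
# connection) so a session can be dropped by IP. Assumes vsftpd's per-session
# process runs as the logged-in user and owns the port-21 socket (netstat(8)).

# stdin: `ps -eo pid,user,comm`. Prints "<pid> <user>" for non-root vsftpd
# processes (root-owned ones are the listener and privileged helpers).
vsftpd_sessions() { awk '$3 == "vsftpd" && $2 != "root" { print $1, $2 }'; }

# stdin: `netstat -tnp`. Prints "<pid> <remote_ip>" for ESTABLISHED connections
# to local port 21 owned by vsftpd, with the remote port stripped.
vsftpd_peers() {
    awk '$6 == "ESTABLISHED" && $4 ~ /:21$/ && $7 ~ /\/vsftpd$/ {
             split($7, p, "/"); ip = $5; sub(/:[0-9]+$/, "", ip); print p[1], ip }'
}

# ftpwho: join both views on pid -> "<pid> <user> <ip>", one line per session.
ftpwho() {  # $1 = ps text, $2 = netstat text
    { printf '%s\n' "$1" | vsftpd_sessions | sed 's/^/S /'
      printf '%s\n' "$2" | vsftpd_peers | sed 's/^/P /'; } |
    awk '$1 == "S" { user[$2] = $3 }  $1 == "P" && ($2 in user) { print $2, user[$2], $3 }'
}

# ftp_drop: end the session(s) from one remote IP. DRY_RUN=1 only reports.
ftp_drop() {  # $1 = remote ip, $2 = ps text, $3 = netstat text
    local pid user ip
    ftpwho "$2" "$3" | while read -r pid user ip; do
        [ "$ip" = "$1" ] || continue
        if [ -n "$DRY_RUN" ]; then echo "would kill pid $pid ($user@$ip)"; continue; fi
        # kill as the session's own user (the thread's advice) so a recycled pid
        # cannot hit a root process; -s supplies a shell for /bin/false accounts
        su "$user" -s /bin/sh -c "kill $pid" && echo "killed pid $pid ($user@$ip)"
    done
}

# Constructed sample output (not captured from a real host) to run this offline.
SAMPLE_PS='  PID USER     COMMAND
  812 root     vsftpd
 4411 alice    vsftpd
 4521 bob      vsftpd
 4600 bob      bash'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address     State       PID/Program name
tcp        0      0 192.0.2.10:21   198.51.100.7:50231  ESTABLISHED 4411/vsftpd
tcp        0      0 192.0.2.10:21   203.0.113.9:41001   ESTABLISHED 4521/vsftpd
tcp        0      0 192.0.2.10:22   203.0.113.9:41002   ESTABLISHED 4600/sshd
tcp        0      0 0.0.0.0:21      0.0.0.0:*           LISTEN      812/vsftpd'

ftpwho "$SAMPLE_PS" "$SAMPLE_NETSTAT"                          # list sessions
DRY_RUN=1 ftp_drop 203.0.113.9 "$SAMPLE_PS" "$SAMPLE_NETSTAT"  # report only
```

Against a live server run it as root with `ftpwho "$(ps -eo pid,user,comm)" "$(netstat -tnp)"`; without DRY_RUN, ftp_drop sends the kill through su as the session's user, the same precaution Christopher's script takes.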
On Sun, Jun 01, 2003 at 12:01:52AM +0200, Rikard Johnels wrote:
> Hello all. Is there a way to block specific users from my vsftp server? Sometimes I find users uploading stuff that is outside the agreement, and I want to be able to DISCONNECT them as they are trying to. I tried blocking them in the firewall by adding a DROP rule to the specific IP, but the transfer stayed up. proftpd had nice features to view connected users and drop them at will. But as far as I can see vsftp hasn't got those. :( Anyone with a nice clue?
> --
> /Rikard

Use TCP wrappers... in hosts.deny:
    vsftpd : ALL
and in hosts.allow:
    vsftpd : xxxx.xxxx.xxxx.xxxx
(the IP you want to allow).
--
rsweet@garagenetworks.net
"there's no love in fear."
