-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello all. Is there a way to block specific users from my vsftp server? Sometimes I find users uploading stuff that is outside the agreement, and I want to be able to DISCONNECT them as they are trying to. I tried blocking them in the firewall by adding a DROP rule to the specific IP, but the transfer stayed up. proftpd had nice features to view connected users and drop them at will. But as far as I can see vsftp hasn't got those. :( Anyone with a nice clue?
--
/Rikard
------------------------------------------------------------------------------------
Rikard Johnels   email : rjhn@linux.nu   Web : http://www.rikjoh.com   Mob : +46 70 464 99 39
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
* Rikard Johnels (rjhn@linux.nu) [030531 15:02]:
> Is there a way to block specific users from my vsftp server?
If they aren't anonymous users then sure, see the chroot_list_enable section of vsftpd.conf(5). If they are anonymous then there's not a whole lot you can do.
> Sometimes I find users uploading stuff that is outside the agreement, and I want to be able to DISCONNECT them as they are trying to. I tried blocking them in the firewall by adding a DROP rule to the specific IP, but the transfer stayed up.
Perhaps you blocked the control connection and not the data connection?
> proftpd had nice features to view connected users and drop them at will. But as far as I can see vsftp hasn't got those. :(
No, it doesn't. Lack of feature creep is one of the reasons vsftpd doesn't have the miserable security history that proftpd has. It's a pretty straightforward shell script to write a utility like that, especially if these are not anonymous users.
On Sunday 01 June 2003 03.48, Christopher Mahmood wrote:
> * Rikard Johnels (rjhn@linux.nu) [030531 15:02]:
> > Is there a way to block specific users from my vsftp server?
> If they aren't anonymous users then sure, see the chroot_list_enable section of vsftpd.conf(5). If they are anonymous then there's not a whole lot you can do.
> > Sometimes I find users uploading stuff that is outside the agreement, and I want to be able to DISCONNECT them as they are trying to. I tried blocking them in the firewall by adding a DROP rule to the specific IP, but the transfer stayed up.
> Perhaps you blocked the control connection and not the data connection?
> > proftpd had nice features to view connected users and drop them at will. But as far as I can see vsftp hasn't got those. :(
> No, it doesn't. Lack of feature creep is one of the reasons vsftpd doesn't have the miserable security history that proftpd has. It's a pretty straightforward shell script to write a utility like that, especially if these are not anonymous users.
> --
> -ckm
I think I was a bit unclear in my question. I want to be able to "kill" a user as he/she is uploading.
I used the line: iptables -A INPUT -s xxx.xxx.xxx.xxx -d 0/0 --proto all -j DROP to drop the connection, but it failed to kill the transfer.
As for the shell script to list connected users (anonymous as well as users): how do I go about that? I am NOT a very good programmer. In fact, I almost can't write code at all... (
I would want a script (e.g. "ftp_drop") that would disconnect a specified user/IP from the ftp session. Also an "ftpwho" that lists the user and up/download status... Is this feasible at all? What "language" shall I use? Bash? Perl? Where can I find info on how to do that? (I may not know how to write scripts like that, but I am eager to learn.)
--
/Rikard
On Monday 02 June 2003 23.33, Rikard Johnels wrote:
> I used the line: iptables -A INPUT -s xxx.xxx.xxx.xxx -d 0/0 --proto all -j DROP to drop the connection, but it failed to kill the transfer.
Hardly surprising. Try using -I instead of -A. If you're running the SuSEfirewall2, the packets will be in the input_ext chain long before your rule is hit if you use -A.
On Monday 02 June 2003 23.36, Anders Johansson wrote:
> On Monday 02 June 2003 23.33, Rikard Johnels wrote:
> > I used the line: iptables -A INPUT -s xxx.xxx.xxx.xxx -d 0/0 --proto all -j DROP to drop the connection, but it failed to kill the transfer.
> Hardly surprising. Try using -I instead of -A. If you're running the SuSEfirewall2, the packets will be in the input_ext chain long before your rule is hit if you use -A.
I don't use SuSEFirewall. It's a "cheat" I received from a friend. Not many rules in it. Basic NAT and two redirects only...
modprobe iptable_nat
modprobe ipt_MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 21 -j DNAT --to-destination xxx.xxx.xxx.xxx:21
iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
I know it ain't the best one... I run the firewall on an Alpha, so the SuSEFirewall2 isn't (or wasn't) available when I set it up.
I am in the process of evaluating the 8.1 for AXP at the moment to see if it is usable on my Alphastation... I have been suggested a BSD wall, but I'd rather stay with SuSE if I can.
--
/Rikard
* Rikard Johnels (rjhn@linux.nu) [030602 14:33]:
> As for the shell script to list connected users (anonymous as well as users): how do I go about that? I am NOT a very good programmer. In fact, I almost can't write code at all... (
> I would want a script (e.g. "ftp_drop") that would disconnect a specified user/IP from the ftp session.
This should get you started, adding the kill-by-ip is left as an exercise to the reader (see netstat(8)):
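An added example (not part of the thread, and not ckm's script, which did not survive in the archive) of the two helpers Rikard asked for, written in POSIX sh. It assumes vsftpd runs with setproctitle_enable=YES in vsftpd.conf, so that each session process shows up in ps with a title of the form "vsftpd: <client-ip>: <user>: <state>" (just "vsftpd: <client-ip>: connected" before login); that exact title layout is an assumption, so compare it against `ps -eo pid,args` on your own box before relying on it. The process listing embedded in the block is constructed sample data. Killing the session process instead of adding firewall rules ends the control and the data connection together, which is the gap the iptables DROP left open; note also that the NAT ruleset quoted above forwards port 21 to another host, so on that firewall the FTP packets pass through the FORWARD chain and never reach INPUT.

```shell
#!/bin/sh
# ftpwho / ftp_drop for vsftpd (added example, not from the thread).
# Assumes setproctitle_enable=YES in vsftpd.conf, so every session process
# is titled "vsftpd: <client-ip>: <user>: <state>" (or "vsftpd: <ip>: connected"
# before login). Verify the exact title on your system with: ps -eo pid,args

# Constructed sample of `ps -eo pid,args` output, used so the helpers can be
# exercised offline. A real run pipes the live ps output in instead.
SAMPLE_PS='  PID COMMAND
  812 /usr/sbin/vsftpd /etc/vsftpd.conf
 1501 vsftpd: 192.0.2.10: connected
 1502 vsftpd: 192.0.2.10: alice: STOR
 1610 vsftpd: 198.51.100.7: ftp: IDLE
 1700 sshd: root@pts/0'

# ftpwho: read `ps -eo pid,args` on stdin, print "PID CLIENT-IP USER STATE"
# for each vsftpd session. The listener (argv[0] is a path, not "vsftpd:")
# and every non-vsftpd process are skipped.
ftpwho() {
    awk '$2 == "vsftpd:" {
        pid = $1
        ip = $3; sub(/:$/, "", ip)
        if (NF >= 5) {
            user = $4; sub(/:$/, "", user)
            state = $5
            for (i = 6; i <= NF; i++) state = state " " $i
        } else {
            user = "-"          # session has not logged in yet
            state = $4
        }
        print pid, ip, user, state
    }'
}

# session_pids IP: PIDs of the session processes serving one client address.
session_pids() {
    ftpwho | awk -v ip="$1" '$2 == ip { print $1 }'
}

# ftp_drop IP: SIGTERM every session process for that client. The session
# process owns both the control socket and the data socket, so the upload or
# download in progress dies with it. Set KILL_CMD=echo for a dry run.
ftp_drop() {
    pids=$(session_pids "$1")
    if [ -z "$pids" ]; then
        echo "ftp_drop: no vsftpd session from $1" >&2
        return 1
    fi
    # $pids is deliberately unquoted: one argument per PID.
    ${KILL_CMD:-kill} -TERM $pids
}

# Demonstration on the constructed sample (dry run, nothing is killed):
#   printf '%s\n' "$SAMPLE_PS" | ftpwho
#   printf '%s\n' "$SAMPLE_PS" | KILL_CMD=echo ftp_drop 192.0.2.10
```

In use it is `ps -eo pid,args | ftpwho` for the listing and `ps -eo pid,args | ftp_drop 192.0.2.10` to disconnect a client; inserting a DROP rule with -I afterwards (as Anders suggests) or listing the address in hosts.deny keeps the client from simply reconnecting.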
On Sun, Jun 01, 2003 at 12:01:52AM +0200, Rikard Johnels wrote:
> Hello all. Is there a way to block specific users from my vsftp server? Sometimes I find users uploading stuff that is outside the agreement, and I want to be able to DISCONNECT them as they are trying to. I tried blocking them in the firewall by adding a DROP rule to the specific IP, but the transfer stayed up. proftpd had nice features to view connected users and drop them at will. But as far as I can see vsftp hasn't got those. :( Anyone with a nice clue?
> /Rikard
Use TCP wrappers... In hosts.deny:
vsftpd : ALL
and in hosts.allow:
vsftpd : xxxx.xxxx.xxxx.xxxx
(the IP you want to allow).