Limit access to FTP via IP

I'm trying to restrict access to my pure-ftp server from all IP addresses with the exception of a couple of IPs. I'm running FreeBSD 7.2 and I've tried editing the hosts.allow file with the following:

Code:
# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
ftpd : ALL : deny
#ftpd : ALL : allow
ftpd : xx.xx.xx.101 : allow

The IP listed as xx.xx.xx.101 is one of the IPs that I want to be able to access the FTP server.

Any suggestions?
 
Is pure-ftp even tcpwrapper-aware, or are you running it from inetd -w? Does anything happen when you play with these rules?
 
Sorry about the post, I thought it was more appropriate in the Firewall forum.

Everything was commented out in /etc/inetd.conf previously so I'm not sure if it's tcp-wrapper aware. How can I tell? I'm fairly new at this admin stuff and I appreciate the help.
 
Find the pure-ftp binary (probably in /usr/local/bin or /usr/local/sbin), and run ldd on it. Something like ldd /usr/local/bin/pureftpd | grep wrap. If you get 'libwrap' it's compiled with tcpwrapper support. If not, using /etc/hosts.allow has no point when you run proftpd in daemon (standalone) mode. You'll either have to recompile it with tcpwrapper support, or run it from inetd (itself started with the -w flag).

Or use a firewall, of course, which is probably better anyway.
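
Added example (not part of the thread): once the daemon does consult tcpwrappers, hosts.allow rules are checked top to bottom and the first match decides. This simplified Python model, not libwrap itself, evaluates the rules posted in the question, using 192.0.2.101 as a constructed stand-in for xx.xx.xx.101, next to a reordered version.

```python
# Simplified model of first-match evaluation for hosts.allow rules written in
# the "daemon : client : allow|deny" form. Assumes exactly three fields per
# rule (no IPv6, no extra options). Illustration only, not libwrap.

POSTED_RULES = """\
ftpd : localhost : allow
ftpd : ALL : deny
ftpd : 192.0.2.101 : allow   # constructed stand-in for xx.xx.xx.101
"""

REORDERED_RULES = """\
ftpd : localhost : allow
ftpd : 192.0.2.101 : allow
ftpd : ALL : deny
"""

def parse_rules(text):
    """Return [(daemons, clients, action)] for each non-comment rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients, action = [f.strip() for f in line.split(":")]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split(),
                      action.lower()))
    return rules

def client_matches(pattern, ip, hostname):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # domain suffix, e.g. .example.com
        return hostname.endswith(pattern)
    if pattern.endswith("."):        # network prefix, e.g. 192.0.2.
        return ip.startswith(pattern)
    return pattern in (ip, hostname)

def decide(rules, daemon, ip, hostname=""):
    """Return (action, rule_index) of the first match; allow if none match."""
    for i, (daemons, clients, action) in enumerate(rules):
        if "ALL" not in daemons and daemon not in daemons:
            continue                 # rule is keyed to a different daemon name
        if any(client_matches(p, ip, hostname) for p in clients):
            return action, i
    return "allow", None

if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("reordered", REORDERED_RULES)):
        print(name, decide(parse_rules(text), "ftpd", "192.0.2.101"))
```

With the posted order the `ALL : deny` line matches first, so the later allow line for the single address is never reached; a rule keyed to `ftpd` also does nothing for a daemon that registers under another name.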
 