Securing Proftpd

[andrewlondon]

Since i restricted access to ssh to my ip addresses i've now started to get someone try and login via proftpd. Because of this i'm now trying to secure this a bit.

For the moment i'm going to restrict access to my server to a few of the ip's i use at work and home. I was also wondering if users are jailed to a specific directory by default on a plesk vps or if i will have to do it manually?

If i do both these things what else can i do to protect myself?

Thanks

[Vin DSL]

Well, if I'm reading your intentions correctly, I do something similar using my root .htaccess file...

Since I don't know EXACTLY what you're asking, I'll simply show you the rule I use:

Code:

# Protect files from direct execution by anybody but myself.
<FilesMatch "(auth|admin|banners|config|footer|header|mainfile)\.php$">
  Order Deny,Allow
  Deny from all
  Allow from 123.45.0.0/16
</FilesMatch>

This keeps anyone but me from executing certain files on 'my' server. The IP range I allow is basically anything at my ISP, since I have a dynamic IP through them.

Anyway, you would have to custom taylor this to your own situation, but it works for me!

[Vin DSL]

Maybe this will help, since you're on VPS...

Source: http://www.proftpd.org/docs/configs/anonymous.conf

Code:

  # Deny access from *.evil.net and *.otherevil.net, but allow
  # all others.
  <Limit LOGIN>
    Order			deny,allow
    Deny 			from .evil.net, .otherevil.net
    Allow			from all
  </Limit>

Perhaps something like...

Code:

  # Deny access from all, but allow from yourself.
  <Limit LOGIN>
    Order			deny,allow
    Deny 			from all
    Allow			from 123.45.0.0/16
  </Limit>

[andrewlondon]

Code:

  # Deny access from all, but allow from yourself.
  <Limit LOGIN>
    Order			deny,allow
    Deny 			from all
    Allow			from 123.45.0.0/16
  </Limit>

I added something similar, well i added exactly that to my proftpd.conf file and it blocked all connections to ftp?

[Vin DSL]

Sorry! I'm just throwing out ideas, for the sake of conversation. I don't have VPS, so there's no way for me to independently test the results...

Um.. you're using your IP range, right, not 123.45...

[andrewlondon]

Sorry! I'm just throwing out ideas, for the sake of conversation. I don't have VPS, so there's no way for me to independently test the results...

Um.. you're using your IP range, right, not 123.45...

I was using specific IP's. Will it not work like that?

[Vin DSL]

I was using specific IP's. Will it not work like that?

Yep, it should... I just use a b-block to keep things simple!

[andrewlondon]

I just use a b-block to keep things simple!

You'll have to explain yourself sir. I have no idea what a b-block is..

[Vin DSL]

Sorry!

A slash 16... Class B block...

[Vin DSL]

Maybe that didn't make sense either...

123.45.0.0/16 would mean 123.45.0.0 - 123.45.255.255 would be allowed.

123.45.0.0/16 (123.45.0.0 'slash 16') = Class B block

123.45.0.0 - 123.45.255.255 = Class B block

Make sense now?

[Vin DSL]

I did that off the top of my head, and I was worried I had the range wrong...

So, I found a nice little online cider calc:

http://grox.net/utils/whatmask/


Here are the results...

Code:

------------------------------------------------
           TCP/IP NETWORK INFORMATION
------------------------------------------------
IP Entered = ..................: 123.45.0.0
CIDR = ........................: /16
Netmask = .....................: 255.255.0.0
Wildcard Bits = ...............: 0.0.255.255
------------------------------------------------
Network Address = .............: 123.45.0.0
Broadcast Address = ...........: 123.45.255.255
Usable IP Addresses = .........: 65534
First Usable IP Address = .....: 123.45.0.1
Last Usable IP Address = ......: 123.45.255.254

[jason]

Vin is giving you Apache configuration rules that can be used to limit access via http. Since you are asking about limiting ftp connections, you'll need to find documentation on proftpd. I'm sure that proftpd has similar capabilities, but Apache access rules aren't going to work.

This page might help you out. It looks like Pro's directives are similar to Apache's, but a little different: http://www.proftpd.org/docs/directiv...d/by-name.html

--Jason

[Vin DSL]

Vin is giving you Apache configuration rules that can be used to limit access via http... I'm sure that proftpd has similar capabilities, but Apache access rules aren't going to work...

The .htaccess rule, that was shown, was to exemplify the concept. The second set of rules WAS taken directly from the ProFTPd web site -- but it did NOT differ much from the .htaccess example IMHO, e.g. same concept.

Sorry for not including a source link, but I figured he would drill down from the page I provided. Heh! Never assume...

Wait a minute... I did provide a link!

[jason]

Wait a minute... I did provide a link!

And I somehow skimmed over your second post without reading it...oh well...

--Jason

[Ron]

That's easy to do...