https://community.hpe.com/t5/operating-system-linux/need-small-help-on-ftp-access/m-p/3843720#M24700 Shalom Girish,<BR /><BR />If the user always has the same host name you can deny access based on ip address with iptables, only on ports 20 and 21.<BR /><BR />You control this with vsftpd.conf<BR /><BR /><A href="http://vsftpd.beasts.org/vsftpd_conf.html" target="_blank">http://vsftpd.beasts.org/vsftpd_conf.html</A><BR /><A href="http://elibrary.fultus.com/technical/topic/com.fultus.redhat.elinux4/manuals/rhel-rg-en-4/s2-ftp-vsftpd-conf.html" target="_blank">http://elibrary.fultus.com/technical/topic/com.fultus.redhat.elinux4/manuals/rhel-rg-en-4/s2-ftp-vsftpd-conf.html</A><BR /><BR />SEP Tue, 15 Aug 2006 12:23:41 GMT Steven E. Protter 2006-08-15T12:23:41Z https://community.hpe.com/t5/operating-system-linux/need-small-help-on-ftp-access/m-p/3843719#M24699 Hi, <BR /><BR />I have vsftp server installed on SUSE Linux 9.0 OS. <BR /><BR />I need to deny ftpuser (its a user account) all the access services except performing ftp to the server.<BR /><BR />Please scrap in with the solutions.<BR /><BR />Thanks in advance.<BR /><BR />Girish<BR /><BR /><BR /><BR /> Tue, 15 Aug 2006 11:04:14 GMT https://community.hpe.com/t5/operating-system-linux/need-small-help-on-ftp-access/m-p/3843719#M24699 girishb 2006-08-15T11:04:14Z https://community.hpe.com/t5/operating-system-linux/need-small-help-on-ftp-access/m-p/3843720#M24700 Shalom Girish,<BR /><BR />If the user always has the same host name you can deny access based on ip address with iptables, only on ports 20 and 21.<BR /><BR />You control this with vsftpd.conf<BR /><BR /><A href="http://vsftpd.beasts.org/vsftpd_conf.html" target="_blank">http://vsftpd.beasts.org/vsftpd_conf.html</A><BR /><A href="http://elibrary.fultus.com/technical/topic/com.fultus.redhat.elinux4/manuals/rhel-rg-en-4/s2-ftp-vsftpd-conf.html" target="_blank">http://elibrary.fultus.com/technical/topic/com.fultus.redhat.elinux4/manuals/rhel-rg-en-4/s2-ftp-vsftpd-conf.html</A><BR /><BR />SEP Tue, 15 Aug 2006 12:23:41 GMT https://community.hpe.com/t5/operating-system-linux/need-small-help-on-ftp-access/m-p/3843720#M24700 Steven E. Protter 2006-08-15T12:23:41Z https://community.hpe.com/t5/operating-system-linux/need-small-help-on-ftp-access/m-p/3843721#M24701 Just use for that user a shell which only allows ftp. For instance, you could have in /etc/passwd:<BR />ftp:x:14:50:FTP User:/archives/arhive:/sbin/nologin<BR /><BR />Depending on your needs, you could also chroot the user in its home dir (see the man page). Please also verify if you need (or not) to add the shell you setup for that user to the file /etc/shells.<BR /><BR />A secondary line of securing is tcp_wrappers (controlling access to daemons via /etc/hosts.{allow,deny}.<BR />And last but not least, iptables, as has already been suggested. However, please DO NOT use the old and incorrect way of allowing ports 20 and 21; the correct way is to allow port 21 and use the connection tracking facilities of iptables (-m state --state RELATED,ESTABLISHED) which will allow both active and passive ftp to function (unlike the port 20/21 variant). Just make sure the relevant conntrack modules are loaded.<BR /> Tue, 15 Aug 2006 19:15:58 GMT https://community.hpe.com/t5/operating-system-linux/need-small-help-on-ftp-access/m-p/3843721#M24701 Manuel Wolfshant 2006-08-15T19:15:58Z