Operating System - HP-UX
Restriction on ftp connection

SOLVED
Arturo Perez del Galleg
Frequent Advisor

Restriction on ftp connection

Hi all!
Is it possible to perform an ftp connection from host1 to host2, but only with user1?
Namely, if user2 tries to connect from host1, the connection is refused; but user2 is able to perform ftp connections from another host (host3).
TIA
Jose Mosquera
Honored Contributor

Re: Restriction on ftp connection

Hi,

If you are on 11.0 you need to define /etc/ftpd/ftpaccess; inside this file you must include the users that cannot make ftp connections. Each line in this file must contain just a user name. For detailed info:
#man ftpusers

Rgds.
Arturo Perez del Galleg
Frequent Advisor

Re: Restriction on ftp connection

I know this option, but it does not resolve my problem; I want to restrict user1 to performing ftp from a particular host (host1), and only from there to the server (host2).
TIA
Jose Mosquera
Honored Contributor

Re: Restriction on ftp connection

Hi Again,

Try with the /var/adm/inetd.sec ftp "allow|deny" service configuration.
#man inetd.sec

Rgds.
Tim Maletic
Valued Contributor

Re: Restriction on ftp connection

I still don't understand your goal. Here are some of the ways I can interpret your goal:

1) You want to make it so that user1 on host1 can ftp to host2, but not to any other host.

This sounds impossible, unless you are severely restricting user1's access to a shell.

2) You want to allow user1 on host1 to use an ftp client, but disallow any other user on host1 from using an ftp client.

Again, these are client-side ftp restrictions, which will be impossible if the user can run a shell (since they could then install their own client, etc.).

3) On host2, you want to allow user1 from host1, but disallow user2 from host1.

As Jose points out, this is accomplished via ftpusers(4).

But this method won't work if you want host2 to accept ftp connections from user2 on host3. If this is what you need, you may be in trouble. I don't see a solution to it off the top of my head, at any rate. wu-ftpd (HP-UX's standard ftp server, as of late) supports denying hosts, and it supports denying users, but I don't think it supports denying specific users of specific hosts. [Someone please correct me if I'm wrong.]

Maybe if you tell us *why* you want to do this, we can be of more assistance.

-Tim
Arturo Perez del Galleg
Frequent Advisor

Re: Restriction on ftp connection

Hi Tim & Jose Mari!
A lot of thanks!
Tim, as you say, my problem is point 3 of your exposition.
We want to create an ftp user with restrictions by machine, directory access, etc. for a specific purpose. But for this test we must enable access to our server from another host outside the "habitual network". We want no access from these external hosts with any user other than the specified one. We want to control this. We have checked ftpaccess, ftpd, ftp and other commands but...
No ideas?
TIA
Ken Hubnik_2
Honored Contributor

Re: Restriction on ftp connection

You can allow and deny ftp in /var/adm/inetd.sec file by IP address or hostname.
Tim Maletic
Valued Contributor

Re: Restriction on ftp connection

Well, if you only want one user on this external host to access your server, create an account for them, and only give that user the password.

If the problem is that your external user's username conflicts with a local user's username, then create a new one for the external user.

You're not talking about anonymous FTP, are you?

Are you worried about restricting access to your server by a mere password? (If so, consider sshd, sftp, and public key authentication.)

I still don't feel I've grasped your problem. Am I getting closer?
Arturo Perez del Galleg
Frequent Advisor

Re: Restriction on ftp connection

OK, I create the username with anonymous ftp or ftp restrictions, but the user has another account of his own (his account) and for this specific action I don't want him to use it from the mentioned host. The user has two accounts (user1 & user2) and one host (host1) but he must use only the account with restrictions (for this specific action).
I think that isn't possible.
I don't know if it's fully explained...
Thanks
David_246
Trusted Contributor

Re: Restriction on ftp connection

Just to recapitulate:

Use /var/adm/inetd.sec to deny/allow IP addresses or subnets for ftp:

ftp allow 1.2.3.4 2.3.4.45-68 host1 host2

Use /etc/ftpd/ftpaccess to set rules:
class local real,guest,anonymous *.domain 0.0.0.0
class remote real,anonymous *
class remote guest /etc/ftpd/ftp_in.allow ## Put in your IP address from host1
## Don't know if you can define class --> user1 here.

Use /etc/ftpusers to allow only these users:
user1 should not be in the file, as he is allowed to ftp!! root should be.

Use /etc/passwd to only allow ftp for this user:
user1:*:1001:401:User1 ftp acount:/ftp/ftp_in:/usr/bin/false

I think these are about the options you have. Maybe this makes it somewhat easier to see what you can and what you can't do. I confirm that an easier way to allow/deny by user/host would be preferred.

Regs David
@yourservice
Keith Buck
Respected Contributor

Re: Restriction on ftp connection

Maybe a bit off topic, but all of these restrictions are available if you configure sftp instead of ftp. You can do configuration by user and by host or a combination. (personally I prefer scp because it's easier to script)

As several of the responses indicate, you may be able to rig something using regular ftp (well, sort of). However, each of these methods fundamentally relies on IP-based authentication (claiming to be user1 from host2 is sufficient to 'prove' that you are user1 from host2). IP-based authentication is fundamentally easy to beat, so if you don't trust the other user on your network to play nicely, then all of your efforts are in vain anyway.

scp/sftp use a fundamentally more secure authentication technique in addition to being more configurable. HP-UX Secure Shell would need to be installed on host1, host2, and host3, and if you want more details on configuring these, there are lots of people on this forum who can help there too.

Hope that helps
Shannon Petry
Honored Contributor
Solution

Re: Restriction on ftp connection

This functionality is also available with tcp wrappers. It is the big brother to inetd.sec, and allows user@host rules as well as host rules.

I used to use TCP wrappers in HP-UX 10, but this was 3 years ago. Perhaps tcp wrappers has been updated for 11.x of HP-UX.

Regards,
Shannon
Microsoft. When do you want a virus today?
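As an added example (not code from the thread, from HP-UX or from the tcp wrappers package), the user@host rule Shannon describes can be written in tcp wrappers hosts.allow / hosts.deny syntax and its effect checked offline before touching a real server. The script below writes constructed sample files into a temporary directory and implements a deliberately simplified subset of the tcpd matching (exact host, exact user@host, and ALL; no wildcards, netgroups, PARANOID or option fields), using the real tcpd evaluation order: hosts.allow first, then hosts.deny, otherwise allow. It then decides the three cases from the question: user1 from host1, user2 from host1, user2 from host3. The file names, the ftpd service name and the host names are assumptions. One caveat a practitioner should keep in mind: real tcpd learns the user half of a user@host pattern from an RFC 1413 ident query to the client host, so, as Keith notes above, that half is only as trustworthy as the client machine answering it.

```shell
#!/bin/sh
# Added example: simplified emulation of tcp wrappers user@host matching.
# Not the HP-UX or tcp wrappers implementation; file names, service name
# and host names are constructed for illustration.

WRAP_DIR=$(mktemp -d)   # constructed sample config directory

# Constructed hosts.allow: user1 only from host1, user2 only from host3.
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# ftpd access by user@host (user half comes from an ident lookup in real tcpd)
ftpd : user1@host1 user2@host3
EOF

# Constructed hosts.deny: everything else for ftpd is refused.
cat > "$WRAP_DIR/hosts.deny" <<'EOF'
ftpd : ALL
EOF

# matches_list "pattern list" user host -> returns 0 if any pattern matches.
# Supported patterns: ALL, an exact host, an exact user@host.
matches_list() {
    for pat in $1; do
        case "$pat" in
            ALL) return 0 ;;
            *@*) [ "$pat" = "$2@$3" ] && return 0 ;;
            *)   [ "$pat" = "$3" ] && return 0 ;;
        esac
    done
    return 1
}

# file_matches file service user host -> returns 0 if a rule for the
# service (or ALL) in the file matches this user/host.
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
        svc=${line%%:*}
        svc=$(echo $svc)                            # unquoted: trims whitespace
        clients=${line#*:}
        [ "$svc" = "$2" ] || [ "$svc" = "ALL" ] || continue
        matches_list "$clients" "$3" "$4" && return 0
    done < "$1"
    return 1
}

# ftp_decision user host -> prints allow or deny for the ftpd service,
# in tcpd order: hosts.allow, then hosts.deny, then default allow.
ftp_decision() {
    if file_matches "$WRAP_DIR/hosts.allow" ftpd "$1" "$2"; then
        echo allow
    elif file_matches "$WRAP_DIR/hosts.deny" ftpd "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# The three cases from the question.
for try in "user1 host1" "user2 host1" "user2 host3"; do
    set -- $try
    printf '%s from %s: %s\n' "$1" "$2" "$(ftp_decision "$1" "$2")"
done
```

Client patterns in the sample file are space-separated; tcpd also accepts commas, which this emulation does not handle. The decision function is what a change review would run against a proposed rule set before deployment.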
Arturo Perez del Galleg
Frequent Advisor

Re: Restriction on ftp connection

Hi all!
Thank you very much!
The functionality Shannon mentions, the combined user@host rule, is the solution. It is not easy to implement, but...
Bye!