When a client wants to download or upload a file, list a directory, or perform any other operation, it sends a command to the server. ProFTPD can be configured to restrict which commands a client can use for a particular virtual server or directory, or when logged in anonymously. However, before you can do this, you need to have a basic understanding of which FTP commands exist and what they do. Table 40.2 lists the ones that are relevant for access control purposes.
ProFTPD allows you to define options that only apply to particular client commands or groups of commands. Typically, this is used to deny access to certain operations, such as uploading by anonymous FTP users. It is also possible to allow or deny only certain UNIX users, or only clients connecting from certain addresses.
To create a new set of per-command options, follow these steps:
1. First decide if the options should apply to commands only in a particular directory, only to clients of a virtual server, only to anonymous clients, or to all users of your FTP server. On the per-directory, virtual server, anonymous FTP, and main pages is a form titled Add per-command options for. In the FTP commands field, enter one or more commands from the list above, separated by spaces. When you hit the Create button, your browser will be taken to the page shown in Figure 40.5.

   Figure 40.5. The per-command options page.

2. Click on the Access Control icon to bring up a form for restricting who can use these commands.

3. To completely deny access to everyone, change the Access control policy field to Deny all clients. To allow access to everyone, select Allow all clients instead. This is most useful if you are editing options for commands within a directory and there is a set of options for the same commands at a higher level (such as for the virtual server or anonymous FTP) that denies access. For example, anonymous clients cannot typically use the WRITE commands, but you may want to allow it for a particular directory.

4. The Restrict access table can be used to block clients from certain IP addresses by entering a series of rules. The three radio buttons at the top control the order in which entries in the table are evaluated. If Deny then allow is selected, any client that matches a Deny row or that does not match an Allow row will be blocked. Conversely, if Allow then deny is chosen, only clients that match a Deny row and do not match an Allow row will be prevented from using the commands. This mode is also the default. The table will always have one empty row for adding a new rule, and because this is a new set of per-command options, that is all it will contain. In the empty row, select either Allow or Deny from the Action menu. Then from the Condition menu, choose one of the following to determine which clients match and thus are allowed or denied:

   - All: All clients match, no matter where they are from.
   - None: No clients match the rule.
   - IP address: Only clients from the IP address entered in the adjacent text field match.
   - Network: Only clients from the entered IP network match. The network address must be a partial IP with a trailing dot, like 192.168.1.
   - Hostname: Only clients whose IP address reverse resolves to the entered name match. You can specify an entire domain by putting a dot at the front, like .example.com.

   If you want to add more than one rule, you will need to re-enter this page after saving so that a new blank row appears. To delete a rule, select the blank option from the Action menu.

5. When you are done choosing who can use the FTP commands, hit the Save button. Then, return to the module's main page and click Apply Changes to make the restrictions active.

6. Once a set of options for a command or commands has been created, an icon for them will appear on the main page, virtual server options page, anonymous FTP page, or directory options page, depending on where you created it. You can click on this icon to bring up the same per-command options page again and use the icons and forms to make any changes that you wish. It is also possible to change the commands that the options apply to by clicking on the Configure Commands icon and selecting different entries from the FTP commands list on the form that appears. Then hit the Save button, then the Apply Changes button back on the module's main page. Alternately, you can click on Delete commands config to remove the options for these commands from the configuration entirely.
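The two evaluation orders in the Restrict access table are easy to get backwards, so here is an added example (not from the book, Webmin or ProFTPD) that models the table exactly as the step above describes it and lets you check what a given client would get. The Rule class, the constructed rule set and the client addresses are all assumptions made for the illustration.

```python
# Added illustration: evaluate a "Restrict access" table the way the page
# describes "Deny then allow" and "Allow then deny". Not ProFTPD's own code.
from dataclasses import dataclass


@dataclass
class Rule:
    action: str      # "Allow" or "Deny"  (the Action menu)
    condition: str   # "All", "None", "IP address", "Network", "Hostname"
    value: str = ""  # the adjacent text field, where the condition needs one


def matches(rule, client_ip, client_host):
    """Return True if the client matches the rule's condition."""
    if rule.condition == "All":
        return True
    if rule.condition == "None":
        return False
    if rule.condition == "IP address":
        return client_ip == rule.value
    if rule.condition == "Network":
        # Partial IP with a trailing dot, e.g. "192.168.1."; the dot is what
        # keeps "192.168.10.5" from matching "192.168.1".
        return rule.value.endswith(".") and client_ip.startswith(rule.value)
    if rule.condition == "Hostname":
        # A leading dot means the whole domain, e.g. ".example.com".
        if rule.value.startswith("."):
            return client_host is not None and client_host.endswith(rule.value)
        return client_host == rule.value
    raise ValueError("unknown condition: " + rule.condition)


def allowed(order, rules, client_ip, client_host=None):
    """'deny,allow': blocked if any Deny row matches or no Allow row matches.
    'allow,deny': blocked only if a Deny row matches and no Allow row does."""
    hit_deny = any(r.action == "Deny" and matches(r, client_ip, client_host) for r in rules)
    hit_allow = any(r.action == "Allow" and matches(r, client_ip, client_host) for r in rules)
    if order == "deny,allow":
        return not hit_deny and hit_allow
    if order == "allow,deny":
        return not (hit_deny and not hit_allow)
    raise ValueError("order must be 'deny,allow' or 'allow,deny'")


# Constructed sample table: allow an office LAN and a partner domain, deny one host.
RULES = [
    Rule("Allow", "Network", "192.168.1."),
    Rule("Allow", "Hostname", ".example.com"),
    Rule("Deny", "IP address", "192.168.1.50"),
]
```

Note that an unlisted client such as 10.0.0.5 is blocked under deny,allow but admitted under the default allow,deny, which is the practical difference between the two modes.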