40.12. Restricting Access to FTP Commands

When a client wants to download or upload a file, list a directory, or perform any other operation, it sends a command to the server. ProFTPD can be configured to restrict which commands a client can use for a particular virtual server or directory, or when logged in anonymously. However, before you can do this, you need to have a basic understanding of which FTP commands exist and what they do. Table 40.2 lists the ones that are relevant for access control purposes.

ProFTPD allows you to define options that only apply to particular client commands or groups of commands. Typically, this is used to deny access to certain operations, such as uploading by anonymous FTP users. It is also possible to allow or deny only certain UNIX users, or only clients connecting from certain addresses.

To create a new set of per-command options, follow these steps:

1.
First decide if the options should apply to commands only in a particular directory, only to clients of a virtual server, only to anonymous clients, or to all users of your FTP server. On the per-directory, virtual server, anonymous FTP, and main pages is a form titled Add per-command options for. In the FTP commands field, enter one or more commands from the list above, separated by spaces. When you hit the Create button, your browser will be taken to the page shown in Figure 40.5.

Figure 40.5. The per-command options page.


Table 40.2. FTP Commands and Their Purposes

Command      Purpose
CWD          Change to a different current working directory (like the UNIX cd command)
MKD          Create a new empty directory (like the UNIX mkdir command)
RNFR         Rename an existing file or directory (like the mv command)
DELE         Delete a file (like the rm command)
RMD          Delete a directory, which must be empty (like the rmdir command)
RETR         Download a file from the server to the client
STOR         Upload a file from the client to the server
SITE_CHMOD   Change the UNIX permissions on a file
READ         Not a command, but a shorthand for all FTP commands that deal with file reading
WRITE        Again, not a command but a shorthand for all commands that write or modify files
DIRS         Shorthand for all directory listing and movement commands
LOGIN        Not really an FTP command at all, but used to represent client connections. See Section 40.15, "Restricting Clients by IP Address", for information on how to use it
ALL          Represents all FTP commands

2.
Click on the Access Control icon to bring up a form for restricting who can use these commands.

3.
To completely deny access to everyone, change the Access control policy field to Deny all clients. To allow access to everyone, select Allow all clients instead. This is most useful if you are editing options for commands within a directory and there is a set of options for the same commands at a higher level (such as for the virtual server or anonymous FTP) that denies access. For example, anonymous clients cannot typically use the WRITE commands, but you may want to allow it for a particular directory.

4.
To only allow certain UNIX users or members of a certain group access to the commands, fill in the Only allow users and Only allow group fields. Multiple user or group names must be entered separated by spaces.

5.
Certain users and groups can be denied while allowing everyone else access to the FTP commands, by filling in the Deny users and Deny groups fields.

6.
The Restrict access table can be used to block clients from certain IP addresses by entering a series of rules. The three radio buttons at the top control the order in which entries in the table are evaluated. If Deny then allow is selected, any client that matches a Deny row or that does not match an Allow row will be blocked. Conversely, if Allow then deny is chosen, only clients that match a Deny row and do not match an Allow row will be prevented from using the commands. This mode is also the default.

The table will always have one empty row for adding a new rule, and because this is a new set of per-command options, that is all it will contain. In the empty row, select either Allow or Deny from the Action menu. Then from the Condition menu, choose one of the following to determine which clients match and thus are allowed or denied:

All          All clients match, no matter where they are from.
None         No clients match the rule.
IP address   Only clients from the IP address entered in the adjacent text field match.
Network      Only clients from the entered IP network match. The network address must be a partial IP with a trailing dot, like 192.168.1.
Hostname     Only clients whose IP address reverse resolves to the entered name match. You can specify an entire domain by putting a dot at the front, like .example.com.

If you want to add more than one rule, you will need to re-enter this page after saving so that a new blank row appears. To delete a rule, select the blank option from the Action menu.

7.
When you are done choosing who can use the FTP commands, hit the Save button. Then, return to the module's main page and click Apply Changes to make the restrictions active.

8.
Once a set of options for a command or commands has been created, an icon for them will appear on the main page, virtual server options page, anonymous FTP page, or directory options page, depending on where you created it. You can click on this icon to bring up the same per-command options page again and use the icons and forms to make any changes that you wish. It is also possible to change the commands that the options apply to by clicking on the Configure Commands icon and selecting different entries from the FTP commands list on the form that appears. Then hit the Save button, then the Apply Changes button back on the module's main page. Alternatively, you can click on Delete commands config to remove the options for these commands from the configuration entirely.
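As an added example (not code from this book, and not Webmin's or ProFTPD's own code), the following Python models how the fields on the per-command options page decide whether a client may run the restricted commands: the Access control policy, the Only allow users/groups and Deny users/groups fields, and the Restrict access table with its two evaluation orders and five condition types, exactly as the steps above describe them. The order in which the fields are combined (policy first, then the deny lists, then the only-allow lists, then the table) is an assumption of this model, since the chapter describes each field on its own; the Client records and rule tables are constructed sample data.

```python
"""Model of ProFTPD per-command access control as the Webmin page presents it.

Added example; not code from the book, Webmin or ProFTPD. How the separate
fields combine (policy, deny lists, only-allow lists, Restrict access table)
is an assumption of this model. All clients and rules below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Client:
    user: str
    groups: frozenset            # UNIX groups the user belongs to
    ip: str
    hostname: str = ""           # name the IP reverse-resolves to, "" if none


@dataclass
class Rule:
    action: str                  # "Allow" or "Deny"
    condition: str               # "All", "None", "IP address", "Network", "Hostname"
    value: str = ""              # text field next to the condition, if any


@dataclass
class CommandOptions:
    policy: str = "Default"      # "Default", "Deny all clients", "Allow all clients"
    only_users: set = field(default_factory=set)
    only_groups: set = field(default_factory=set)
    deny_users: set = field(default_factory=set)
    deny_groups: set = field(default_factory=set)
    order: str = "Allow then deny"   # the default radio button; or "Deny then allow"
    rules: list = field(default_factory=list)


def rule_matches(rule: Rule, client: Client) -> bool:
    """Does this Restrict access row match the connecting client?"""
    if rule.condition == "All":
        return True
    if rule.condition == "None":
        return False
    if rule.condition == "IP address":
        return client.ip == rule.value
    if rule.condition == "Network":
        # A partial IP with a trailing dot, like 192.168.1.; the dot is what
        # stops 192.168.1. from also matching 192.168.10.x.
        prefix = rule.value if rule.value.endswith(".") else rule.value + "."
        return client.ip.startswith(prefix)
    if rule.condition == "Hostname":
        name, pattern = client.hostname.lower(), rule.value.lower()
        if not name:
            return False         # no reverse DNS name, so no Hostname rule can match
        if pattern.startswith("."):
            return name.endswith(pattern)   # leading dot: whole domain, e.g. .example.com
        return name == pattern
    raise ValueError(f"unknown condition {rule.condition!r}")


def table_blocks(order: str, rules: list, client: Client) -> bool:
    """Apply the Restrict access table under the chosen evaluation order."""
    matched_allow = any(r.action == "Allow" and rule_matches(r, client) for r in rules)
    matched_deny = any(r.action == "Deny" and rule_matches(r, client) for r in rules)
    if order == "Deny then allow":
        # Blocked if it matches any Deny row OR matches no Allow row.
        return matched_deny or not matched_allow
    # "Allow then deny": blocked only if it matches a Deny row AND no Allow row.
    return matched_deny and not matched_allow


def command_permitted(opts: CommandOptions, client: Client) -> bool:
    """Decide whether the client may use the commands these options cover."""
    if opts.policy == "Deny all clients":
        return False
    if opts.policy == "Allow all clients":
        return True
    if client.user in opts.deny_users or client.groups & opts.deny_groups:
        return False
    if opts.only_users or opts.only_groups:
        if client.user not in opts.only_users and not (client.groups & opts.only_groups):
            return False
    if opts.rules and table_blocks(opts.order, opts.rules, client):
        return False
    return True


if __name__ == "__main__":
    # "Deny everyone except the office LAN", written once per evaluation order.
    lan_only = [Rule("Deny", "All"), Rule("Allow", "Network", "192.168.1.")]
    desk = Client("alice", frozenset({"staff"}), "192.168.1.5", "ws5.example.com")
    for order in ("Allow then deny", "Deny then allow"):
        opts = CommandOptions(order=order, rules=lan_only)
        print(f"{order}: LAN client permitted = {command_permitted(opts, desk)}")
```

Running the demo shows the point of step 6's radio buttons: the same two rows let the LAN client in under Allow then deny but block it under Deny then allow, because a Deny All row wins whenever Deny rows are evaluated first. Two practical checks follow from the model: Hostname rules depend on the reverse DNS record for the client's address, which the client's network operator controls, so prefer IP address or Network rows where you can; and after Apply Changes, read the <Limit> section ProFTPD writes for these commands (its Order, Allow and Deny directives) to confirm the evaluation order is the one you chose.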
