
doesn't work ftp in hosts.allow (deny)

Andrew65

New Pleskian
etc/proftpd.conf
ServerName "ProFTPD"
ServerType inetd
.....
---------
etc/xinetd.d/ftp_psa
service ftp
{
disable = no
socket_type = stream
protocol =tcp
instances = UNLIMITED
wait = no
user = root
server = /usr/sbin/in.proftpd
server_args = -c /etc/proftpd.conf
}
-----------------
etc/hosts.deny
sshd : ALL
ftp : ALL

------------------
etc/hosts.allow
sshd : xxx.xxx.xxx.xxx
ftp : xxx.xxx.xxx.xxx

---------------------
Restrictions for ssh access work
Restrictions for ftp access don't work
 
@Andrew65,

Please use the firewall to restrict access, this is easier and less error-prone.

By the way, do note that your hosts.deny and hosts.allow files actually result in nothing, since they are in conflict (particularly due to the hosts.deny file).

Kind regards...
 
@Andrew65,

By the way, do note that your hosts.deny and hosts.allow files actually result in nothing, since they are in conflict (particularly due to the hosts.deny file).

And what is the conflict, and what is the problem with the hosts.deny file?

var/log/secure
Jul 31 18:35:48 qqqqqqq sshd[3335]: refused connect from 125.122.56.141 (125.122.56.141)
Jul 31 10:14:39 qqqqqqq proftpd[27064]: qqqqqqq (27.198.26.247[27.198.26.247]) - USER anonymous: no such user found from 27.198.26.247 [27.198.26.247] to qqqqqqqq:21
Jul 31 11:58:38 qqqqqqq proftpd[29472]: qqqqqqq (213.141.134.100[213.141.134.100]) - USER user: Login successful
--------------------

125.122.56.141, 27.198.26.247, 213.141.134.100 are not xxx.xxx.xxx.xxx

sshd : ALL in hosts.deny - works
ftp : ALL in hosts.deny - doesn't work. Why?
 
@Andrew65,

First of all, understand the process of hosts.deny and hosts.allow:

- if allowed in hosts.allow, just allow (and no check of hosts.deny),
- if not matched in hosts.allow, check hosts.deny,
- if matched in hosts.deny, deny access,
- if not matched in hosts.deny, allow access.

A simple process and very "dangerous", since often settings are not defined properly, with the undesired result that particular forms of access are still granted.

In your case, given the above mentioned process, the following is present:

a) sshd : xxx.xxx.xxx.xxx from hosts.allow is granted access, all other are not granted access due to the ALL in hosts.deny, AND

b) misconfiguration in both hosts.deny and hosts.allow files, since proftpd is the default name to be used (and not "ftp"), AND

c) more important, the standard proftpd package, as associated with Plesk, does not contain the mod_wrap module required for using a setup that checks hosts.deny and hosts.allow.

You can certainly try to compile your own version of proftpd, with the mod_wrap module included.

The custom compilation will work in a Plesk installation, but you do not have the convenience of upgrades and micro-updates, and custom compilations can be buggy sometimes.

Furthermore, if you do want to use a custom compilation of proftpd, be aware and certain that you have to

1) declare the line "TCPAccessFiles /etc/hosts.allow /etc/hosts.deny" in /etc/proftpd.conf, AND

2) (optionally) declare a custom service name with the line "TCPServiceName ftp" ("ftp" is used as an example, it could be anything) in /etc/proftpd.conf, with the remark that the default service name is equal to "proftpd", in the case that a custom service name is not specified, AND

3) use the proper service name (being either the default or the custom service name) in both hosts.deny and hosts.allow files, AND

4) restart the proftpd server (i.e. after making all changes).

Also note that it is not wise to manually edit the original /etc/proftpd.conf file, for various reasons, amongst others that the possibility exists to add custom config files, implying that it is "good practice" to put all proftpd config customizations in separate (custom) config files, to be located in the /etc/proftpd.d/ directory.

In short, it is better to use the firewall, it has the same functionality and it is less cumbersome and less error-prone.

Kind regards....
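
As an added illustration (not part of the thread, and not Plesk or ProFTPD code), a simplified Python model of the lookup order listed in the post above, showing why rules keyed to "ftp" never match a daemon that checks under the name "proftpd". The address 192.0.2.10 is a constructed stand-in for xxx.xxx.xxx.xxx, the function names are hypothetical, and only ALL, exact addresses and trailing-dot prefixes are modelled.

```python
# Added example: simplified model of the hosts.allow / hosts.deny lookup
# order described in the post. Real hosts_access syntax has more pattern
# types (netmasks, EXCEPT, hostnames); those are not modelled here.

# Constructed sample files; 192.0.2.10 stands in for xxx.xxx.xxx.xxx.
HOSTS_ALLOW = "sshd : 192.0.2.10\nftp : 192.0.2.10\n"
HOSTS_DENY = "sshd : ALL\nftp : ALL\n"


def parse(text):
    """Return a list of (daemon_list, client_list) pairs from an access file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def matches(rules, daemon, client):
    """True if any rule names this daemon (or ALL) and covers this client."""
    for daemons, clients in rules:
        if "ALL" not in daemons and daemon not in daemons:
            continue  # the rule is keyed to a different service name
        for pat in clients:
            if pat == "ALL" or pat == client:
                return True
            if pat.endswith(".") and client.startswith(pat):
                return True
    return False


def decide(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Order from the post: hosts.allow first, then hosts.deny, else allow."""
    if matches(parse(allow), daemon, client):
        return "allow (hosts.allow)"
    if matches(parse(deny), daemon, client):
        return "deny (hosts.deny)"
    return "allow (no match)"


if __name__ == "__main__":
    for name in ("sshd", "ftp", "proftpd"):
        print(name, "203.0.113.5 ->", decide(name, "203.0.113.5"))
```

A lookup under "proftpd" falls through both files and is allowed, which is the failure mode in point b); a proftpd built without mod_wrap, as in point c), never performs the lookup at all.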
 
@Andrew65,
c) more important, the standard proftpd package, as associated with Plesk, does not contain the mod_wrap module required for using a setup that checks hosts.deny and hosts.allow.

Thanks.
I thought that as proftpd is started through xinetd, it has to use hosts.allow (deny)...
OK, I will think about using iptables.
 