Very Computer

We're running Linux and I was wondering if there is some way to configure
the FTP server so as to limit access from outside our domain.  We make
extensive use of /etc/ftpacces and /etc/ftpusers, but that's all too coarse
for my tastes... what I'd like is an explicit access list of some kind:


      ...etc...
We can/have done things like put "yourdialin.com" into our ftpaccess file,
but that has me worried about allowing EVERY other customer at that other
ISP the opportunity to try playing with our system just so that we can
allow access to the one of our customers who needs outside access...

I don't -think- you can do that with the ordinary FTP server, but I"m not
sure...

Thanks!
   /Bernie\
--
Bernie Cosell                     Fantasy Farm Fibers

    -->  Too many people, too few sheep  <--          

I don't think wu-ftpd has that functionality built in, but if your
an ambitous coder you could set it up.

What i found works well is recompiling wu-ftpd to allow anonymous
ftp access only, and leaving the original one that came with the
system installed too. Then use TCP wrappers to invoke either the
"anonymous user only" version or the "registered and anonymous user"
version depending on which site the ftp request is coming from.

---------------------------------------------------
=     Do not meddle in the affairs of dragons,    =
=    For you are crunchy, and good with mustard   =
=                                                 =    

---------------------------------------------------

[ ... ]

Quote:} What i found works well is recompiling wu-ftpd to allow anonymous
} ftp access only, and leaving the original one that came with the
} system installed too. Then use TCP wrappers to invoke either the
} "anonymous user only" version or the "registered and anonymous user"
} version depending on which site the ftp request is coming from.

I don't see exactly how this would work.  We, for example, have a user with
an AOL account who needs to FTP from AOL to his account at our site.  So
right now we have "*.aol.com" in our ftpaccess file.

I guess that what I could do with TCP wrappers is at least limit the
damage: I could set it up so that if it got a request from aol.com, it
would fork an instance of FTPD that would -only- allow access to the aol
user's local account.  That'd still let ANYONE at AOL try to pound on our
system, but it'd very much limit the damage they could do.

  /Bernie\
--
Bernie Cosell                     Fantasy Farm Fibers

    -->  Too many people, too few sheep  <--          

Look into tcp_wrappers. You won't get *exactly* what you want, but you

others aren't.' In order to make sure "jim" can't access any other
accounts on your system, enforce good passwords, (see the thread on
password aging for some hints).

You'll also have the benefit of installing a "banner" which prints when
anyone accesses your system. In it you'll be able to say something like:

     This is myhost at ISP.COM. Access to this system is restricted
     to valid account holders. All unauthorized accesses will be
     thoroughly investigated. Your connection has been logged as:

Hope that helps...

--
----------------------------------------------------------------------

Systems Manager                                   Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------

Yes, good idea.  Also strongly consider a firewall, which will provide
another barrier against traffic that can be faked that tcp_wrappers may be
unable to detect.  A good firewall will reverse-lookup an IP address and
if invalid, drop the packet.  It should also have a ruleset of IP
addressing so that DoS's don't bring it down (so that, for example, the
first octet 192 IP address test range is simply discarded as well as the
class D range).  This combination will strengthen your tcp_wrapper
authorization.  The O'Reilly book "Building Internet Firewalls" and the
SANS site (http://www.sans.org) can provide more detailed information and
may lead you towards other, valid methods.

Daniel Alex Finkelstein
New Technologies
phone   212.383.2951
pager   917.427.1630

Securities Industry Automation Corporation

On Tue, 15 Sep 1998 17:35:46 -0400, Daniel Alex Finkelstein

Aside from the other features of firewalls which you bring up,
tcp_wrappers can also be configured to refuse connections which fail
reverse DNS lookups, so for this functionality alone, a firewall may not
be necessary. (of course firewalling will offer more)

--
----------------------------------------------------------------------

Systems Manager                                   Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------