{"id":567,"date":"2021-07-23T12:33:04","date_gmt":"2021-07-23T12:33:04","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/proftpd-configuration-for-host-access-control\/"},"modified":"2021-07-23T12:33:04","modified_gmt":"2021-07-23T12:33:04","slug":"proftpd-configuration-for-host-access-control","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/proftpd-configuration-for-host-access-control\/","title":{"rendered":"ProFTPD Configuration for Host Access Control"},"content":{"rendered":"<\/p>\n
\n
<\/div>\n
\n

Overview<\/h2>\n

This document provides an example of how to configure ProFTPd to utilize the Host Access Control<\/em> feature from the command line to restrict access by IP address to FTP. The information in this document applies to systems that run cPanel & WHM in CentOS 7, CloudLinux\u2122 7, and Red Hat\u00ae Enterprise Linux\u00ae 7 and earlier.<\/p>\n

ProFTPD does not automatically reference the \/etc\/hosts.allow<\/code> or \/etc\/hosts.deny<\/code> files to restrict access to the FTP service.<\/p>\n

\n
Warning:<\/div>\n
\n

This document describes an unsupported workaround that we do not<\/strong> guarantee will work in the future.<\/p>\n

    \n
  • After you perform these steps on a server, the system administrator must<\/strong> manage and maintain the server\u2019s database software.<\/li>\n
  • We recommend that only<\/strong> experienced system administrators attempt to perform these steps.<\/li>\n
  • We are not<\/strong> responsible for any data loss that an attempt to perform these steps causes.<\/li>\n<\/ul><\/div>\n<\/div>\n

    CentOS 8, AlmaLinux 8, and CloudLinux 8 systems<\/h3>\n
    \n
    Important:<\/div>\n
    \n

    CentOS 8 removed support for the TCP Wrappers package (tcp_wrappers<\/code>). This change means that ProFTPD does not<\/strong> use TCP-Wrappers-based access controls on CentOS 8, AlmaLinux 8, and CloudLinux 8 systems. The rest of ProFTPD\u2019s functionality still works in those operating systems. ProFTPD\u2019s functionality in cPanel & WHM version 92 on CentOS 6 and 7, CloudLinux 6 and 7, and Red Hat Enterprise Linux 7 systems continues to use TCP-Wrappers-based access controls.<\/p>\n

    The unsupported workaround described in this document is not<\/strong> supported in CentOS 8 or AlmaLinux 8. Instead, use the functionality available in WHM\u2019s Host Access Control<\/em> interface.<\/p>\n

    \n
    Warning:<\/div>\n
    \n

    cPanel & WHM version 92 for CentOS 8 and CloudLinux 8 is experimental<\/strong> software and we do not<\/strong> recommend using it in production environments. For more information, read our cPanel & WHM version 92 for CentOS 8 documentation.<\/p>\n

    Upgrade to a later version of cPanel & WHM to use CentOS 8 and CloudLinux 8 in production environments.<\/p>\n<\/p><\/div>\n<\/div><\/div>\n<\/div>\n

    System Requirements:<\/h2>\n

    To configure ProFTPD, the following software must<\/strong> run on your server:<\/p>\n

      \n
    • ProFTPD version 1.3.3 and later.<\/li>\n
    • The mod_wrap<\/code> module.<\/li>\n<\/ul>\n

      As the root<\/code> user, run the following command to confirm that you have the correct version of ProFTPD and mod_wrap<\/code> installed on your server:<\/p>\n

      \n
      proftpd<\/span> -<\/span>V<\/span> | awk<\/span> '<\/span>\/<\/span>Version<\/span>\/<\/span> {print<\/span> $<\/span>0<\/span>}; \/<\/span>mod_wrap<\/span>\/<\/span> {print<\/span> \"mod_wrap is installed\"<\/span>}'<\/span><\/code><\/pre>\n<\/div>\n
      The output will resemble the following example:<\/p>\n
      \n
      \n\n\n
      \n
      1\n<\/span>2\n<\/span>3\n<\/span>4\n<\/span><\/code><\/pre>\n<\/td>\n
      		\n
      root<\/span>@<\/span>testserver<\/span> [~<\/span>]#<\/span> proftpd<\/span> -<\/span>V<\/span> | awk<\/span> '<\/span>\/<\/span>Version<\/span>\/<\/span> {print<\/span> $<\/span>0<\/span>}; \/<\/span>mod_wrap<\/span>\/<\/span> {print<\/span> \"mod_wrap is installed\"<\/span>}'<\/span>\n  Version<\/span>: 1.3.5<\/span>rc1<\/span> (devel<\/span>)\nmod_wrap<\/span> is<\/span> installed<\/span>\nroot<\/span>@<\/span>testserver<\/span> [~<\/span>]#<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n
      Create a VirtualHost container<\/h2>\n
      To configure ProFTPD, create a Virtual Host container. To do this, perform the following steps as the root<\/code> user:<\/p>\n
        \n
      1. \n
        Open the \/etc\/proftpd.conf<\/code> file with a text editor and add the following lines after the comments:\n<\/p>\n
        \n
        \n\n\n
        \n
        1\n<\/span>2\n<\/span><\/code><\/pre>\n<\/td>\n
        		\n
        TCPAccessFiles<\/span> \/<\/span>etc<\/span>\/<\/span>hosts<\/span>.allow<\/span> \/<\/span>etc<\/span>\/<\/span>hosts<\/span>.deny<\/span>\nTCPServiceName<\/span> ftp<\/span><\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n
        \n
        Warning:<\/div>\n
        \n
          \n
        • Each Virtual Host that requires Host Access Control needs this entry in the \/etc\/proftpd.conf<\/code> file.<\/li>\n
        • You must<\/strong> specify both \/etc\/hosts.allow<\/code> and \/etc\/hosts.deny<\/code> or you will receive an error.
          \n<\/li>\n<\/ul><\/div>\n<\/div>\n<\/li>\n
        • \n
          Run the \/usr\/local\/cpanel\/scripts\/restartsrv_proftpd<\/code> script to restart ProFTPD.<\/p>\n<\/li>\n
        • \n
          Add access deny rules to the \/etc\/ftpusers<\/code> file. This file lists of all of the users for whom to deny FTP access.<\/p>\n<\/li>\n
        • \n
          Log in to your FTP server to test the new configuration.<\/p>\n
          \n
          Note:<\/div>\n
          \n
          If ProFTPD rejects connections due to Host Access Control configuration, the system will report those failures as authentication failures. For example:<\/p>\n<\/p>\n
          \n
          \n\n\n
          \n
           1\n<\/span> 2\n<\/span> 3\n<\/span> 4\n<\/span> 5\n<\/span> 6\n<\/span> 7\n<\/span> 8\n<\/span> 9\n<\/span>10\n<\/span>11\n<\/span><\/code><\/pre>\n<\/td>\n
          		\n
            root<\/span>@<\/span>testserver<\/span> [~<\/span>]#<\/span> ftp<\/span> 10.1.1.1<\/span>\n  Connected<\/span> to<\/span> 10.1.1.1<\/span>.\n  220<\/span> ProFTPD<\/span> 1.3.5<\/span>rc1<\/span> Server<\/span> (ProFTPD<\/span>) [::ffff<\/span>:10.1.1.1<\/span>]\n  Name<\/span> (10.1.1.1<\/span>:root<\/span>): cptest<\/span>\n  331<\/span> Password<\/span> required<\/span> for<\/span> cptest<\/span>\n  Password<\/span>:\n  530<\/span> Access<\/span> denied<\/span>\n  ftp<\/span>: Login<\/span> failed<\/span>\n  ftp<\/span>> quit<\/span>\n  221<\/span> Goodbye<\/span>.\n  <\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div><\/div>\n<\/div>\n<\/li>\n<\/ol>\n
          VirtualHost container example<\/h2>\n
          The following example resembles a complete VirtualHost container.<\/p>\n
          \n
          \n\n\n
          \n
           1\n<\/span> 2\n<\/span> 3\n<\/span> 4\n<\/span> 5\n<\/span> 6\n<\/span> 7\n<\/span> 8\n<\/span> 9\n<\/span>10\n<\/span><\/code><\/pre>\n<\/td>\n
          		\n
          <VirtualHost<\/span> 10.1.1.1<\/span>>\n ServerName<\/span> ftp<\/span>.testserver<\/span>.tld<\/span>\n AuthUserFile<\/span> \/<\/span>etc<\/span>\/<\/span>proftpd<\/span>\/<\/span>wcraft<\/span>\n MaxClients<\/span> 3<\/span> \"Sorry, this ftp server has reached its maximum user count (%m). Please try again later\"<\/span>\n DirFakeGroup<\/span> On<\/span> ftpgroup<\/span>\n DirFakeUser<\/span> On<\/span> ftpuser<\/span>\n DefaultRoot<\/span> ~<\/span>\nTCPAccessFiles<\/span> \/<\/span>etc<\/span>\/<\/span>hosts<\/span>.allow<\/span> \/<\/span>etc<\/span>\/<\/span>hosts<\/span>.deny<\/span>\n TCPServiceName<\/span> ftp<\/span>\n[truncated<\/span>]<\/code><\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"
          Overview This document provides an example of how to configure ProFTPd to utilize the Host Access Control feature from the command line to restrict access by IP address to FTP. The information in this document applies to systems that run cPanel & WHM in CentOS 7, CloudLinux\u2122 7, and Red Hat\u00ae Enterprise Linux\u00ae 7 and …<\/p>\n","protected":false},"author":1,"featured_media":568,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/567"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=567"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/567\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/568"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}