[NTLUG:Discuss] /etc/accept and /etc/reject
Chris Cox
cjcox at acm.org
Thu Nov 7 11:26:51 CST 2002
Rick Moncello wrote:
> The question here has been how to restrict ftp access to allow only
> authorized IPs to gain access to the system.
>
> The hosts.allow is NOT the correct place for this. It will not work in
> this case, since ftp does not pay attention to it.
While it is true that ftpd probably pays no attention to it,
inetd will. As you mention below, if you are using xinetd, you
can specify tcpwrapper-like information in its config.
Tcpwrappers (tcpd) is used by inetd super-servers which do
not provide tcp-wrapper-like functionality... inetd is
such an example. Xinetd, a new super-server, provides
tcp-wrapper-like functionality built-in.
For anyone who uses inetd instead of xinetd, you will want to wrapper
your services using hosts.allow/hosts.deny. Commercial Unix
systems use inetd, though not all provide tcpwrappers (tcpd) as
a part of their installation.
For example (using the information below):
On SuSE do man 5 hosts_access for more info
The ftp daemon used below is the BSD daemon, you'll have
to replace the in.ftpd lines with the name of the
ftp daemon that you are using.
(/etc/hosts.deny)
in.ftpd: ALL
(/etc/hosts.allow)
in.ftpd: 192.168.61.1 192.168.62.2 192.168.1.3 ...etc...
Your inetd.conf file will look something like:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
(the tcpd is important, no tcpd, no tcpwrappers!)
>
> The correct solution is found in /etc/xinetd.d/wu-ftpd. Here is a
> (slightly edited for security) copy of what is in my file:
> ===============================================================================
> service ftp
> {
> log_on_success += DURATION USERID
> log_on_failure += USERID
> socket_type = stream
> user = root
> server = /usr/sbin/in.ftpd
> server_args = -l -a
> wait = no
> nice = 10
> only_from = 192.168.62.1 192.168.62.2 192.168.62.3 192.168.62.4
> 192.168.62.5 192.168.62.6 192.168.62.7 192.168.62.8 192.168.62.9
> }
> ===============================================================================
>
> There is also a file, /etc/ftpaccess, which can further restrict access
> by determining which users have permission to log in.
>
> Good Luck!
>
> Rick.
>
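The hosts.allow/hosts.deny evaluation the reply describes, as an added example that is not part of the original post or of tcp_wrappers itself: a small Python model of tcpd's decision order (allow file first, then deny file, then grant), using the post's in.ftpd lists as constructed sample files. Matching is simplified to the forms shown here (exact address, trailing-dot prefix, net/mask, ALL); EXCEPT clauses and hostname patterns are not modelled.

```python
import ipaddress

# Constructed sample files mirroring the post's example (in.ftpd is the BSD
# ftpd name used there). Blanks or commas separate list members.
HOSTS_ALLOW = "in.ftpd: 192.168.61.1 192.168.62.2 192.168.1.3\n"
HOSTS_DENY = "in.ftpd: ALL\n"


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from a hosts.allow/deny file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, ip):
    """Match one hosts_access client pattern against a dotted-quad client IP."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # prefix form: 192.168.62.
        return ip.startswith(pattern)
    if "/" in pattern:                             # net/mask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip                           # exact address


def rules_match(rules, daemon, ip):
    """True if any rule names this daemon (or ALL) and matches the client."""
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(p, ip) for p in clients)
               for daemons, clients in rules)


def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd decision order: allow file first, then deny file, else grant."""
    if rules_match(parse_rules(allow), daemon, ip):
        return True
    if rules_match(parse_rules(deny), daemon, ip):
        return False
    return True


if __name__ == "__main__":
    for client in ("192.168.62.2", "10.0.0.5"):
        print("in.ftpd", client, "->", "allow" if hosts_access("in.ftpd", client) else "deny")
    # "in.ftpd: ALL" in hosts.deny only closes ftp; other wrapped daemons fall through.
    print("in.telnetd 10.0.0.5 ->", "allow" if hosts_access("in.telnetd", "10.0.0.5") else "deny")
```

Note that the post's `in.ftpd: ALL` deny line only closes ftp; any other tcpd-wrapped service still falls through to the default grant, which is why a default-deny setup puts `ALL: ALL` in hosts.deny and lists exceptions in hosts.allow.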