
I'd like to only allow FTP access to users who connect via a specific hostname like: portal4321.vps22.hostingserver.com.

And block every request which tries to connect to the FTP in a different manner, like ones who use the server IP or vps22.hostingserver.com directly.

Is this possible in CSF? If yes, great, how do I set it up?

Thanks!

Peps

1 Answer


Yes, you can. Open /etc/csf/csf.allow in your preferred text editor. Add your rules to this file, one per line. The rules should use the following format: tcp/udp|in/out|s/d=port|s/d=ip.

In your case it can look like:

tcp|in|d=21|s=195.24.75.5
  • tcp defines the protocol we're using. MySQL uses TCP sockets.
  • in defines that this rule pertains to inbound traffic or traffic coming into your system from an external one.
  • d=21 is the port number which FTP uses by default.
  • s=195.24.75.5 is the IP address we want to allow into our system on the port and protocol specified above (corresponds to portal4321.vps22.hostingserver.com).

Save the file. Restart CSF using csf -r.

Hardoman
  • Sorry but this is not my question. – Peps Dec 16 '20 at 12:04
  • I think this is exactly what you asked for. You just need to put the right IP address of portal4321.vps22.hostingserver.com to the rule – Hardoman Dec 16 '20 at 14:31
  • Hostname portal4321.vps22.hostingserver.com would point to the (ftp) server. That means I need to open port 21 on the server. So everyone using either this hostname or the server IP will be able to connect. I only want to allow people connecting who have used that specific hostname as referrer. Hope I explained clearly and wonder if it is possible at all. – Peps Dec 16 '20 at 14:56
  • FTP protocol doesn't use referrer in headers. So you can't analyze what was used as a referrer. Also firewall doesn't analyze traffic on that level. – Hardoman Dec 16 '20 at 15:02
  • If I understood you correctly, in any case there is no other way than to connect to FTP with this hostname or right IP. Users using any other hostname or IP won't reach FTP because it just responds on this specific hostname and IP by FTP service nature. If it's not the case - limit FTP service to listen to port 21 only on 195.24.75.5, this is not a firewall setting. – Hardoman Dec 16 '20 at 15:05
  • Yeah so if I recap, there are 3 options? Either I'd need the user's IP and allow it access to port 21. Or I'd need a proxy of which I know the IP and only allow traffic through that, or attach an additional IP to the VPS and allow traffic to it only on port 21, would this sum it up? – Peps Dec 16 '20 at 15:29
  • That's correct. And to add to the last option you need to configure your FTP daemon to listen to that specific IP you selected. E.g. in vsftpd this is done with: listen_address=1.1.1.1 listen=yes – Hardoman Dec 16 '20 at 15:46
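The answer above describes the csf.allow rule format (tcp/udp|in/out|s/d=port|s/d=ip) and the comment thread concludes that such a rule keys on the client's source IP, not on the hostname the client typed. The following Python module is an added example, not code from the thread or from the CSF project: it parses and validates rule lines in exactly that format, builds an inbound allow rule for a given client IP and port, and merges it idempotently into an existing csf.allow file body. The hostname-to-IP step uses an injectable resolver (default: socket.gethostbyname) so the module can be exercised offline; the hostname and IP values are the ones from the thread, and the existing file contents in the test are constructed.

```python
"""Build, validate and merge ConfigServer Firewall (csf) allow rules.

Added example for the thread above; not part of CSF itself. It only
handles the single-rule format the answer gives:
    tcp/udp|in/out|s/d=port|s/d=ip
Optional "# comment" tails and csf's other rule variants are out of scope.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Union

# One regex per rule line; every field is captured so parse_rule can
# validate the port range and the IP/CIDR separately.
RULE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\|(?P<direction>in|out)\|"
    r"(?P<port_side>[sd])=(?P<port>\d{1,5})\|"
    r"(?P<ip_side>[sd])=(?P<ip>[^|\s]+)$"
)

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_rule(line: str) -> Dict[str, object]:
    """Parse one csf.allow rule line; raise ValueError on anything malformed."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcp/udp|in/out|s/d=port|s/d=ip rule: {line!r}")
    port = int(m["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    # ip_network accepts a bare address (treated as /32 or /128) or a CIDR.
    network: Network = ipaddress.ip_network(m["ip"], strict=False)
    return {
        "proto": m["proto"],
        "direction": m["direction"],
        "port_side": m["port_side"],
        "port": port,
        "ip_side": m["ip_side"],
        "ip": network,
    }


def build_allow_rule(client_ip: str, port: int = 21, proto: str = "tcp") -> str:
    """Return an inbound allow rule for client_ip on the given destination port.

    The rule allows by *source IP*, which is the only thing the firewall can
    see; the hostname a client used to reach the server never appears on
    the wire for FTP (see the comment thread).
    """
    ipaddress.ip_network(client_ip, strict=False)  # raises on garbage input
    rule = f"{proto}|in|d={port}|s={client_ip}"
    parse_rule(rule)  # round-trip check: the rule we emit must validate
    return rule


def allow_rule_for_hostname(
    hostname: str,
    port: int = 21,
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> str:
    """Resolve hostname to an IPv4 address and build an allow rule for it.

    `resolver` is injectable so this can be tested without DNS; the default
    is the standard-library socket.gethostbyname.
    """
    return build_allow_rule(resolver(hostname), port)


def merge_into_csf_allow(existing_text: str, new_rule: str) -> str:
    """Append new_rule to the csf.allow body unless an equivalent rule exists.

    Comments and blank lines are preserved untouched; equivalence is decided
    on the parsed fields, so "s=195.24.75.5" and "s=195.24.75.5/32" match.
    """
    wanted = parse_rule(new_rule)
    lines: List[str] = existing_text.splitlines()
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            if parse_rule(stripped) == wanted:
                return existing_text  # already present, nothing to do
        except ValueError:
            continue  # a rule shape this module does not model; leave it alone
    body = existing_text if existing_text.endswith("\n") or not existing_text else existing_text + "\n"
    return body + new_rule + "\n"


if __name__ == "__main__":
    # Stand-alone demo using the IP from the thread; no DNS needed.
    print(build_allow_rule("195.24.75.5"))
```

After generating the line, the answer's remaining steps still apply: write it into /etc/csf/csf.allow and run `csf -r` so the firewall reloads the file.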