specify interface for ftpd
Results 1 to 5 of 5

Thread: specify interface for ftpd

  1. #1
    Senior Member
    Join Date
    Jun 2004

    specify interface for ftpd


    I am currently working in an environment where we have inetd, tcpwrappers, and ftpd. Currently we have ftpd running through tcpwrappers, but it doesn't even need to be running for the outside world to see. therefore, we want to restrict ftpd so that it only will listen to localhost (some stupid application requires ftp to itself...) which leads me to my 2 questions:

    1) with tcpwrappers is it possible to give ALL: but still have it so that it does not give a certain protocol (basically an all except ftpd)

    2) Is it possible to bind ftpd so that it only listens to localhost without having to install xinetd

    Please note that this is a production environment running HPUX/Tru64 at a company who does not like open source (please don't get me started on that, i am just as grumpy about it as some of you will be just reading it)
    [gloworange]find / -name \"*your_base*\" -exec chown us:us {} \\;[/gloworange] [glowpurple]Trust No One[/glowpurple][shadow] Use Hardened Gentoo [/shadow]

  2. #2
    Join Date
    Oct 2004
    Maybe it would be easier to configure this in the firewall rules (if you have one running on the local machine) sounds like you know alot more about it than I do, I could be wrong, but at least I tried.
    I\'m Dying To Find Out The Hard Way

  3. #3
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    From what I know I dont think you can properly bind ftpd to localhost, lo. You probably will have to set up some form of ACL's.

    Besides using tcpwrappers, have you tried looking at /etc/ftphosts? The following entries might prevent ftp from accepting any connections from outside

    allow <username>
    deny <username> 0/0

    So if <username> comes in one some random IP other than, he should time out and not be able to connect.

    And about your first question. With hosts.allow and hosts.deny, once you make an entry in hosts.allow(which is read first) that matches a given protocol, for instance ALL:etc, it will let ftp through without even looking in hosts.deny for any deny entry for ftp. So it seems that if you want to single out ftpd, you can not put an ALL: statement in hosts.allow.
    The command completed successfully.

    \"They drew first blood not me.\"

  4. #4
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    I think the title is a little misleading, but I think I know what you mean.

    Well, first off, if it is production environment I hope you have some test machines!

    I am assuming here ( since I have never used that OS , but it is BSD like ) that you do not have a hosts.deny file, but have a hosts.allow file. Is that correct?

    (search for previous posts here concerning this, but in many systems both sets of rules are now included in the hosts.allow file, the hosts.deny file has been deprecated. Some still use both. )

    If the service, as you said, is just running on the local machine, wouldn't a hosts.allow file like this do it?

    ALL : localhost [::1] :allow
    ftpd : localhost : allow
    ftpd : ALL : deny
    ALL : ALL : deny

    Also, blocking anything else coming in on these ports through a firewall like c0br4 said as an added level couldn't hurt, ( I would ) but I don't know what firewall is available on that particular OS.

    Before you go running out and plugging this into your machine I would not only test it, but look to see what services are allowed through the current hosts.allow file. You might break something!

    the man pages for things like hosts_options, and even sample hosts.allow files supplied with the OS may teach you a lot.

    You can add shell commands, etc., and it can get quite complex, but I like too keep them simple, like me!

    Hope this helps.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    From what I know I dont think you can properly bind ftpd to localhost
    Sure you can. I do it all the time.

    Is it possible to bind ftpd so that it only listens to localhost without having to install xinetd
    It's very simple. Many FTPD.CONF files will allow you to specify what IP address to listen to. For instance, vsftp will allow you to bind the service to localhost with a simple edit to the vsftpd.conf file. Look at the man page for the conf file of the FTPD deamon you have. I'm sure you'll see it in there. There will be no need for wrappers, etc. when using this method. Also, when finished, do a netstat -an and you'll see something like:

    Proto Local Addy
    TCP ....... etc.

    You'll see the service bound locally.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts