
Thread: specify interface for ftpd

  1. #1
    Senior Member
    Join Date
    Jun 2004
    Posts
    460

    specify interface for ftpd

    Greetings,

    I am currently working in an environment where we have inetd, tcpwrappers, and ftpd. Currently we have ftpd running through tcpwrappers, but it doesn't even need to be running for the outside world to see. Therefore, we want to restrict ftpd so that it only will listen to localhost (some stupid application requires ftp to itself...), which leads me to my 2 questions:

    1) with tcpwrappers is it possible to give ALL: but still have it so that it does not give a certain protocol (basically an all except ftpd)

    2) Is it possible to bind ftpd so that it only listens to localhost without having to install xinetd

    Please note that this is a production environment running HPUX/Tru64 at a company who does not like open source (please don't get me started on that, I am just as grumpy about it as some of you will be just reading it).
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One Use Hardened Gentoo
    I HAVE A CATAPULT. UNLESS YOU GIVE ME ALL YOUR MONEY, I WILL HURL A HUGE ROCK AT YOUR HEAD.

  2. #2
    Maybe it would be easier to configure this in the firewall rules (if you have one running on the local machine). Sounds like you know a lot more about it than I do, I could be wrong, but at least I tried.
    I'm Dying To Find Out The Hard Way

  3. #3
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167
    From what I know I don't think you can properly bind ftpd to localhost, lo. You probably will have to set up some form of ACLs.

    Besides using tcpwrappers, have you tried looking at /etc/ftphosts? The following entries might prevent ftp from accepting any connections from outside 127.0.0.1.

    allow <username> 127.0.0.1
    deny <username> 0/0

    So if <username> comes in on some random IP other than 127.0.0.1, he should time out and not be able to connect.


    And about your first question. With hosts.allow and hosts.deny, once you make an entry in hosts.allow (which is read first) that matches a given protocol, for instance ALL:etc, it will let ftp through without even looking in hosts.deny for any deny entry for ftp. So it seems that if you want to single out ftpd, you can not put an ALL: statement in hosts.allow.
    The command completed successfully.

    "They drew first blood not me."

  4. #4
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I think the title is a little misleading, but I think I know what you mean.

    Well, first off, if it is production environment I hope you have some test machines!

    I am assuming here (since I have never used that OS, but it is BSD like) that you do not have a hosts.deny file, but have a hosts.allow file. Is that correct?

    (Search for previous posts here concerning this, but in many systems both sets of rules are now included in the hosts.allow file; the hosts.deny file has been deprecated. Some still use both.)

    If the service, as you said, is just running on the local machine, wouldn't a hosts.allow file like this do it?

    ALL : localhost 127.0.0.1 [::1] :allow
    ftpd : localhost : allow
    ftpd : ALL : deny
    ALL : ALL : deny

    Also, blocking anything else coming in on these ports through a firewall like c0br4 said as an added level couldn't hurt (I would), but I don't know what firewall is available on that particular OS.

    Before you go running out and plugging this into your machine I would not only test it, but look to see what services are allowed through the current hosts.allow file. You might break something!

    The man pages for things like hosts_options, and even sample hosts.allow files supplied with the OS, may teach you a lot.

    You can add shell commands, etc., and it can get quite complex, but I like to keep them simple, like me!

    Hope this helps.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
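The ordering point br_fusion makes in #3 (a matching hosts.allow entry is final, hosts.deny is never reached) and the rule set IKnowNot posts in #4 are easy to check against a model of the hosts_access(5) search order. The evaluator below is an added example, not code from any poster or from tcp_wrappers itself; it implements the subset of the rule syntax the thread uses (ALL, LOCAL, hostnames and addresses, bracketed IPv6 literals, trailing-dot prefixes, net/mask forms, and the hosts_options `allow`/`deny` suffix) and, going one step beyond the thread, the `EXCEPT` operator that hosts_access(5) provides for exactly the "ALL except ftpd" case asked about in #1. The hosts.allow/hosts.deny texts inside it are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed hosts.allow: the rule set posted in #4, as text for the evaluator.
HOSTS_ALLOW_POST4 = """
ALL : localhost 127.0.0.1 [::1] :allow
ftpd : localhost : allow
ftpd : ALL : deny
ALL : ALL : deny
"""

# Constructed pair illustrating #3: a blanket ALL entry in hosts.allow matches
# ftpd first, so the ftpd line in hosts.deny is never consulted.
BLANKET_ALLOW = "ALL : 10.0.0.\n"
BLANKET_DENY = "ftpd : ALL\n"

# Constructed remedy using the EXCEPT operator from hosts_access(5) (not in the thread).
EXCEPT_ALLOW = "ALL EXCEPT ftpd : 10.0.0.\n"

# Split a rule on ':' unless the colon sits inside [ ] (an IPv6 literal such as [::1]).
_FIELD_SPLIT = re.compile(r":(?![^\[]*\])")


def parse_rules(text):
    """Return (daemon_patterns, client_patterns, option) per non-empty rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in _FIELD_SPLIT.split(line)]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        option = fields[2].lower() if len(fields) > 2 else ""
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def _match_pattern(pattern, value):
    """Match one hosts_access(5) pattern against a daemon name or client address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # any name without a dot, e.g. "localhost"
        return "." not in value
    if pattern.startswith("[") and pattern.endswith("]"):
        pattern = pattern[1:-1]                 # bracketed IPv6 literal
    if pattern.endswith("."):                   # leading octets, e.g. "10.0.0."
        return value.startswith(pattern)
    if pattern.startswith("."):                 # domain suffix, e.g. ".example.com"
        return value.endswith(pattern)
    if "/" in pattern:                          # net/mask or net/prefixlen
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                      # value is a hostname, not an address
            return False
    return pattern.lower() == value.lower()


def _match_list(patterns, value):
    """A list matches if something before EXCEPT matches and nothing after it does."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return _match_list(patterns[:i], value) and not _match_list(patterns[i + 1:], value)
    return any(_match_pattern(p, value) for p in patterns)


def hosts_access(daemon, client, hosts_allow, hosts_deny=""):
    """First-match search order of tcp_wrappers: hosts.allow is scanned first and a
    match grants access (unless the rule carries ': deny'); only then is hosts.deny
    scanned, where a match denies (unless the rule carries ': allow'); no match at
    all means access is granted."""
    for daemons, clients, option in parse_rules(hosts_allow):
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return option != "deny"
    for daemons, clients, option in parse_rules(hosts_deny):
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return option == "allow"
    return True


if __name__ == "__main__":
    for daemon, client in [("ftpd", "127.0.0.1"), ("ftpd", "10.0.0.5"), ("sshd", "::1")]:
        print("post #4 rules:", daemon, client, hosts_access(daemon, client, HOSTS_ALLOW_POST4))
    print("blanket ALL in hosts.allow lets ftpd in:",
          hosts_access("ftpd", "10.0.0.5", BLANKET_ALLOW, BLANKET_DENY))
    print("ALL EXCEPT ftpd in hosts.allow:",
          hosts_access("ftpd", "10.0.0.5", EXCEPT_ALLOW, BLANKET_DENY))
```

Running it shows the #4 rule set admitting ftpd from 127.0.0.1 and refusing it from 10.0.0.5, the blanket `ALL : 10.0.0.` entry admitting ftpd before hosts.deny is read, and `ALL EXCEPT ftpd` handing ftpd down to the deny file. Real libwrap also resolves client hostnames, honours `PARANOID`/`KNOWN`/`UNKNOWN` and runs the `spawn`/`twist` options from hosts_options(5); none of that is modelled here.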

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    From what I know I dont think you can properly bind ftpd to localhost
    Sure you can. I do it all the time.

    Is it possible to bind ftpd so that it only listens to localhost without having to install xinetd
    It's very simple. Many FTPD.CONF files will allow you to specify what IP address to listen to. For instance, vsftp will allow you to bind the service to localhost with a simple edit to the vsftpd.conf file. Look at the man page for the conf file of the FTPD daemon you have. I'm sure you'll see it in there. There will be no need for wrappers, etc. when using this method. Also, when finished, do a netstat -an and you'll see something like:

    Proto Local Addy
    TCP 127.0.0.1:21 ....... etc.

    You'll see the service bound locally.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
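The `netstat -an` check thehorse13 describes is the one that actually proves the daemon is bound where you think it is, whichever mechanism (daemon config, wrappers or ftphosts) you settled on. The script below is an added example, not thehorse13's or any project's code: it parses netstat listing lines in both the Linux/Tru64 `addr:port` style and the HP-UX `addr.port` style (the HP-UX column layout is an assumption) and reports every address on which a port is listening, so that a stray `0.0.0.0:21` or `*.21` stands out. The `listen` and `listen_address` keys are real vsftpd.conf(5) directives; the netstat output and the config fragment here are constructed samples.

```python
import re

# Constructed sample output in the Linux/Tru64 "addr:port" style (not a real capture).
NETSTAT_COLON_STYLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:21            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.1.2.3:21             0.0.0.0:*               LISTEN
"""

# Constructed sample in the HP-UX "addr.port" style; layout assumed, not captured.
NETSTAT_DOT_STYLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  127.0.0.1.21           *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
"""

# Constructed vsftpd.conf fragment showing the loopback-only binding thehorse13 describes.
VSFTPD_CONF = """\
listen=YES
listen_address=127.0.0.1
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# "host:port" or "host.port"; the greedy host group leaves only the last separator for the port.
_LOCAL_ADDR = re.compile(r"^(?P<host>.+)[:.](?P<port>\d+|\*)$")


def split_local_address(field):
    """Split a netstat Local Address field into (host, port); '*' is a wildcard host."""
    m = _LOCAL_ADDR.match(field)
    if not m:
        return None
    return m.group("host"), m.group("port")


def listeners(netstat_text, port):
    """Return the local addresses on which `port` is in LISTEN state, in listing order."""
    found = []
    for line in netstat_text.splitlines():
        cols = line.split()
        # data rows start with tcp/tcp4/tcp6 and end with the state column
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[-1] != "LISTEN":
            continue
        parsed = split_local_address(cols[3])
        if parsed and parsed[1] == str(port):
            found.append(parsed[0])
    return found


def bound_only_to_loopback(netstat_text, port=21):
    """True only if the port is listening and every listener is a loopback address."""
    addrs = listeners(netstat_text, port)
    return bool(addrs) and all(a in LOOPBACK for a in addrs)


def configured_listen_address(conf_text):
    """Return the listen_address value from a vsftpd.conf text, or None if unset."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("listen_address="):
            return line.split("=", 1)[1].strip()
    return None


if __name__ == "__main__":
    print("configured:", configured_listen_address(VSFTPD_CONF))
    for name, text in [("colon style", NETSTAT_COLON_STYLE), ("dot style", NETSTAT_DOT_STYLE)]:
        print(name, "port 21 listeners:", listeners(text, 21),
              "loopback only:", bound_only_to_loopback(text))
```

In the colon-style sample port 21 is listening on both 127.0.0.1 and 10.1.2.3, so the check fails, which is exactly the condition the original poster wants to rule out; in the dot-style sample the only port 21 listener is 127.0.0.1 and the check passes. Run the real `netstat -an` into the function after the change, and again after a reboot, since an inetd-spawned ftpd will still show `*.21` or `0.0.0.0:21` until the inetd.conf entry is removed or wrapped.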
