ProFTPD Configuration for Host Access Control
ProFTPd© does not automatically reference
/etc/hosts.deny to restrict access to the FTP service. The purpose of this document is to provide an example of how to configure ProFTPd to utilize the Host Access Control feature from the command line to restrict access by IP address to FTP.
This document describes an unsupported workaround that is not guaranteed to work in the future.
- After these steps are performed on a server, it is the system administrator’s responsibility to manage and maintain the server’s database software.
- We recommend that only experienced system administrators attempt to perform these steps.
- We are not responsible for any data loss that is caused by an attempt to perform these steps.
To configure ProFTPd, you must have the following installed on your server:
- ProFTPd version 1.3.3 or higher
root user, run the following command to confirm that you have the correct version of ProFTPd and
mod_wrap installed on your server:
The output will resemble the following:
To configure ProFTPd, perform the following steps as the
Main IP address
- Open the
/etc/proftpd.conffile with a text editor, add the following lines after the comments.12
- Run the following command to restart ProFTPd:
You must specify both
/etc/hosts.denyor you will receive an error.
- Add deny rules and test.
When ProFTPd rejects connections due to Host Access Control configuration, those failures are reported as authentication failures.12345678910
# ftp 10.1.1.1
Connected to 10.1.1.1.
220 ProFTPD 1.3.5rc1 Server (ProFTPD) [::ffff:10.1.1.1]
Name (10.1.1.1:root): cptest
331 Password required
530 Access denied
: Login failed
Additional IP addresses
Each Virtual Host that requires Access Control will need an entry in the file
/etc/proftpd.conf. Add the following lines to each Virtual Host container.
The following is an example of a VirtualHost container.