While vsftpd doesn't include direct IP-based access control in its configuration file, we can implement this restriction through Linux's built-in networking tools. The most effective approaches involve using either TCP wrappers or iptables firewall rules.
This traditional Unix method works with vsftpd when the daemon is compiled with libwrap support (most distributions build it that way by default) and tcp_wrappers=YES is set in vsftpd.conf; without that directive vsftpd never consults the hosts.allow and hosts.deny files.
```
# /etc/hosts.deny
vsftpd: ALL

# /etc/hosts.allow
vsftpd: 192.168.1.10, 192.168.1.15
vsftpd: 203.0.113.0/24
```
This configuration:
- Denies all FTP connections by default
- Only allows connections from specified individual IPs (192.168.1.10, 192.168.1.15)
- Permits an entire subnet (203.0.113.0/24)
For more granular control, especially in RHEL environments, iptables provides robust filtering:
```
# Clear existing rules (use cautiously: on a remote host this also removes
# whatever rule currently admits your SSH session, and the DROP policy
# below will then cut you off unless SSH is re-allowed first)
iptables -F
iptables -X

# Default deny policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow specific IPs to FTP (port 21)
iptables -A INPUT -p tcp --dport 21 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -s 192.168.1.15 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -s 203.0.113.0/24 -j ACCEPT

# Save rules for persistence (RHEL 6 writes them to /etc/sysconfig/iptables)
service iptables save
```
After implementing either method, test from both allowed and blocked IPs:
```
# From client machine
ftp your.server.ip
```
For iptables, check active rules with:
```
# 'dpt:21' matches only the destination-port column, not packet counters
iptables -L -n -v | grep 'dpt:21'
```
For maximum security in production environments, consider using both approaches:
- Use iptables for network-level filtering
- Use TCP wrappers as an additional application-layer control
Common pitfalls to watch for:
- Forgetting to allow passive mode ports in iptables (typically 40000-50000; the range you open must match pasv_min_port and pasv_max_port in vsftpd.conf)
- Not accounting for DNS lookups in firewall rules (hostname-based rules depend on DNS being available and correct at connection time)
- Missing IPv6 rules (ip6tables) if dual-stack networking is enabled
When running an FTP server in production environments, limiting access to trusted IP addresses is a fundamental security practice. The vsftpd (Very Secure FTP Daemon) service on RHEL 6.5 doesn't include native configuration directives for IP-based restrictions in its vsftpd.conf file, but we can implement this through Linux's built-in firewall capabilities.
For basic IP filtering, we can use the TCP Wrappers system that's pre-installed on RHEL:
```
# Edit /etc/hosts.allow
vsftpd : 192.168.1.0/24, 203.0.113.5 : ALLOW
vsftpd : ALL : DENY

# Edit /etc/hosts.deny
vsftpd : ALL
```
This configuration will only permit connections from the 192.168.1.0/24 subnet and the specific IP 203.0.113.5.
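To check what a given client would get from either hosts.allow/hosts.deny configuration on this page before touching a server, the following added example (not part of the original page or of vsftpd) evaluates a client IP with the hosts_access(5) decision order: hosts.allow first, then hosts.deny, and a client that matches neither file is allowed. The rule text embedded below is constructed from the two configurations shown above; the EXCEPT operator and hostname patterns are not implemented.

```python
"""Evaluate a client IP against vsftpd rules in hosts.allow / hosts.deny.

Mirrors hosts_access(5): hosts.allow is read first, then hosts.deny, and a
client matched by neither file is ALLOWED (hence 'vsftpd: ALL' in hosts.deny).
"""
import ipaddress

def _client_matches(pattern, ip):
    """Match one hosts_access client pattern: ALL, prefix, net/mask, or IP."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # e.g. '203.0.113.' matches the /24
        return str(ip).startswith(pattern)
    if "/" in pattern:                        # '203.0.113.0/24' or net/netmask
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)

def _rule_verdict(line, daemon, ip):
    """Return 'ALLOW', 'DENY' or 'MATCH' if the rule applies, else None."""
    line = line.split("#", 1)[0].strip()
    fields = [f.strip() for f in line.split(":")]
    if len(fields) < 2:
        return None                           # blank line or comment
    daemons = [d.strip() for d in fields[0].split(",")]
    if daemon not in daemons and "ALL" not in daemons:
        return None
    if not any(_client_matches(c, ip) for c in fields[1].split(",")):
        return None
    return fields[2].upper() if len(fields) > 2 else "MATCH"

def hosts_access(allow_text, deny_text, daemon, client):
    """True if TCP wrappers would let `client` reach `daemon`."""
    ip = ipaddress.ip_address(client)
    for text, default in ((allow_text, "ALLOW"), (deny_text, "DENY")):
        for line in text.splitlines():
            verdict = _rule_verdict(line, daemon, ip)
            if verdict is not None:
                return (default if verdict == "MATCH" else verdict) == "ALLOW"
    return True                               # no match anywhere: default allow

# Constructed sample rule text, copied from the two configurations on this page.
ALLOW_A = "vsftpd: 192.168.1.10, 192.168.1.15\nvsftpd: 203.0.113.0/24\n"
DENY_A = "vsftpd: ALL\n"
ALLOW_B = "vsftpd : 192.168.1.0/24, 203.0.113.5 : ALLOW\nvsftpd : ALL : DENY\n"
DENY_B = "vsftpd : ALL\n"

if __name__ == "__main__":
    for ip in ("192.168.1.10", "203.0.113.77", "192.168.1.11"):
        print(ip, "allowed" if hosts_access(ALLOW_A, DENY_A, "vsftpd", ip) else "denied")
```

Passing an empty string as deny_text shows the failure mode the page guards against: with no matching hosts.deny entry, every unlisted client is allowed.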
For more granular control, iptables is the recommended solution:
```
# Clear existing FTP rules
iptables -D INPUT -p tcp --dport 21 -j ACCEPT 2>/dev/null

# Allow specific IPs
iptables -A INPUT -p tcp -s 192.168.1.100 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -s 203.0.113.5 --dport 21 -j ACCEPT

# Block all other FTP connections
iptables -A INPUT -p tcp --dport 21 -j DROP

# Save rules for persistence
service iptables save
```
For temporary access or brute force protection, combine with the recent module:
```
# Dedicated chain for new FTP control connections
iptables -N FTP_ACCESS
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_ACCESS

# Sources already on the FTP list and seen within the last hour stay accepted
iptables -A FTP_ACCESS -m recent --name FTP --update --seconds 3600 -j ACCEPT

# The trusted host is added to the list on its first connection
iptables -A FTP_ACCESS -s 192.168.1.100 -m recent --name FTP --set -j ACCEPT

# Everything else is dropped
iptables -A FTP_ACCESS -j DROP
```
After applying any method, test connectivity:
```
# From allowed IP:
ftp your-server-ip
Connected to your-server-ip.
220 (vsFTPd 2.2.2)

# From blocked IP:
ftp your-server-ip
ftp: connect: Connection timed out
```
If using xinetd as a wrapper, add IP restrictions in /etc/xinetd.d/vsftpd:
```
service ftp
{
    only_from    = 192.168.1.0/24
    only_from   += 203.0.113.5
    access_times = 08:00-20:00
    ...
}
```