# Limit access to FTP via IP



## rfrazier (Feb 26, 2010)

I'm trying to restrict access to my pure-ftp server from all IP addresses with the exception of a couple of IPs.  I'm running FreeBSD 7.2 and I've tried editing the hosts.allow file with the following:


```
# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
ftpd : ALL : deny
#ftpd : ALL : allow
ftpd : xx.xx.xx.101 : allow
```

The IP listed as xx.xx.xx.101 is one of the IPs that I want to be able to access the ftp server.

Any suggestions?


----------



## DutchDaemon (Feb 26, 2010)

Is pure-ftp even tcpwrapper-aware, or are you running it from inetd -w? Does anything happen when you play with these rules?


----------



## DutchDaemon (Feb 26, 2010)

And *do not double-post*.


----------



## rfrazier (Feb 26, 2010)

Sorry about the post, I thought it was more appropriate in the Firewall forum. 

Everything was commented out in /etc/inetd.conf previously so I'm not sure if it's tcp-wrapper aware.  How can I tell?  I'm fairly new at this admin stuff and I appreciate the help.


----------



## rfrazier (Feb 26, 2010)

And no, nothing happens when I "play with the settings".  I've tried it a number of ways.


----------



## DutchDaemon (Feb 26, 2010)

Find the pure-ftp binary (probably in /usr/local/bin or /usr/local/sbin), and run ldd on it. Something like `ldd /usr/local/bin/pureftpd | grep wrap`. If you get 'libwrap' it's compiled with tcpwrapper support. If not, using /etc/hosts.allow has no point when you run proftpd in daemon (standalone) mode. You'll either have to recompile it with tcpwrapper support, or run it from inetd (itself started with the -w flag).

Or use a firewall, of course, which is probably better anyway.


----------
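The checks from the last answer, combined into one script that reports whether /etc/hosts.allow can affect the FTP daemon at all (an added example, not part of the original thread). The function names are hypothetical, and the inetd flags are passed in as an argument rather than read from the system.

```shell
#!/bin/sh
# Usage: sh wrapcheck.sh /path/to/ftp-daemon-binary "inetd flags"
# Prints one of: libwrap | inetd | none

# Reads `ldd` output on stdin; succeeds if the binary links against libwrap.
links_libwrap() {
    grep -q 'libwrap\.so'
}

# $1 = inetd.conf path; succeeds only if an uncommented ftp service line exists.
inetd_serves_ftp() {
    [ -r "$1" ] && grep -Eq '^ftp[[:space:]]' "$1"
}

# $1 = inetd flag string; succeeds if a flag word contains lowercase "w"
# (TCP wrapping for external services). "-W" alone does not count.
inetd_wraps() {
    for word in $1; do
        case "$word" in
            -*w*) return 0 ;;
        esac
    done
    return 1
}

# $1 = ldd output, $2 = inetd.conf path, $3 = inetd flags
wrapper_verdict() {
    if printf '%s\n' "$1" | links_libwrap; then
        echo "libwrap"   # daemon consults hosts.allow itself
    elif inetd_serves_ftp "$2" && inetd_wraps "$3"; then
        echo "inetd"     # inetd applies hosts.allow before starting the daemon
    else
        echo "none"      # hosts.allow rules are never evaluated for this daemon
    fi
}

if [ "$#" -ge 1 ]; then
    wrapper_verdict "$(ldd "$1" 2>/dev/null)" /etc/inetd.conf "${2:-}"
else
    echo "usage: $0 /path/to/ftp-daemon-binary [inetd flags]" >&2
fi
```

A result of `none` matches the symptom in the thread: edits to hosts.allow change nothing, and access has to be restricted by a rebuild with tcpwrapper support, by running under inetd, or by a firewall.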

