Chapter 14. Access controls

Table of Contents
Access limitation
Bandwidth control
Quota controls
Access controls
Controlling permission changes
.ftpaccess files

It's a rare day in the life of the systems administrator when he doesn't want to limit the access a user or network has to a resource. Whether the limits are prohibitions on access or limits on the amount of use that can be made, they are a fact of life on anything but the simplest of configurations.

Access limitation

Controlling timeouts

There are a number of methods for controlling how long the daemon waits for connections to complete, and how long a connection is held open by the daemon while waiting for traffic. The times given in the various Timeout* directives are in seconds.

TimeoutNoTransfer               900
TimeoutIdle                     900

Setting the various timeouts too high can result in problems because of connections being held open too long. Setting a timeout to zero is definitely recommended against: infinite timeouts are bad without a very good reason.

Syntax: TimeoutIdle seconds
Default: TimeoutIdle 600
Context: server config
Compatibility: 0.99.0 and later

The TimeoutIdle directive configures the maximum number of seconds that proftpd will allow clients to stay connected without receiving any data on either the control or data connection. If data is received on either connection, the idle timer is reset. Setting TimeoutIdle to 0 disables the idle timer completely (clients can stay connected for ever, without sending data). This is generally a bad idea, as a "hung" TCP connection which is never properly disconnected (the remote network may have become disconnected from the Internet, etc.) will cause a child server to never exit (at least not for a considerable period of time) until it is manually killed.
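As an added check (not from the page or from ProFTPD itself), this script parses the Timeout* directives out of a proftpd.conf, flags a value of 0 (timer disabled, as the text warns) and anything above an assumed 900-second ceiling, and falls back to the 600-second TimeoutIdle default given above when that directive is absent:

```python
import re

# Default the page states for TimeoutIdle (600 s); the other Timeout* defaults
# are not given on the page, so none are assumed for them.
PAGE_DEFAULTS = {"TimeoutIdle": 600}
CEILING = 900  # assumed local policy: longer than 15 minutes deserves a look

def parse_timeouts(conf_text):
    """Return {directive: seconds} for every Timeout* directive, ignoring comments."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(Timeout\w+)\s+(\d+)$", line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def audit_timeouts(conf_text, ceiling=CEILING):
    """Return [(directive, seconds, finding)] for settings worth reviewing."""
    found = parse_timeouts(conf_text)
    findings = []
    for name, default in PAGE_DEFAULTS.items():
        if name not in found:
            found[name] = default
            findings.append((name, default, "not set; compiled-in default applies"))
    for name, value in sorted(found.items()):
        if value == 0:
            findings.append((name, value, "timer disabled: hung connections never time out"))
        elif value > ceiling:
            findings.append((name, value, f"exceeds ceiling of {ceiling}s"))
    return findings

# Constructed sample, modelled on the directives used on this page, with one weak setting.
SAMPLE_CONF = """\
TimeoutLogin        120
TimeoutIdle         0      # disables the idle timer
TimeoutNoTransfer   900
TimeoutStalled      3600
"""

if __name__ == "__main__":
    for name, value, finding in audit_timeouts(SAMPLE_CONF):
        print(f"{name} {value}: {finding}")
```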

Abusive users

From a post to the ProFTPD mailing list: I've got a problem with people who "hammer" my FTP site when it's quite busy. I have my max connections per IP set at 1, but when people hammer, they try connecting several times per second! This sometimes allows them to connect many times, often using up all the users for the account. I have looked through the documentation and have been unable to find something to eliminate this. Is there anything? Something I can configure to, let's say, "if user connects X times in X seconds, then ban or ignore for X minutes" etc. Any help would be appreciated. Eric

You mean you have MaxClientsPerHost set to 1 already? If so, and a user from the same IP address can connect more than once, then this is presumably a bug (check the logs to make sure that they are coming from the same IP address). Or do you mean that they connect and disconnect quickly?
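The "X connects in X seconds" check Eric asks for can at least be detected after the fact from the server's own logs. This added example (not from the page or from ProFTPD) reads lines written with the auth LogFormat used later in this chapter, "%v [%P] %h %t \"%r\" %s", counts USER commands per host over a sliding window and reports hosts that exceed the threshold; the sample lines are constructed, and %t is assumed to be the CLF-style timestamp [dd/Mon/yyyy:HH:MM:SS +zone].

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Field layout of the page's LogFormat auth "%v [%P] %h %t \"%r\" %s";
# %t is assumed to be the CLF-style timestamp [dd/Mon/yyyy:HH:MM:SS +zone].
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) \[(?P<pid>\d+)\] (?P<host>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)

def parse_auth_line(line):
    """Parse one auth-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_hammering(lines, max_hits=5, window=10):
    """Map host -> time it first exceeded max_hits USER commands within any
    window-second span (each USER command marks a new login attempt)."""
    recent = defaultdict(deque)   # per-host timestamps still inside the window
    flagged = {}
    for line in lines:            # lines are assumed to be in chronological order
        rec = parse_auth_line(line)
        if rec is None or not rec["req"].startswith("USER "):
            continue
        q = recent[rec["host"]]
        q.append(rec["time"])
        while (rec["time"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > max_hits and rec["host"] not in flagged:
            flagged[rec["host"]] = rec["time"]
    return flagged

# Constructed sample: 192.0.2.5 opens seven sessions in three seconds,
# 198.51.100.9 behaves normally.
SAMPLE_LOG = [
    f'ftp.example.net [{2000 + i}] 192.0.2.5 [12/Mar/2001:14:32:{10 + i // 2:02d} +0000] '
    f'"USER anonymous" 331'
    for i in range(7)
] + [
    'ftp.example.net [2100] 198.51.100.9 [12/Mar/2001:14:32:11 +0000] "USER anonymous" 331',
    'ftp.example.net [2100] 198.51.100.9 [12/Mar/2001:14:32:12 +0000] "PASS (hidden)" 230',
    'ftp.example.net [2101] 198.51.100.9 [12/Mar/2001:14:40:00 +0000] "USER anonymous" 331',
]
```

Calling find_hammering(SAMPLE_LOG) returns only 192.0.2.5, flagged at the sixth attempt; what to do with a flagged host (a firewall rule, a lower per-class limit) is a local policy decision.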

Access classes

How do I go about using the Class directive in proftpd? Under wu-ftpd I could limit functions based on a defined class (anonymous, guest, etc.). How would you do this under proftpd? (i.e. anonymous could only do this, a real user from this IP could do this, while a real user from this other IP could do this!)

Syntax: Class "name" limit|regex|ip value
Default: None
Context: server config
Compatibility: 1.2.0pre9 and later

Controls class based access. Class based access allows each connecting IP to be classified into a separate class. Each class has its own maximum number of connections. limit sets the maximum number of connections for that class name, regex sets a hostname regex (POSIX) for inclusion in the class and ip sets an IP/netmask based inclusion. The default class is called default.

Example:

Classes on
Class local limit 100
Class default limit 10
Class local regex .*
Class local ip

This creates two classes, local and default, with local being everything in * and 172.16.1.* combined.

Syntax: Classes on|off
Default: Off
Context: server config
Compatibility: 1.2.0pre9 and later

Controls class based access. Enables class based access control. See: Class
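To make the class semantics concrete, here is an added simulation (not ProFTPD's own code) of how the Class directives above resolve a connecting host and enforce a per-class connection limit: ip rules match by network, regex rules match the hostname, anything else lands in default. The ip values for the page's own example are not shown, so 172.16.1.0/255.255.255.0 and a ".lan" hostname suffix are assumed.

```python
import ipaddress
import re

class ClassTable:
    """Holds Class directives and assigns a connecting host to a class as the
    text describes: first matching ip or regex rule wins, otherwise 'default'."""
    def __init__(self):
        self.limits = {"default": None}   # None = no limit configured
        self.rules = []                   # (class name, kind, matcher)

    def add(self, directive):
        keyword, name, kind, value = directive.split(None, 3)
        if keyword != "Class":
            raise ValueError(f"not a Class directive: {directive!r}")
        if kind == "limit":
            self.limits[name] = int(value)
        elif kind == "regex":
            self.rules.append((name, kind, re.compile(value)))
        elif kind == "ip":   # accepts both prefix-length and dotted-netmask forms
            self.rules.append((name, kind, ipaddress.ip_network(value, strict=False)))
        else:
            raise ValueError(f"unknown Class keyword {kind!r}")

    def classify(self, addr, hostname=None):
        ip = ipaddress.ip_address(addr)
        for name, kind, matcher in self.rules:
            if kind == "ip" and ip in matcher:
                return name
            if kind == "regex" and hostname and matcher.search(hostname):
                return name
        return "default"

def admit(table, active, addr, hostname=None):
    """Admit or refuse one connection; `active` is the mutable {class: count}."""
    cls = table.classify(addr, hostname)
    limit = table.limits.get(cls)
    if limit is not None and active.get(cls, 0) >= limit:
        return cls, False
    active[cls] = active.get(cls, 0) + 1
    return cls, True

# Constructed table: the page's ip values are not shown, so these are assumed.
def demo_table():
    t = ClassTable()
    for d in ("Class local limit 2", "Class default limit 1",
              "Class local ip 172.16.1.0/255.255.255.0", r"Class local regex \.lan$"):
        t.add(d)
    return t
```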

Ok, been playing again :) Example of a real-life class-based config.

Example 14-1. Configuration using classes

ServerName			"Frostbite FTPserver"
ServerType			standalone
DeferWelcome			on
Port				21
Umask				002
User				ftp
Group				ftp
TransferLog			/var/spool/syslog/proftpd/xferlog.legacy
DefaultRoot			/ftp/
TimeoutLogin			120
TimeoutIdle			600
TimeoutNoTransfer		900
TimeoutStalled			3600
ScoreboardFile			/var/run/proftpd
LogFormat         		default "%h %l %u %t \"%r\" %s %b"
LogFormat			auth    "%v [%P] %h %t \"%r\" %s"
LogFormat			write   "%h %l %u %t \"%r\" %s %b"
UseReverseDNS			off
MultilineRFC2228		on
AllowFilter ".*/[a-zA-Z0-9 ]+$"
Port 0

	DisplayLogin		welcome.msg
	DisplayFirstChdir	readme
	AllowOverwrite		yes
	AccessGrantMsg          "Welcome to Tux's kingdom oh chilly %u"
	DisplayConnect /ftp/
	IdentLookups         off
	ExtendedLog		/var/spool/syslog/proftpd/access.log WRITE,READ write
	ExtendedLog		/var/spool/syslog/proftpd/auth.log AUTH auth
	ServerIdent		on " server"
	AllowForeignAddress	on
	PathDenyFilter		"(\.htaccess)|(\.ftpaccess)$"

# ----------------------------------------------------
# (" FTP Archive") 
# Contact :
ServerName              " FTP Archive"
TransferLog             /var/spool/syslog/xfer/
MaxLoginAttempts        3
RequireValidShell       no
DefaultRoot             /ftp/
User                    linux
Group                   linux
AllowOverwrite          yes
DefaultServer		yes
LoginPasswordPrompt     off "Wibble"
# Allow 50 users from Local network, local WAN 
# Limit everyone else to 20 connections
Classes on
Class local limit 50
Class default limit 20
Class local regex .*
Class local ip
Class local ip
Class local ip

<Anonymous /ftp/>
	User			ftp
	Group			ftp
	UserAlias		anonymous ftp
	RequireValidShell	no
	##MaxClients		200
	MaxClientsPerHost	5 "Please don't be a hog and open any more sessions"
	AccessGrantMsg		"Welcome to Tux's kingdom oh chilly anonymous user"
	AllowForeignAddress	on
	# Global upload, no download or browsing.
	<Directory pub/incoming/*>
		AllowOverwrite	off
	</Directory>
</Anonymous>

Stopping permission changes

As of 1.2.0rc1 it is possible to prevent end users from altering the permissions on files in directories they have modify rights to. The AllowChmod directive, which defaults to deny, can be used to allow chmod on a server, global, virtual host or directory basis, giving a much finer degree of control over what end users are capable of.