ftp

ProFTPD Configuration for Host Access Control

Last modified: September 15, 2023


Overview

This document provides an example of how to configure ProFTPd to utilize the Host Access Control feature from the command line to restrict access by IP address to FTP. ProFTPD does not automatically reference the /etc/hosts.allow or /etc/hosts.deny files to restrict access to the FTP service.

The information in this document only applies to systems that run cPanel & WHM on CentOS 7, CloudLinux™ 7, and Red Hat® Enterprise Linux® 7 and earlier servers. ProFTPD does not use TCP-Wrappers-based access controls on AlmaLinux OS, Rocky Linux™, and CloudLinux 8 or higher servers. Use the functionality available in WHM’s Host Access Control interface on these operating systems instead.

Warning:
  • This document describes an unsupported workaround that we do not guarantee will work in the future.
  • After you perform these steps on a server, the system administrator must manage and maintain the server’s database software.
  • We recommend that only experienced system administrators attempt to perform these steps.
  • We are not responsible for any data loss that an attempt to perform these steps causes.

System Requirements

To configure ProFTPD, the following software must run on your server:

  • ProFTPD version 1.3.3 or later.
  • The mod_wrap module.

As the root user, run the following command to confirm that you have the correct version of ProFTPD and mod_wrap installed on your server:

proftpd -V | awk '/Version/ {print $0}; /mod_wrap/ {print "mod_wrap is installed"}'

The output will resemble the following example:

1
2
3
root@testserver [~]# proftpd -V | awk '/Version/ {print $0}; /mod_wrap/ {print "mod_wrap is installed"}'
  Version: 1.3.5rc1 (devel)
mod_wrap is installed

Create a VirtualHost container

To configure ProFTPD, create a Virtual Host container. To do this, perform the following steps as the root user:

  1. Open the /etc/proftpd.conf file with a text editor and add the following lines after the comments:

    1
    2
    
    TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
    TCPServiceName ftp
    Warning:
    • Each Virtual Host that requires Host Access Control needs this entry in the /etc/proftpd.conf file.
    • You must specify both /etc/hosts.allow and /etc/hosts.deny or you will receive an error.

  2. Run the /usr/local/cpanel/scripts/restartsrv_proftpd script to restart ProFTPD.

  3. Add access deny rules to the /etc/ftpusers file. This file lists of all of the users for whom to deny FTP access.

  4. Log in to your FTP server to test the new configuration.

    Note:

    If ProFTPD rejects connections due to Host Access Control configuration, the system will report those failures as authentication failures. For example:

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    
    root@testserver [~]# ftp 10.1.1.1
    Connected to 10.1.1.1.
    220 ProFTPD 1.3.5rc1 Server (ProFTPD) [::ffff:10.1.1.1]
    Name (10.1.1.1:root): cptest
    331 Password required for cptest
    Password:
    530 Access denied
    ftp: Login failed
    ftp> quit
    221 Goodbye.

VirtualHost container example

The following example resembles a complete VirtualHost container:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
<VirtualHost 10.1.1.1>
 ServerName ftp.testserver.tld
 AuthUserFile /etc/proftpd/wcraft
 MaxClients 3 "Sorry, this ftp server has reached its maximum user count (%m). Please try again later"
 DirFakeGroup On ftpgroup
 DirFakeUser On ftpuser
 DefaultRoot ~
TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
 TCPServiceName ftp
[truncated]

Additional Documentation