Overview

This document demonstrates how to configure ProFTPD to use the Host Access Control feature via the command line, enabling restriction of FTP access by IP address. ProFTPD does not automatically reference the /etc/hosts.allow or /etc/hosts.deny files to restrict access to the FTP service.

This information only applies to systems running cPanel & WHM on CentOS 7, CloudLinux™ 7, and Red Hat® Enterprise Linux® 7, and earlier server versions. ProFTPD does not utilize TCP-Wrappers-based access controls on AlmaLinux OS, Rocky Linux™, and CloudLinux 8 or higher servers. Instead, use the functionality provided by the Host Access Control interface within WHM on these operating systems.

Warning:

  • This document describes an unsupported workaround that we do not guarantee will work in the future.
  • After you perform these steps on a server, the system administrator must manage and maintain the server’s database software.
  • We recommend that only experienced system administrators attempt to perform these steps.
  • We are not responsible for any data loss that an attempt to perform these steps causes.

System Requirements

To successfully configure ProFTPD, your server must have the following software:

  • ProFTPD version 1.3.3 or later.
  • The mod_wrap module.

As the root user, execute the following command to verify the installed versions of ProFTPD and mod_wrap on your server:

proftpd -V | awk '/Version/ {print $0}; /mod_wrap/ {print "mod_wrap is installed"}'

The output will resemble the following example:

root@testserver [~]# proftpd -V | awk '/Version/ {print $0}; /mod_wrap/ {print "mod_wrap is installed"}'
  Version: 1.3.5rc1 (devel)
mod_wrap is installed

Create a VirtualHost container

To configure ProFTPD, you will need to create a VirtualHost container. Follow these steps as the root user:

  1. Open the /etc/proftpd.conf file using a text editor and insert the following lines after any existing comments:

    TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
    TCPServiceName ftp

    Warning:

    • Each Virtual Host that requires Host Access Control needs this entry in the /etc/proftpd.conf file.
    • You must specify both /etc/hosts.allow and /etc/hosts.deny or you will receive an error.

  2. Execute the /usr/local/cpanel/scripts/restartsrv_proftpd script to restart the ProFTPD service.

  3. Add access denial rules to the /etc/ftpusers file, which lists all users for whom FTP access should be denied.

  4. Log in to your FTP server to verify the new configuration.

    Note:

    If ProFTPD rejects connections due to Host Access Control configuration, the system will report those failures as authentication failures. For example:

    root@testserver [~]# ftp 10.1.1.1
    Connected to 10.1.1.1.
    220 ProFTPD 1.3.5rc1 Server (ProFTPD) [::ffff:10.1.1.1]
    Name (10.1.1.1:root): cptest
    331 Password required for cptest
    Password:
    530 Access denied
    ftp: Login failed
    ftp> quit
    221 Goodbye.
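
Because a blocked client only sees "530 Access denied", it helps to confirm which containers actually carry the two directives from step 1. The following script is an added example, not cPanel or ProFTPD code: the function names audit_proftpd_vhosts and sample_conf are hypothetical, and the embedded configuration is constructed sample input.

```shell
#!/bin/sh
# Added example, not cPanel or ProFTPD code: report which <VirtualHost>
# containers carry the two mod_wrap directives described on this page.
# Constructed sample config; the .2 and .3 hosts are hypothetical.
sample_conf() {
cat <<'EOF'
<VirtualHost 10.1.1.1>
  ServerName ftp.testserver.tld
  TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
  TCPServiceName ftp
</VirtualHost>
<VirtualHost 10.1.1.2>
  # only one file given: the page says this is an error
  TCPAccessFiles /etc/hosts.allow
  TCPServiceName ftp
</VirtualHost>
<VirtualHost 10.1.1.3>
  DefaultRoot ~
</VirtualHost>
EOF
}

# Usage: audit_proftpd_vhosts [conf-file] [service-name]
# Reads stdin when no file is given; exit status is 1 if any container fails.
audit_proftpd_vhosts() {
  awk -v want="${2:-ftp}" '
    function report() {
      if (nargs < 0)        s = "UNPROTECTED: no TCPAccessFiles"
      else if (nargs != 2)  s = "INVALID: TCPAccessFiles needs an allow file and a deny file"
      else if (svc != want) s = "MISMATCH: TCPServiceName is \"" svc "\", expected \"" want "\""
      else                  s = "OK: " allow " " deny " service=" svc
      if (s !~ /^OK/) bad = 1
      print name ": " s
    }
    /^[ \t]*#/ { next }                       # skip comment lines
    { key = tolower($1) }                     # directive name, case-folded
    key == "<virtualhost" {                   # container opens: reset state
      invh = 1; nargs = -1; svc = ""
      name = $2; for (i = 3; i <= NF; i++) name = name "," $i
      sub(/>$/, "", name); next
    }
    invh && key == "tcpaccessfiles" { nargs = NF - 1; allow = $2; deny = $3 }
    invh && key == "tcpservicename" { svc = $2 }
    key == "</virtualhost>" { if (invh) report(); invh = 0 }
    END { if (invh) report(); exit bad }
  ' "${1:--}"
}

sample_conf | audit_proftpd_vhosts || true
```

To check a live server, source the function and run audit_proftpd_vhosts /etc/proftpd.conf as the root user; every container that should enforce Host Access Control must report OK.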

VirtualHost container example

The following example illustrates a complete VirtualHost container:

<VirtualHost 10.1.1.1>
 ServerName ftp.testserver.tld
 AuthUserFile /etc/proftpd/wcraft
 MaxClients 3 "Sorry, this ftp server has reached its maximum user count (%m). Please try again later"
 DirFakeGroup On ftpgroup
 DirFakeUser On ftpuser
 DefaultRoot ~
 TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
 TCPServiceName ftp
[truncated]