Overview
This document provides guidance on configuring ProFTPD to leverage the Host Access Control feature via the command line, specifically to restrict FTP access by IP address. It's important to note that ProFTPD does not inherently reference the /etc/hosts.allow or /etc/hosts.deny files for restricting FTP service access.
This information is applicable only to systems operating cPanel & WHM on CentOS 7, CloudLinux™ 7, and Red Hat® Enterprise Linux® 7, as well as earlier server versions. ProFTPD does not utilize TCP-Wrappers-based access controls on AlmaLinux OS, Rocky Linux™, and CloudLinux 8 or higher servers. For these newer operating systems, it is recommended to use the functionality available in WHM’s Host Access Control interface instead.
Warning:
- This document describes an unsupported workaround that is not guaranteed to function in future versions.
- After implementing these steps, the system administrator is responsible for managing and maintaining the server’s database software.
- These steps are recommended for experienced system administrators only.
- We are not responsible for any data loss resulting from attempts to perform these steps.
System Requirements
To successfully configure ProFTPD, your server must meet the following software requirements:
- ProFTPD version 1.3.3 or later.
- The mod_wrap module.
As the root user, execute the following command to confirm the installed version of ProFTPD and the presence of the mod_wrap module on your server:
proftpd -V | awk '/Version/ {print $0}; /mod_wrap/ {print "mod_wrap is installed"}'
The output should resemble this example:
root@testserver [~]# proftpd -V | awk '/Version/ {print $0}; /mod_wrap/ {print "mod_wrap is installed"}'
Version: 1.3.5rc1 (devel)
mod_wrap is installed
Create a VirtualHost Container
To configure ProFTPD, you need to create a Virtual Host container. Follow these steps as the root user:
- Open the /etc/proftpd.conf file with a text editor and add the following lines after the existing comments:
  TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
  TCPServiceName ftp
  Warning:
  - Each Virtual Host requiring Host Access Control must include this entry in the /etc/proftpd.conf file.
  - You must specify both /etc/hosts.allow and /etc/hosts.deny to avoid errors.
- Run the /usr/local/cpanel/scripts/restartsrv_proftpd script to restart ProFTPD.
- Add access deny rules to the /etc/ftpusers file. This file lists all users for whom FTP access should be denied.
- Log in to your FTP server to test the new configuration.
Note:
If ProFTPD rejects connections due to Host Access Control configuration, these failures will be reported as authentication failures. For instance:
root@testserver [~]# ftp 10.1.1.1
Connected to 10.1.1.1.
220 ProFTPD 1.3.5rc1 Server (ProFTPD) [::ffff:10.1.1.1]
Name (10.1.1.1:root): cptest
331 Password required for cptest
Password:
530 Access denied
ftp: Login failed
ftp> quit
221 Goodbye.
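The warning in the first step requires every Virtual Host that needs Host Access Control to carry both directives, with both file paths. The script below is an added example, not part of the original document: it reports, for each VirtualHost block in a ProFTPD configuration, whether those directives are present. The function names, status labels and sample configuration (hypothetical hosts on documentation addresses) are assumptions made for illustration, and only VirtualHost blocks are inspected.

```sh
#!/bin/sh
# Added example: report, per <VirtualHost> block, whether the mod_wrap
# directives from this page are present. Reads a file argument or stdin.
audit_tcpaccess() {
    awk '
    function report() {
        if (files == 2 && svc != "") status = "OK"
        else if (files == 0 && svc == "") status = "UNPROTECTED"
        else status = "INCOMPLETE"
        printf "%s %s files=%d service=%s\n", status, host, files, (svc == "" ? "-" : svc)
    }
    /^[ \t]*#/ { next }                       # skip comment lines
    tolower($1) ~ /^<virtualhost/ {           # block opens: reset state
        host = $2
        for (i = 3; i <= NF; i++) host = host "," $i
        sub(/>$/, "", host)
        in_vh = 1; files = 0; svc = ""
        next
    }
    in_vh && tolower($1) == "</virtualhost>" { report(); in_vh = 0; next }
    in_vh && tolower($1) == "tcpaccessfiles" { files = NF - 1 }   # expect allow + deny
    in_vh && tolower($1) == "tcpservicename" { svc = $2 }
    END { if (in_vh) report() }               # block left unclosed at EOF
    ' "${1:--}"
}

# Constructed sample configuration (hypothetical hosts, documentation addresses).
sample_conf() {
    cat <<'EOF'
<VirtualHost 192.0.2.10>
  ServerName ftp.one.example
  TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
  TCPServiceName ftp
</VirtualHost>
<VirtualHost 192.0.2.11>
  ServerName ftp.two.example
  TCPAccessFiles /etc/hosts.allow
  TCPServiceName ftp
</VirtualHost>
<VirtualHost 192.0.2.12>
  ServerName ftp.three.example
</VirtualHost>
EOF
}

sample_conf | audit_tcpaccess
```

Run it against the live file with audit_tcpaccess /etc/proftpd.conf. An UNPROTECTED line matters only for a Virtual Host that is meant to use Host Access Control; an INCOMPLETE line means one of the two directives or one of the two file paths is missing.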
VirtualHost Container Example
The following provides a complete example of a VirtualHost container configuration:
<VirtualHost 10.1.1.1>
ServerName ftp.testserver.tld
AuthUserFile /etc/proftpd/wcraft
MaxClients 3 "Sorry, this ftp server has reached its maximum user count (%m). Please try again later"
DirFakeGroup On ftpgroup
DirFakeUser On ftpuser
DefaultRoot ~
TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
TCPServiceName ftp
[truncated]