# hosts.deny and proftpd not working [SOLVED]

## selig

I have compiled proftpd with the "tcpd" USE flag enabled and want to add some nasty IP addresses to the hosts.deny. I guess the syntax is like

```
proftpd: 123.123.123.123
proftpd: 124.123.123.123
proftpd: 213.123.123.123
```

But it does not work. I have tried restarting proftpd and that has not helped either. Is there some configuration option to turn tcpd support on in proftpd, or what am I doing wrong? Thanks for any ideas.

Last edited by selig on Fri Jun 23, 2006 1:58 pm; edited 1 time in total

----------

## mazaryk

Check your hosts.allow file. I believe that file is checked first, and checking stops after the first match.

----------

## BCC

True, access will be granted "if a (daemon,client) pair matches an entry in the /etc/hosts.allow file" (man hosts.allow). One other thing you might check: are you sure that the proftpd process is named "proftpd" (and not ftpd, or in.proftpd, ...)?

You can check the listening process name with:

```
netstat -ltnp | grep ':21'
```

----------

## selig

The file hosts.allow does not exist. The process is really named proftpd:

```
$ ps -A | grep ftp
 3874 ?        00:00:00 proftpd

# netstat -ltnp | grep ':21'
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN 3874/proftpd: (acce
```

I have tried creating an empty hosts.allow, but that did not help either.

----------

## BCC

Do you have an entry like this one in your /etc/proftpd/proftpd.conf file?

```
TCPAccessFiles /etc/hosts.allow /etc/hosts.deny
```

----------

## selig

When I put this line in proftpd.conf, I am getting a "530 Access denied" error when trying to connect with a client. That would be OK if my computer was in the hosts.deny file, but it is not. My hosts.deny looks like this:

```
proftpd: 82.99.129.110
proftpd: 210.108.55.8
proftpd: 221.229.115.218
proftpd: 216.91.128.103
```

hosts.allow is empty. Is my syntax wrong? Because the man page was talking only about IP address ranges and domains, and not about specific IP addresses, so I am not sure if this is correct.

----------

## BCC

Your hosts.deny syntax looks ok to me.

You could try the other way: put your client's IP address in hosts.allow:

```
# /etc/hosts.allow

proftpd: aaa.bbb.ccc.ddd
```

and deny any other host in your hosts.deny file:

```
# /etc/hosts.deny

proftpd: ALL
```

But this is not really what you want, true? You want to block some addresses and allow any other?

For that, you can try to play with proftpd itself (and not with the tcp_wrappers). This seems to be possible with the <Limit LOGIN> syntax described here (search for ".evil.net"): http://www.proftpd.org/docs/configs/anonymous.conf

I have never used this syntax though.
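As an added illustration of the lookup order mazaryk and BCC describe (example code written for this page, not anything posted in the thread): a small simulator of the hosts_access(5) rules, run over the hosts.deny entries from this thread and over the allow-one/deny-ALL variant above. It assumes only the simple client patterns ALL, an exact IPv4 address, a trailing-dot prefix and net/mask; hostnames and EXCEPT lists are left out.

```python
import ipaddress

# Constructed sample files, based on the entries shown in this thread.
HOSTS_DENY = """\
# /etc/hosts.deny
proftpd: 82.99.129.110
proftpd: 210.108.55.8
proftpd: 221.229.115.218, 216.91.128.103
"""
HOSTS_ALLOW = ""          # an empty hosts.allow, as in the original post

def _pattern_matches(pattern, client):
    """Client patterns handled here: ALL, exact IPv4, 'a.b.' prefix, net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # leading-octet prefix, e.g. 192.168.
        return client.startswith(pattern)
    if "/" in pattern:                            # net/mask, e.g. 10.0.0.0/255.255.255.0
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client

def _file_matches(text, daemon, client):
    """True if any 'daemon_list : client_list' line matches the (daemon, client) pair."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()   # lists use blanks and/or commas
        clients = fields[1].replace(",", " ").split()
        if ("ALL" in daemons or daemon in daemons) and any(
                _pattern_matches(p, client) for p in clients):
            return True
    return False

def access_allowed(hosts_allow, hosts_deny, daemon, client):
    """hosts.allow first (a match grants), then hosts.deny (a match denies), else grant."""
    if _file_matches(hosts_allow, daemon, client):
        return True
    if _file_matches(hosts_deny, daemon, client):
        return False
    return True

if __name__ == "__main__":
    for ip in ("82.99.129.110", "192.0.2.10"):
        verdict = "allowed" if access_allowed(HOSTS_ALLOW, HOSTS_DENY, "proftpd", ip) else "denied"
        print(f"proftpd from {ip}: {verdict}")
```

The daemon name on the left must be the service name tcp_wrappers is handed (for proftpd with TCPAccessFiles, "proftpd"), which is why BCC asks about the process name.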

----------

## selig

Hmm, I have looked at the logs and other clients seemed to connect without any problems. I will have to try it from other IP addresses myself. Maybe the problem is that I am behind a NAT with a bad reverse DNS and I am using SSL. Or maybe not. I will look into the "limit login" directive too. I will try these when I get home and post an update. Thank you for the suggestions, hopefully it will work.

----------

## selig

The "Limit LOGIN" directive solved my problem nicely. TCP wrappers are a bit overkill for this anyway. Thanks for the advice!

----------

