Saturday, July 10, 2010

Per-client-IP configuration for VSFTPD

Recently I needed to configure the VSFTPD FTP server to behave differently depending on the client IP address. Specifically, the task was to limit the number of connections to no more than 3 per client IP, but lift this restriction for one specific IP address (our own office address). The per-IP limit itself is easy to implement with the max_per_ip configuration setting (see the VSFTPD FAQ). The trick was making our office address the exception to this limit.

While per-user configuration is easy to implement with user_config_dir setting (and it is described in the FAQ), per-IP configuration is less obvious, so I thought I would document my findings.

The path to per-IP configuration lies via interaction with tcp_wrappers. In case you don't know it, tcp_wrappers is a tool for filtering incoming network requests, and VSFTPD can make use of it. So the first thing to do is to enable tcp_wrappers support in VSFTPD by making this setting in vsftpd.conf:


Then proceed to enter the default configuration in the main vsftpd.conf file. In my case, I set max_per_ip to limit connections per IP address:


The next step is to configure tcp_wrappers. Add a line similar to the following to /etc/hosts.allow file:

vsftpd: <office-ip-or-subnet>: setenv VSFTPD_LOAD_CONF /etc/vsftpd/vsftpd.conf.special

This must be a single line, even though Blogger may wrap it. It consists of 3 fields separated by the ':' character. The first must be vsftpd. The second contains your "special" IP address for which you want to enable a special configuration (replace the placeholder above with your own address); it may also include a netmask so that you can apply the special configuration to a whole subnet (see the hosts.allow man page for details). Finally, the third field instructs tcp_wrappers to set the environment variable VSFTPD_LOAD_CONF to the name of a configuration file that will apply to your special IP address(es). The name of the variable must be exactly this; the value may be any filename you like. Once tcp_wrappers has set this variable, VSFTPD will load the configuration file specified in it for the IP address(es) from the second field. Since tcp_wrappers evaluates hosts.allow rules in order and stops at the first match, put this line before any broader rule for vsftpd.

So, in the additional configuration file (in my example, /etc/vsftpd/vsftpd.conf.special) you can override everything you want for your special addresses. In my case I just needed to turn off the per-IP restriction:


That's it. I find it rather convoluted, but it works and achieves a useful purpose.
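To check that the setup above really gives the office address an exception and everyone else the limit of 3, here is an added example (not part of the original post) that emulates the lookup: it resolves which configuration file a client IP gets from the hosts.allow rule, then overlays that file on the main vsftpd.conf the way VSFTPD does. The file contents are constructed stand-ins for the settings the post describes, the office address 192.0.2.10 is a documentation-range placeholder, and only the IP-based tcp_wrappers client patterns are handled (no hostnames, ALL, EXCEPT, or hosts.deny).

```python
import ipaddress
import re
# Constructed stand-ins for /etc/hosts.allow and the two vsftpd files;
# 192.0.2.10 is a documentation-range placeholder for the office address.
HOSTS_ALLOW = """\
# hosts.allow rules are tried in order; the first match wins
vsftpd: 192.0.2.10: setenv VSFTPD_LOAD_CONF /etc/vsftpd/vsftpd.conf.special
"""
MAIN_CONF = "/etc/vsftpd/vsftpd.conf"
CONFIGS = {  # tcp_wrappers=YES is what makes vsftpd consult hosts.allow at all
    MAIN_CONF: "tcp_wrappers=YES\nmax_per_ip=3\n",
    "/etc/vsftpd/vsftpd.conf.special": "max_per_ip=0\n",  # 0 = no limit
}

def client_matches(pattern, ip):
    """tcp_wrappers patterns handled: literal IPv4, net/mask, trailing-dot prefix."""
    addr = ipaddress.ip_address(ip)
    if pattern.endswith("."):          # e.g. '192.0.2.' matches 192.0.2.x
        return ip.startswith(pattern)
    if "/" in pattern:                 # dotted netmask or prefix length
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)

def config_for_client(hosts_allow, ip):
    """File vsftpd loads for this client: VSFTPD_LOAD_CONF from the first
    matching vsftpd rule in hosts.allow, otherwise the main file."""
    for line in hosts_allow.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 3 or fields[0] != "vsftpd":
            continue
        m = re.match(r"setenv\s+VSFTPD_LOAD_CONF\s+(\S+)", fields[2])
        if m and any(client_matches(c, ip) for c in fields[1].split()):
            return m.group(1)
    return MAIN_CONF

def parse_conf(text):
    """Minimal key=value reader for vsftpd.conf syntax."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def effective_max_per_ip(ip):
    """The override file replaces only the keys it sets; the rest stays as in
    the main file, which vsftpd has already loaded before reading the override."""
    conf = parse_conf(CONFIGS[MAIN_CONF])
    conf.update(parse_conf(CONFIGS[config_for_client(HOSTS_ALLOW, ip)]))
    return int(conf["max_per_ip"])
```

Running effective_max_per_ip for the office address returns 0 (unlimited) and for any other address returns 3, which is exactly the behaviour the post sets out to achieve.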
