
vsFTPd: per-user IP filtering for virtual users

I'm running a vsFTPd FTP server with virtual users (i.e. users are stored in Berkeley DB and do not exist at OS level). The users are authenticated via /etc/pam.d/ftp:

%PAM-1.0
auth     required  pam_userdb.so  db=/etc/vsftpd/vsftpd-virtual-user
account  required  pam_userdb.so  db=/etc/vsftpd/vsftpd-virtual-user

I want to implement user-level IP filtering via tcp_wrappers, for example:

/etc/hosts.deny:

vsftpd: toto@10.10.10.10

(user 'toto' is a virtual user).

However, toto can log in to the FTP server from 10.10.10.10:

Status: Connecting to 10.10.10.10:21...
Status: Connection established, waiting for welcome message...
Response: 220 "FTP server"
Command: USER toto
Response: 331 Please specify the password.
Command: PASS ********
Response: 230 Login successful.
Status: Connected

How to make vsftpd's virtual users work with tcp_wrappers? How to debug the calls into tcp_wrappers to ensure that vsftpd is passing the correct user name to tcp_wrappers?


TCP wrappers may sound promising but won't work (long explanation). However, you can achieve the same level of granularity via PAM.

For instance, you can locate PAM's FTP conf file, if your vsFTPd was compiled with PAM support (ldd /usr/sbin/vsftpd | grep pam), and replace the account line to use PAM access control (pam_access) instead.

# vi /etc/pam.d/vsftpd
#account    include    password-auth     # comment this line out
# add the following line
account    required     pam_access.so

Then you can edit /etc/security/access.conf and create more complex rules tailored to your needs, e.g.:

+ : restricted_username : 192.168.1.10
+ : ALL EXCEPT restricted_username : ALL
- : ALL : ALL

The above rules will allow the user 'restricted_username' to log in only from that specific IP, while allowing the rest of the users to log in from ALL other sources.

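To see why the order of those three access.conf lines matters, here is a small evaluator of pam_access rule semantics, added as an example and not part of the original answer or of the pam_access module itself. It re-implements only the subset used above: first matching rule wins; the users field is a space-separated list, ALL, or ALL EXCEPT list; the origins field is a list of IPv4 addresses or CIDR networks, ALL, or ALL EXCEPT list. Host names, group names, LOCAL, tty matching and IPv6 origins are deliberately left out. The rule text and the user/address pairs fed to it are constructed for the example.

```python
"""Simplified evaluator for /etc/security/access.conf (pam_access) rules.

Added example, not from the original post and not pam_access's own code.
Supported subset: '<+|-> : <users> : <origins>', first match wins, users as
a space-separated list / ALL / 'ALL EXCEPT list', origins as IPv4 addresses
or CIDR networks / ALL / 'ALL EXCEPT list'. Unsupported: host names,
@group, LOCAL, tty fields, IPv6 origins (their colons would confuse the
':' split below).
"""
import ipaddress

# Constructed sample: the three rules from the answer plus a comment line.
ACCESS_CONF = """\
# restricted_username may only log in from one address
+ : restricted_username : 192.168.1.10
+ : ALL EXCEPT restricted_username : ALL
- : ALL : ALL
"""


def parse_rules(text):
    """Return a list of (permit, users_field, origins_field) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        rules.append((parts[0] == "+", parts[1], parts[2]))
    return rules


def _split_field(field):
    """Return (negated, items) for 'a b c' or 'ALL EXCEPT a b c'."""
    tokens = field.split()
    if len(tokens) >= 3 and tokens[0] == "ALL" and tokens[1] == "EXCEPT":
        return True, tokens[2:]
    return False, tokens


def _user_matches(field, user):
    negated, items = _split_field(field)
    hit = "ALL" in items or user in items
    return not hit if negated else hit


def _origin_item_matches(item, addr):
    if item == "ALL":
        return True
    try:
        net = ipaddress.ip_network(item, strict=False)  # '10.0.0.5' or '10.0.0.0/24'
    except ValueError:
        return False  # host names are not handled in this simplified version
    return addr in net


def _origin_matches(field, addr):
    negated, items = _split_field(field)
    hit = any(_origin_item_matches(i, addr) for i in items)
    return not hit if negated else hit


def evaluate(rules, user, origin):
    """True if the login is permitted, False if denied.

    Mirrors pam_access: the first rule whose users AND origins fields match
    decides; if NO rule matches, access is granted. That default-permit is
    why the answer ends with '- : ALL : ALL'.
    """
    addr = ipaddress.ip_address(origin)
    for permit, users, origins in rules:
        if _user_matches(users, user) and _origin_matches(origins, addr):
            return permit
    return True


if __name__ == "__main__":
    rules = parse_rules(ACCESS_CONF)
    for user, ip in [("restricted_username", "192.168.1.10"),
                     ("restricted_username", "10.10.10.10"),
                     ("toto", "10.10.10.10")]:
        print(f"{user}@{ip}: {'permit' if evaluate(rules, user, ip) else 'deny'}")
    # Without the trailing deny-all, the restricted user is let in from anywhere.
    print("no deny-all:", evaluate(rules[:2], "restricted_username", "10.10.10.10"))
```

Two caveats worth keeping in mind when wiring this up for real. First, pam_access is an account module, so it runs after pam_userdb has already accepted the password; a blocked virtual user still gets the 331 prompt and only fails at the 230/530 step, which is fine for access control but means failed attempts look like bad passwords in the log unless you check the pam_access message. Second, the reason the hosts.deny approach in the question cannot work: vsftpd consults tcp_wrappers when the TCP connection is accepted, before the USER command is ever sent, and the user@host form in hosts.deny refers to the client-side username obtained by an RFC 1413 ident lookup on the connecting socket, not the FTP login name, so no amount of debugging will make it see 'toto'.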
