Web Hosting Talk

FTP Question.


-Edward-
02-20-2002, 12:33 PM
Hi,

Is it possible to make it so only certain IPs can FTP to a domain?

I think it's possible and I think you'd edit proftpd, but what would you put?

Pingu
02-20-2002, 06:27 PM
I wouldn't know about proftpd, but I do know about tcp-wrappers, and that's something that's probably installed on your RaQ already. If not, then I wouldn't know how it got on mine :D

Look inside inetd.conf. If there's something in there (let's say the ftp line) that looks like this:
/usr/sbin/tcpd in.proftpd
then tcpwrappers is installed and running.

Now you can control access to the server through two files:
/etc/hosts.allow and /etc/hosts.deny

The hosts.deny is the easy part; all it should contain is this:
ALL: ALL
The first part, before the colon, stands for the service, the second for the remote address. ALL: ALL means deny access to every service to everyone.

Now access can be granted through /etc/hosts.allow. It's built up quite the same way:
ALL: LOCAL
ALL: xxx.xxx.xxx.xxx
ALL: .domain.name
in.proftpd: yyy.yyy.yyy.yyy
The first line says that all is allowed from the local machine. The second is important for yourself. Replace the xxx with the IP address you use at home, or at work, or whatever you use to manage your server. That line says that access to every service is allowed from IP address xxx.xxx.xxx.xxx. You can also use .domain.name for that, but you'd better make sure your server can resolve domain names.
The last line is the one that allows FTP access to IP address yyy.

Use this command to check your configuration:
/usr/sbin/tcpdchk
If it finds anything it doesn't understand in either hosts.allow or hosts.deny, it will tell you so. In most cases it warns you that it can't resolve an IP address, which can be ignored if you know what it is.

If you host many clients then this might not be the easiest way, but it does add to your server's security, since unknown hosts simply can't access services even if they know the right passwords. Of course nothing is perfect :D

That covers just about the basics. Do some reading about tcpwrappers. It helps to know what you're doing before doing it, hehe

-Edward-
02-21-2002, 09:02 AM
Thanks Pingu.

mamakap
02-21-2002, 12:13 PM
One more question Pingu... :blush:
Let's say I insert the following lines, shown below, inside hosts.allow:

ALL: LOCAL
ALL: 123.456
ALL: .domain.name
in.proftpd: 111.101

That means all the IPs with 123.456 and 111.101 will be allowed to access??? :)

Pingu
02-21-2002, 01:05 PM
Umm, not sure what you mean :D

Some examples then:
ALL: 192.168.0.1
Allows the host with IP address 192.168.0.1 access to all services.

ALL: 192.168.0.
(Note the trailing dot!) Allows all hosts with an IP address starting with 192.168.0.

in.proftpd: .linux.microsoft.com
(Note the leading dot!) Allows FTP access to every host coming from the linux.microsoft.com domain.

ALL: LOCAL
Allows access to all services to all local machines (if they have an account, that is). Small rectification here to the post above: not machine but machines.

In the above examples, 192.168.0.1 can access ssh, ftp, imap and whatever.
host.linux.microsoft.com can start an ftp session, but is not allowed to ssh into the server, or even pop3.

The mail thing is something to consider here. But then, we're not hosting any clients, just ourselves. It's ALL: or nothing, hehe

This page makes things even more clear. It's written for Mac OS X, but it does explain the general idea quite well:
http://www.cats.wright.edu/catsweb/ns/osxs_sec/tcpw_install.html
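Pingu's two replies above describe two things: the pattern forms tcpd understands (ALL, LOCAL, an exact address, a trailing-dot address prefix, a leading-dot domain suffix) and the order in which hosts.allow and hosts.deny are consulted. The Python below is an added example for this thread, not code from tcp_wrappers or from any of the posters: a small offline model of that decision logic, so a rule set can be sanity-checked before it goes onto the box. The hosts.allow and hosts.deny contents are constructed in the shape the thread recommends; the addresses and the example.net domain are placeholders, not anyone's real values. The LOCAL definition follows hosts_access(5) (a host whose name contains no dot). Not modelled: EXCEPT, KNOWN/UNKNOWN/PARANOID, @netgroups, daemon@host forms and shell commands.

```python
"""Toy model of tcp_wrappers hosts_access(5) decisions (added example for
this thread, not code from tcp_wrappers or the posters)."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    addr: str       # address as tcpd sees it on the socket
    hostname: str   # reverse-resolved name, "" if the lookup failed


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns), ...].

    Format: daemon_list : client_list [: shell_command]. Lines starting with
    '#' are comments; a trailing backslash continues the line.
    """
    rules = []
    pending = ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = pending + line
        pending = ""
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client):
    """Match one client pattern against a connecting host."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # hosts_access(5): any host whose name contains no dot
        return client.hostname != "" and "." not in client.hostname
    if pattern.startswith("."):
        # leading dot: host-name suffix, so it needs working reverse DNS
        return client.hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        # trailing dot: address prefix; without the dot it is an exact match
        return client.addr.startswith(pattern)
    if "/" in pattern:
        # net/mask form, e.g. 192.168.0.0/255.255.255.0
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client.addr) in network
    return pattern == client.addr or pattern.lower() == client.hostname.lower()


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client) for c in clients))


def decide(daemon, client, hosts_allow, hosts_deny):
    """tcpd order: first hosts.allow match grants, then first hosts.deny
    match refuses, and a client matched by neither file is let through."""
    for rule in parse_access_file(hosts_allow):
        if rule_matches(rule, daemon, client):
            return "allow"
    for rule in parse_access_file(hosts_deny):
        if rule_matches(rule, daemon, client):
            return "deny"
    return "allow"


# Constructed files in the shape the thread recommends (placeholder values).
HOSTS_ALLOW = """\
ALL: LOCAL
ALL: 192.168.0.1
ALL: 192.168.1.
in.proftpd: .example.net
in.proftpd: 10.0.0.
"""
HOSTS_DENY = "ALL: ALL\n"


if __name__ == "__main__":
    probes = [
        ("in.sshd", Client("192.168.0.1", "admin.example.org")),
        ("in.sshd", Client("192.168.1.200", "")),
        ("in.proftpd", Client("203.0.113.9", "host.example.net")),
        ("in.sshd", Client("203.0.113.9", "host.example.net")),
        ("in.proftpd", Client("10.0.0.7", "")),
        ("ipop3d", Client("10.0.0.7", "")),
        ("in.sshd", Client("127.0.0.1", "raq")),
    ]
    for daemon, client in probes:
        print("%-12s %-16s %-20s %s" % (daemon, client.addr, client.hostname,
              decide(daemon, client, HOSTS_ALLOW, HOSTS_DENY)))
```

Two things worth checking with it: a pattern like 192.168.0 without the trailing dot only ever matches the literal address 192.168.0, not the subnet, and if hosts.deny is empty (or missing its ALL: ALL line) the allow file restricts nothing, since a client matched by neither file is let through. Leading-dot domain patterns also depend on reverse DNS for the connecting address, which is why Pingu says the server must be able to resolve names.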