FTP Security Improvements: Read here how!

Posted In: Awesome! — Jul 15th, 2009 at 4:01 pm EST by IX: Tiberiu Ungureanu

Incident Description:

As I promised you a couple of weeks ago, our sysadmin team implemented the mod_wrap2 module in our FTP server. The purpose of this module is to allow you, the users, to create whitelists or blacklists of IP addresses, meaning you will be able to say "only these IP addresses are allowed to FTP into my account", or "everybody is allowed to FTP into my account except these IP address(es)".

I will skip the sparkles and coloured balloons and get straight to the technical details. When you log in to your FTP account, before access is granted, the ftp daemon searches your home directory for a file called "ftp.allow" to see if your IP address is specifically allowed to log in. If the file is found and your IP address matches an entry in it, no other checks are performed. If your IP address is not found in the list of allowed IPs, or the file is not found, the daemon searches for a file called "ftp.deny" to see if your IP address is specifically denied. If the IP address you are connecting from matches one of the entries in ftp.deny (which can be ALL: ALL, which denies everything that was not already permitted), access will be denied with the message "530 User 'username' denied by access rules". If that file is not found either, or your IP address doesn't match any entry in it, access is permitted.

In other words, the decision is made only on the IP address you connect from, and the first match wins: an address listed in ftp.allow is never denied, and an address listed in neither file is allowed. In addition, webshell access is always permitted, so you can still edit ftp.allow and ftp.deny if you denied your own access by mistake.

If you have FTP sub-users defined and they have a home directory different from that of the main FTP user, they will not be affected by the ftp.allow and ftp.deny in your home dir. If you want to restrict their access, you need to place similar files in their home dirs.

Both ftp.allow and ftp.deny can contain one or more of the following lines:

ALL: 1.2.3.4 -> this will match only the IP address 1.2.3.4
ALL: 1.2.3. -> this will match anything that starts with 1.2.3. (note the trailing dot), i.e. 1.2.3.0 – 1.2.3.255
ALL: 1.2.3.0/255.255.255.240 -> this will match any IP in the range 1.2.3.0 – 1.2.3.15; the address before the slash must be the first address of the block, and the mask decides how big the block is
ALL: ALL -> this will match everything and anything

Both ftp.allow and ftp.deny files MUST end with an empty line. Simple, right? Well, let’s see some scenarios that you may want to try:

Scenario 1: Block everything except IP address 76.188.2.141, which is my home IP address, and IP range 12.44.215.0 – 12.44.215.255, which is the range of IPs that I have at the office (these are not the real IPs; I invented them for the purpose of this example).

The file ftp.allow should look like this:

 ALL:   76.188.2.141
 ALL:   12.44.215.0/255.255.255.0

This specifically permits access from that IP address and range. Note the file ends with an empty line. Now, to deny everything else, we create an ftp.deny file that looks like this:

 ALL:   ALL

Again, make sure you have an empty line at the end of the file.

An extended version of this scenario would be to completely disallow FTP access except through the webshell: keep the ALL: ALL line in ftp.deny and let your ftp.allow file contain only an empty line, so that nothing is ever specifically allowed.

Scenario 2: Allow everything except the IP addresses you don't like (maybe because your ex-webmaster is now trying to hack your site, or because you noticed hackers trying to break into your site from those ranges, or whatever reasons you may have). Say you want to allow everything but block the IP ranges 8.0.0.0 – 8.255.255.255, 176.162.54.0 – 176.162.55.255 and 212.35.128.64 – 212.35.128.95, plus the single address 213.1.2.4.

Your ftp.allow file will only contain an empty line, so nothing will match there and ftp.deny will be checked. Your ftp.deny file will look like this:

 ALL:   8.0.0.0/255.0.0.0
 ALL:   176.162.54.
 ALL:   176.162.55.
 ALL:   212.35.128.64/255.255.255.224
 ALL:   213.1.2.4

Again, don't forget the empty line at the end. An extended version of this scenario would be to allow everything (which is probably the situation you are in right now). If that's the case, you don't need to do anything, not even create these files.
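To make the check order and the pattern forms above concrete, here is a small Python model of the decision the daemon makes. This is an added example, not the mod_wrap2 code and not part of the original post: it mirrors the order described above (ftp.allow first, then ftp.deny, then allow by default) and the four client patterns, using the Scenario 1 and Scenario 2 files from the post. The client addresses it tests are made up for the demonstration, and a net/mask whose address is not the first address of its block is treated as a configuration error (an assumption of this model).

```python
"""Added example: a pure-Python model of the ftp.allow / ftp.deny decision
described in the post. This is NOT the daemon's (mod_wrap2) code; it only
mirrors the check order and the four client pattern forms the post lists.
The client addresses tested at the bottom are constructed for the demo."""
import ipaddress


def parse_rules(text):
    """Turn the contents of ftp.allow or ftp.deny into a list of client
    patterns. Blank lines (including the required trailing one) are ignored;
    '#' comments are tolerated as an assumption of this model."""
    patterns = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        # The post only ever uses ALL as the daemon list; reject anything else
        # so a typo fails loudly instead of silently matching nothing.
        if not sep or daemons.strip().upper() != "ALL" or not clients.strip():
            raise ValueError(f"unsupported rule line: {raw!r}")
        patterns.extend(clients.replace(",", " ").split())
    return patterns


def matches(pattern, client_ip):
    """True if one client pattern matches the connecting IPv4 address."""
    addr = ipaddress.IPv4Address(client_ip)
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        # Prefix form: '1.2.3.' matches 1.2.3.0-1.2.3.255 (string prefix,
        # so '1.2.3.' does not match 1.2.30.5).
        return str(addr).startswith(pattern)
    if "/" in pattern:
        # net/mask form. strict=True raises ValueError if the address before
        # the slash is not the first address of the block, e.g.
        # 1.2.3.100/255.255.255.128; this model treats that as a config error.
        return addr in ipaddress.IPv4Network(pattern, strict=True)
    return addr == ipaddress.IPv4Address(pattern)


def ftp_access_allowed(client_ip, allow_text, deny_text):
    """Apply the order from the post: ftp.allow first (a match wins
    immediately), then ftp.deny, and allow if neither file matched.
    Returns (allowed, reason)."""
    for pat in parse_rules(allow_text):
        if matches(pat, client_ip):
            return True, f"allowed by ftp.allow ({pat})"
    for pat in parse_rules(deny_text):
        if matches(pat, client_ip):
            return False, f"530 denied by ftp.deny ({pat})"
    return True, "no rule matched (default allow)"


# Scenario 1 from the post: only the home IP and the office /24 may log in.
SCENARIO1_ALLOW = "ALL:   76.188.2.141\nALL:   12.44.215.0/255.255.255.0\n\n"
SCENARIO1_DENY = "ALL:   ALL\n\n"

# Scenario 2 from the post: allow everyone except the listed ranges.
SCENARIO2_ALLOW = "\n"
SCENARIO2_DENY = (
    "ALL:   8.0.0.0/255.0.0.0\n"
    "ALL:   176.162.54.\n"
    "ALL:   176.162.55.\n"
    "ALL:   212.35.128.64/255.255.255.224\n"
    "ALL:   213.1.2.4\n\n"
)

# Webshell-only variant: empty ftp.allow plus ALL: ALL in ftp.deny.
LOCKOUT_ALLOW = "\n"
LOCKOUT_DENY = "ALL:   ALL\n\n"

if __name__ == "__main__":
    # Constructed client addresses; the office one is inside the /24,
    # 12.44.216.1 is just outside it.
    for ip in ("76.188.2.141", "12.44.215.77", "12.44.216.1"):
        print("scenario 1", ip, ftp_access_allowed(ip, SCENARIO1_ALLOW, SCENARIO1_DENY))
    for ip in ("8.8.8.8", "176.162.55.9", "212.35.128.95", "212.35.128.96",
               "213.1.2.4", "1.2.3.4"):
        print("scenario 2", ip, ftp_access_allowed(ip, SCENARIO2_ALLOW, SCENARIO2_DENY))
    print("lockout", ftp_access_allowed("76.188.2.141", LOCKOUT_ALLOW, LOCKOUT_DENY))
```

Running it shows the boundary behaviour worth checking before you rely on the real files: 212.35.128.95 is the last denied address of the /27 and 212.35.128.96 is allowed, and in the lockout variant even the home IP is refused, leaving the webshell as the only way back in.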

If you have any questions, feel free to comment on this blog and I will gladly respond to your concerns.

/tibi

P.S.: Thank you Mike for spotting an error I made in the post. I have corrected it now.


18 Comments to "FTP Security Improvements: Read here how!"

Fri, July 17th, 2009

juan antonio meca says:

The problem is with dynamic IPs; how can I resolve that?

Fri, July 17th, 2009

Tiberiu says:

Hello Juan,

If you have a dynamic IP address, the problem is very simple to solve. Actually, there are 2 options, and here are both of them:

* If you trust that you will not be hacked by someone who uses the same ISP as you do, you may call your ISP and ask them what IP ranges are used for dynamic IP users in your area. Usually ISPs have a very clear geographical delimitation for their IP assignments (I know this because between 1998 and 2005 I worked for various ISPs; I have worked for this company since 2005 but I keep close contact with the last ISP I worked for). Once you know the IP ranges used by your ISP in your area, create the ftp.allow file with those IPs.

* If you don't trust your ISP, you may allow your existing IP address (you can find this IP address by going to various websites that report your IP, like http://www.whatismyip.com). When this IP changes, you log in via your control panel and, using the webshell, change the allowed IP address to match your current one (remember, webshell is ALWAYS allowed).

If you have any more questions, do not hesitate to contact me.

Sat, July 18th, 2009

juan antonio meca says:

Hello:

Thank you for your answer. Is it possible to put a domain like xxxxxx.dyndns.com, or only IP numbers?

Regards

Thu, July 23rd, 2009

juan antonio meca says:

Hello: on 19/07 I installed the files ftp.allow and ftp.deny, with only my dynamic IP in allow and deny all.

And on 21/07 I have new malicious code in my webs, of the type <iframe src.

Only two days of peace.

Are you sure this is a great thing? Or what can I do? Does it affect only my domains, or other customers too?

Regards.

Thu, July 23rd, 2009

Tiberiu says:

Hello Juan,

I am pretty sure that if you have the proper allow and deny files in your account, the "hacker" did not enter using FTP. The infection probably happened using a vulnerability in your site. Please open a ticket and I will go through the logs to see what I can find out for you (you can go through the logs too).

Sun, July 26th, 2009

DarrenJ says:

Hi

I'm just testing this. Created the ftp.allow and ftp.deny files. I thought I'd deny everything (ALL: ALL) and allow nothing (blank line). Then, when I can't FTP, I'll know it works and can go into the WebShell and allow my IP address.

Unfortunately, I can't block myself at all. No matter what I do or where I put the files, I can still FTP straight in.

Any chance of some help? Where am I going wrong?

thanks

Darren

Thu, July 30th, 2009

Don says:

The http://ftp.allow/ link above does not work. I am having trouble determining how and where to place this file on my webshell.

Thank you

Thu, July 30th, 2009

Tiberiu says:

Don, I will be more than happy to help you. Please open a ticket and put in the subject of the ticket “Attn Tibi”. I am very sure the ftp allow/deny combination of files works perfectly, we’ve tested it several times.

Thu, July 30th, 2009

Tiberiu says:

Darren: The problem with your account is that it is on a Windows server. Unfortunately the allow/deny of FTP access does not work on Windows servers.

Sun, August 9th, 2009

Mae says:

What program do you use to create the ftp.allow and ftp.deny files? WordPad? It puts a .txt extension on the file.
HTML software? It puts an .html extension on the file.
Please tell me how to create the files.
Thanks.

Wed, August 12th, 2009

johann says:

@Mae,

Try saving the file with quotes around it and the extension. This should cause windows to accept it as is and not try to add an extension (which is usually helpful).

You can create the files directly with webshell and the editor in there will not try to force an extension on you.

Thu, October 22nd, 2009

Sean says:

Is there anything like this for Windows-based hosting solutions? I’d like to restrict access, or at least generate a log of invalid FTP login attempts.

Tue, October 27th, 2009

Ishi says:

This method is working, but what to do with dynamic IPs? Every time my ISP gives me a new IP, so my FTP doesn't work after every computer restart or after I disconnect and reconnect to the net.

So what do I do now to make my FTP work every time I connect to the net?
Should I, every time I connect to the internet, get my IP, then go to the webshell, delete the old IP and add the new one?
If yes, then this method is not good; please give some permanent solution. Also, my ISP doesn't tell me the IP range.

Fri, November 6th, 2009

Dinesh B. says:

Is there a solution yet for Windows platforms? Our website was hacked again! The hacker inserted iframe code at the bottom of a few pages. The FTP logs show that it connected from 127.0.0.1, which is from WebShell. Could it be HTTP code injection? There is nothing in the HTTP logs.

Thu, November 19th, 2009

Mike says:

How would I allow IP addresses in the following range?

76.162.254.100 – 74.162.254.255

I thought I had it figured out, but was confused by the last example where for the allow range of:

212.35.128.64 – 212.35.128.95

you had:

ALL: 212.35.128.64/255.255.255.192

I thought the rule was to subtract the number from 255 that you wanted the range to be counted up from the first IP to the last IP listed. But in the last example, 255-192=63, and 64+63=127. So I thought the correct way to add that range would be:

ALL: 212.35.128.64/255.255.255.224

As I understood it, this would allow a count of 31 from x.x.x.64 to bring it up to x.x.x.95, since 255-224=31. Am I wrong or is this example wrong? And If I’m not grasping this, how did you come up with .192 to allow the range from .64 to .95?

Thu, November 19th, 2009

Mike says:

I just spoke to IX web hosting tech support and they told me there is actually no way to allow a range other than using the method where the last number of the IP address is blank to allow the range from 0-255. So I hope you respond to this soon, Tiberiu. Because from where I’m sitting right now, it looks like either you don’t know what you’re talking about, or IX web hosting tech support doesn’t.

Thu, November 19th, 2009

Tiberiu says:

Hello Mike,

You are correct, in part. The right netmask for a block of 32 IP addresses is 255.255.255.224. You also CANNOT allow the range 76.162.254.100 – 76.162.254.255 in one line. You would need something like this:

76.162.254.100/255.255.255.252
76.162.254.104/255.255.255.248
76.162.254.112/255.255.255.240
76.162.254.128/255.255.255.128

Maybe this link can help you understand subnetting a little better: http://www.tech-faq.com/subnetting.shtml

Also, I will be correcting the post shortly.
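
The subnetting in the exchange above is easy to get wrong by hand, so here is an added helper (not part of the post or of the comments) that uses Python's standard library to do it: it splits any inclusive IPv4 range into the fewest aligned "ALL: net/mask" lines, and it checks whether a set of hand-written lines (exact, trailing-dot prefix or net/mask form) covers exactly a given range. The sample range is the one from the comments; the .192 mask it flags is the one Mike quotes above. Treating a net/mask whose address is not the first of its block as an error is this helper's choice, not something the post states.

```python
"""Added example: helper for writing net/mask lines. Not part of the post or
the comments; it uses the standard library to do the subnet arithmetic
discussed above and to double-check hand-written rules. The sample range
is the one from the comments."""
import ipaddress


def range_to_rules(first, last):
    """Return the fewest 'ALL:   net/mask' lines that cover first..last
    (inclusive). A single net/mask line can only express a block whose size
    is a power of two and whose first address is a multiple of that size,
    which is why .100-.255 cannot be written as one line."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start comes after range end")
    return [f"ALL:   {net.network_address}/{net.netmask}"
            for net in ipaddress.summarize_address_range(lo, hi)]


def rule_to_network(rule):
    """Convert one 'ALL: client' line into the IPv4 network it matches.
    Handles the exact, trailing-dot prefix and net/mask forms from the post;
    'ALL' as the client is the whole address space."""
    client = rule.split(":", 1)[1].strip()
    if client.upper() == "ALL":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if client.endswith("."):
        # '1.2.3.' is the same set as 1.2.3.0/255.255.255.0
        octets = client.rstrip(".").split(".")
        if not 1 <= len(octets) <= 3:
            raise ValueError(f"bad prefix pattern: {client}")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")
    if "/" in client:
        # strict=True (an assumption of this helper): an address that is not
        # the first of its block, e.g. .100/255.255.255.128, is rejected
        # rather than silently widened to the block it falls in.
        return ipaddress.IPv4Network(client, strict=True)
    return ipaddress.IPv4Network(f"{client}/32")


def rules_cover_exactly(rules, first, last):
    """True if the rules match every address in first..last and nothing
    outside it. Use it to check a hand-written ftp.allow/ftp.deny block."""
    covered = list(ipaddress.collapse_addresses(rule_to_network(r) for r in rules))
    wanted = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return covered == wanted


if __name__ == "__main__":
    # The range from the comments needs four lines.
    for line in range_to_rules("76.162.254.100", "76.162.254.255"):
        print(line)
    # The Scenario 2 range is a single aligned block of 32 addresses...
    print(range_to_rules("212.35.128.64", "212.35.128.95"))
    # ...while the .192 mask quoted in the comments would cover .64-.127.
    print(rules_cover_exactly(["ALL:   212.35.128.64/255.255.255.192"],
                              "212.35.128.64", "212.35.128.95"))
```

The four lines it prints for 76.162.254.100 – 76.162.254.255 are the same four given in the reply above, and rules_cover_exactly returns False for the .192 mask because that block runs to .127, not .95.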

Sun, November 29th, 2009

Nico says:

Can we move over and use SFTP instead? I’ve been getting hacked even though I changed my passwords. I think that FTP is too vulnerable with the password being sent in the clear.

 
© 2011 IX Web Hosting.