1

How do I configure proftpd to only listen to connections on 127.0.0.1? If I set

DefaultAddress localhost

in /etc/proftpd/proftpd.conf

and restart proftpd I'm still able to login from another computer...

Is this the wrong option? Or is this just a stupid use case and no one but me would ever need such functionality?!?

Castaglia
bla

3 Answers

2

To get proftpd to listen only on localhost, you would use both DefaultAddress and SocketBindTight, like so:

DefaultAddress localhost
SocketBindTight on

By default, proftpd will listen on all interfaces for a given port (e.g. "*:21"). The SocketBindTight directive tells proftpd to bind "tightly" to the address/socket, rather than using a wildcard socket (resulting in e.g. "127.0.0.1:21").

Castaglia
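A way to confirm which of the two bindings described in the answer above is in effect, added here as an example and not part of the original answer. It classifies the listeners for a port from `ss -ltn` output; the function name `bind_status` and the sample socket listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a TCP port is bound to loopback only.

# Constructed sample: only "DefaultAddress localhost" set (wildcard socket).
SAMPLE_WILDCARD='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     *:21                *:*'

# Constructed sample: "SocketBindTight on" added as well.
SAMPLE_TIGHT='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:21        0.0.0.0:*'

# bind_status PORT: reads `ss -ltn` text on stdin and prints one of
#   not-listening | loopback-only | exposed: <addr:port>...
bind_status() {
    awk -v port="$1" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) {
            # Split "Local Address:Port" at the last colon.
            if (substr($4, RSTART + 1) != port) next
            addr = substr($4, 1, RSTART - 1)
            gsub(/^\[|\]$/, "", addr)   # strip IPv6 brackets
            sub(/%.*$/, "", addr)       # strip interface scope, e.g. %lo
            seen = 1
            # Anything outside 127.0.0.0/8 and ::1 is reachable remotely,
            # including the wildcards *, 0.0.0.0 and ::.
            if (addr !~ /^(::ffff:)?127\./ && addr != "::1")
                exposed = exposed " " $4
        }
        END {
            if (!seen) print "not-listening"
            else if (exposed != "") print "exposed:" exposed
            else print "loopback-only"
        }'
}

# Live use after restarting proftpd:  ss -ltn | bind_status 21
printf '%s\n' "$SAMPLE_WILDCARD" | bind_status 21
printf '%s\n' "$SAMPLE_TIGHT" | bind_status 21
```
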
-1

Did you try using 127.0.0.1 instead of localhost? Maybe /etc/hosts has something strange in there.

Failing that, the ProFTPd FAQ suggests using the Allow and Deny options, or run it from xinetd, or enable the tcp wrappers module and set that up.

Or of course you could use iptables.

Mikel
-1

It doesn't look like there's an option inside the configuration file. This is one way to do it, which will also allow you to filter by username (using PAM):

Create a file called /etc/security/proftpd.conf containing the following lines:

+ : ALL : 127.0.0.1  
+ : ALL : localhost  
- : ALL : ALL

The + means allow, the second column is the username, and the third column is the hostname of the incoming connection. So, for example, + : john : 127.0.0.2 will allow john to connect from 127.0.0.2. A - denies them.

Next, modify /etc/pam.d/proftpd to add the following somewhere near the top (I make it the first line after session) to make it read the new file:

auth       required     pam_access.so accessfile=/etc/security/proftpd.conf

It should take effect immediately without the need for a service restart.

James L
  • On Ubuntu 12.04, I had to also enable PAM authentication by uncommenting the line `# AuthOrder mod_auth_pam.c* mod_auth_unix.c` in `/etc/proftpd/proftpd.conf`. – Ivan Vučica Oct 17 '13 at 13:13