Problem using hosts.allow with vsftpd

Support for security such as Firewalls and securing linux
Post Reply
pdown85
Posts: 45
Joined: 2005/04/16 23:54:41
Location: UK

Problem using hosts.allow with vsftpd

Post by pdown85 » 2007/05/10 19:42:41

Linux CentOS 4.4 (2.6.9-42.0.10.EL)

Two issues. First more significant, the second an inconvenience more than anything.

1. VSFTPD rule and logging problem

I am seeking to use hosts.allow to allow/deny some application accesses to my Linux box. I have encountering a funny when trying to log attempted accesses to vsftpd.

Starting with something that is working flawlessly, here are the lines for sshd:

[code]
sshd: LOCAL \
123.123. .some-domain.com \
: spawn ( /bin/echo "`/bin/date` access GRANTED [process %d, server %H, address %a, client %h, info %c, username %u]" | \
tee -a /tmp/log/my-hosts-allow-allow-rule.log | \
/bin/mail -s "hosts.allow (sshd\:SELECTIVE) GRANTED rule triggered" name@valid-address ) & \
: allow

# catch all other attempts, deny access and log attempt
sshd: ALL \
: spawn ( /bin/echo "`/bin/date` access DENIED [process %d, server %H, address %a, client %h, info %c, username %u]" | \
tee -a /tmp/log/my-hosts-allow-deny-rule.log | \
/bin/mail -s "hosts.allow (sshd\:SELECTIVE) DENIED rule triggered" name@valid-address ) & \
: deny
[/code]

Both of these work perfectly logging the results to file and emailing the logs. The match on 123.123. (my office IP/domain) works.

Now for vsftpd:

[code]
vsftpd: ALL \
: allow
[/code]

This works perfectly; my SmartFTP client from an office PC logs straight in as expected.
But I want to log attempts to access vsftpd, so now the issue. I try:

[code]
vsftpd: LOCAL 192.168. \
123.123. .some-domain.com \
: spawn ( /bin/echo "`/bin/date` access GRANTED [process %d, server %H, address %a, client %h, info %c, username %u]" | \
tee -a /tmp/log/my-hosts-allow-allow-rule.log | \
/bin/mail -s "hosts.allow (vsftpd\:SELECTIVE) GRANTED rule triggered" name@valid-address ) & \
: allow
[/code]

These lines write out an "access" granted line to the tee'd log file and even successfully send the email of the log file (saying access is granted!), all as expected - but SmartFTP actually fails to logon, times out, re-tries, time-outs, repeating until the re-try limit is reached. Access is blocked. Remove the logging lines again ... and SmartFTP gets straight in as before.
What is happening here? The SSHD rule(s) prove the logging and emailing work fine, and the vsftpd: ALL test rules show SmartFTP can log on fine from the office PC. So why is the addition of the logging/emiling lines to the vsftpd rules causing FTP logon to fail?

I have noticed that for the sshd allow/deny rule the log file is written with permissions 0644.
When the vsftpd logging rule variant is applied the log file is written with permissions 0600. I cannot see why.

What is different about vsftpd? Is there something in the vsftpd configuration I am not setting?
Any suggestions welcome.

2) Second point, although not so much as an issue.

Regarding the line:

[code]
123.123. .some-domain.com \
[/code]

I find if I use:

[code]
123.123. \
[/code]

I get access with this fine.

But if I use:

[code]
.some-domain.com \
[/code]

I do not get a match and fail to logon.
So the match in the first line is because of the IP address and not the domain name. Why? I should get access matching on the rule for either (where I have double-checked both are valid), or am I misunderstanding something.

If you've read this far ... apologies for being rather long-winded!
TIA.

Post Reply

Return to “CentOS 4 - Security Support”