Big Bill...
Posted: Thu Aug 06, 2009 12:33 pm

Hi
vsftpd on an Ubuntu 7.10 machine.
No anonymous login.
Is it possible to define time bands for transfers?
i.e. transfers allowed from 9pm to 6am only.
Thanks

Allen Kistler...
Posted: Thu Aug 06, 2009 5:10 pm

Big Bill wrote:
Quote: vsftpd on an Ubuntu 7.10 machine.
No anonymous login.
Is it possible to define time bands for transfers?
i.e. transfers allowed from 9pm to 6am only.

Not intrinsically in vsftpd.
You could use cron to start and stop the service, plus kill any children
at stop time.
Or you could use the iptables time modules to block connections.
Dropping ESTABLISHED ones at stop time would require some special care.

Big Bill...
Posted: Thu Aug 06, 2009 5:29 pm

Hi Allen
I don't want to stop the service 'cause I use it when I'm away.
Iptables will block only known connections, suppose Joe gives his login
to his brother!?
There's a welcome banner_file that says that tfrs are only accepted from
9pm to 6am otherwise banished. But it's like income rules!!
I could limit the space on the server, or I could limit the size of
transfers but since it's something like a "family" server used for
exchanging images and videos of trips and the like, I just don't want to
end the ftp service.
If I could just block connections except mine during the day it should
be just perfect.

Allen Kistler wrote:
Quote: Big Bill wrote:
vsftpd on an Ubuntu 7.10 machine.
No anonymous login.
Is it possible to define time bands for transfers?
i.e. transfers allowed from 9pm to 6am only.

Not intrinsically in vsftpd.
You could use cron to start and stop the service, plus kill any children
at stop time.
Or you could use the iptables time modules to block connections.
Dropping ESTABLISHED ones at stop time would require some special care.

Chris Cox...
Posted: Thu Aug 06, 2009 6:24 pm

Big Bill wrote:
Quote: Hi
vsftpd on an Ubuntu 7.10 machine.
No anonymous login.
Is it possible to define time bands for transfers?
i.e. transfers allowed from 9pm to 6am only.
Thanks

If you run vsftpd under xinetd then do a man on xinetd.conf and look for access_times. See if that helps.

Allen Kistler...
Posted: Thu Aug 06, 2009 6:26 pm

Big Bill wrote:
Quote: Allen Kistler wrote:
Big Bill wrote:
vsftpd on an Ubuntu 7.10 machine.
No anonymous login.
Is it possible to define time bands for transfers?
i.e. transfers allowed from 9pm to 6am only.
Not intrinsically in vsftpd.
You could use cron to start and stop the service, plus kill any
children at stop time.
Or you could use the iptables time modules to block connections.
Dropping ESTABLISHED ones at stop time would require some special care.
I don't want to stop the service 'cause I use it when I'm away.

I did say cron could start the service as well as stop it.

Quote: Iptables will block only known connections, suppose Joe gives his login
to his brother!?

iptables/netfilter would block *all* access (layer 3). Why do you think
netfilter cares about login IDs (layer 7)?

Quote: There's a welcome banner_file that says that tfrs are only accepted from
9pm to 6am otherwise banished. But it's like income rules!!

Yeah, income is nice, but I don't understand what it's got to do with
vsftpd.

Quote: I could limit the space on the server, or I could limit the size of
transfers but since it's something like a "family" server used for
exchanging images and videos of trips and the like, I just don't want to
end the ftp service.

Both of those things are good, but neither would implement time limits.

Quote: If I could just block connections except mine during the day it should
be just perfect.

So *you* want 24 hour access, but everybody else is 9pm to 6am? Why not
use scp yourself 24/7 and turn vsftpd on and off for everyone else?
Or you could set up two user_list/ftpusers files (which *is* a vsftpd
thing and a pam thing - see the other recent thread on vsftpd in this
group) and use cron to swap them at 9pm and 6am. One file allows only
you and one allows you and anyone else you want. It's kludgey and won't
kick off people who are already on at 6am, but it should work otherwise.
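
The two-file swap described in the post above, written out as an added example that is not part of the thread: one script picks the list from the current hour, handling the 9pm to 6am window that wraps past midnight, and installs it with an atomic rename. The list names, paths and script location are assumptions, and vsftpd.conf is assumed to set userlist_enable=YES, userlist_deny=NO and userlist_file to the target path.

```shell
#!/bin/sh
# Added example (not from the thread). File names and paths are assumptions.
# Assumes vsftpd.conf has: userlist_enable=YES, userlist_deny=NO (allow list),
# and userlist_file set to $TARGET.
# Suggested crontab entries (script path is hypothetical); the @reboot run
# covers a machine that was powered off at switch time:
#   0 21 * * *  /usr/local/sbin/vsftpd-window.sh --apply
#   0 6  * * *  /usr/local/sbin/vsftpd-window.sh --apply
#   @reboot     /usr/local/sbin/vsftpd-window.sh --apply

OPEN_START=21                                # 9pm: everyone may log in
OPEN_END=6                                   # 6am: owner only again
LIST_DIR=${LIST_DIR:-/etc/vsftpd}            # holds the two prepared lists
TARGET=${TARGET:-/etc/vsftpd.user_list}      # the file vsftpd actually reads

# Succeed when hour $1 (00-23) is inside the open window.
in_open_window() {
    h=${1#0}; h=${h:-0}      # "09" -> 9, "00" -> 0
    if [ "$OPEN_START" -le "$OPEN_END" ]; then
        [ "$h" -ge "$OPEN_START" ] && [ "$h" -lt "$OPEN_END" ]
    else                     # window wraps past midnight, e.g. 21 -> 6
        [ "$h" -ge "$OPEN_START" ] || [ "$h" -lt "$OPEN_END" ]
    fi
}

# Print the path of the list that should be active at hour $1.
pick_list() {
    if in_open_window "$1"; then
        echo "$LIST_DIR/user_list.everyone"
    else
        echo "$LIST_DIR/user_list.owner"
    fi
}

# Install the right list at $TARGET: copy next to it, then rename, so a
# login never reads a half-written file. A missing source leaves $TARGET as is.
apply_list() {
    src=$(pick_list "$1") || return 1
    [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
    tmp="$TARGET.tmp.$$"
    cp -p "$src" "$tmp" && mv -f "$tmp" "$TARGET"
}

# Deriving the state from the clock (not toggling) makes reruns harmless.
if [ "${1:-}" = "--apply" ]; then
    apply_list "$(date +%H)"
fi
```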

Mark Hobley...
Posted: Fri Aug 07, 2009 11:08 am

Big Bill <billlab951 at (no spam) gmail.com> wrote:
Quote: If I could just block connections except mine during the day it should
be just perfect.

Run the timed restricted service on the normal port, and have a second service
on a different port number that recognizes only your login that runs 24/7.
Mark.
--
Mark Hobley
Linux User: #370818 http://markhobley.yi.org/

Big Bill...
Posted: Fri Aug 07, 2009 5:30 pm

Hi Mark
Mark Hobley wrote:
Quote: Run the timed restricted service on the normal port, and have a second service
on a different port number that recognizes only your login that runs 24/7.

It's a good idea. But while I was talking with Allen, I found that I
forgot to consider the good ones, the ones who only make small xfers
during the day. These I don't want to flush them.
So it raises the difficulty a bit higher and that's why I proposed a
http transfer page. That way, only a little php programming and I will
reject all transfers that would take too long to complete.
I can catch the IP along with the login to decide if I accept or reject
the connection thus identifying a login sharing. Then, evaluate the
transfer size to accept the transfer during the day.
Public keys, as Allen said, are a good protection but also it's easy to
tick the pwds so they don't last longer than a month. That way it should
discourage a lot of non-authorized loggers. At least I think. But I'm
not a pro in server administration.