proftpd的各用户如何限制ip的访问

lijiangt

debian woody+proftpd
用户1:所有ip均可访问
用户2:仅限192.168.*.*,202.200.*.*访问。
请问如何实现？

faint

<Limit LOGIN>
Order allow,deny
Deny from ip1/mask2
Deny from ip2/mask2
Deny from all
</Limit>

lijiangt

最初由 faint 发表
<Limit LOGIN>
Order allow,deny
Deny from ip1/mask2
Deny from ip2/mask2
Deny from all
</Limit>

有点问题吧？
应该是这样吧？
<Limit LOGIN>
Order allow,deny
Allow from all
Deny from ip1/mask2
Deny from ip2/mask2
</Limit>

如果要实现我要求的那个功能应该是这样吧：
<Directory /home/usr1>
<Limit LOGIN>
Order allow,deny
Allow from all
</Limit>
</Directory>

<Directory /home/usr2>
<Limit LOGIN>
Order allow,deny
Allow from all
Deny from ip1/mask2
Deny from ip2/mask2
</Limit>
</Directory>

lijiangt

1. 
   
2. # This is a basic ProFTPD configuration file (rename it to
   
3. # 'proftpd.conf' for actual use.  It establishes a single server
   
4. # and a single anonymous login.  It assumes that you have a user/group
   
5. # "nobody" and "ftp" for normal operation and anon.
   
6. 
   
7. ServerName                      "Bupticet's FTP server,powered by Proftpd on Debian linux"
   
8. ServerIdent                     On "Bupticet's FTP server,powered by Proftpd on Debian linux"
   
9. ServerType                      standalone
   
10. DeferWelcome                    off
    
11. #ServerIdent                    Off
    
12. 
    
13. ShowSymlinks                    on
    
14. MultilineRFC2228                on
    
15. DefaultServer                   on
    
16. ShowSymlinks                    on
    
17. AllowOverwrite                  on
    
18. RequireValidShell               off
    
19. AllowForeignAddress             on
    
20. #PassivePorts           20000 30000
    
21. 
    
22. TimeoutNoTransfer               600
    
23. TimeoutStalled                  600
    
24. TimeoutIdle                     120
    
25. 
    
26. MaxInstances                    250
    
27. DisplayLogin                    welcome.msg
    
28. DisplayFirstChdir               .message
    
29. LsDefaultOptions                "-l"
    
30. 
    
31. DenyFilter                      \*.*/
    
32. 
    
33. # Uncomment this if you are using NIS or LDAP to retrieve passwords:
    
34. #PersistentPasswd               off
    
35. 
    
36. # Port 21 is the standard FTP port.
    
37. Port                            21
    
38. 
    
39. # To prevent DoS attacks, set the maximum number of child processes
    
40. # to 30.  If you need to allow more than 30 concurrent connections
    
41. # at once, simply increase this value.  Note that this ONLY works
    
42. # in standalone mode, in inetd mode you should use an inetd server
    
43. # that allows you to limit maximum number of processes per service
    
44. # (such as xinetd)
    
45. MaxInstances                    30
    
46. MaxClientsPerHost               5
    
47. 
    
48. # Set the user and group that the server normally runs at.
    
49. User                            nobody
    
50. Group                           nogroup
    
51. DefaultRoot ~
    
52. # Normally, we want files to be overwriteable.
    
53. 
    
54. <Directory "/home/silver/*">
    
55. <Limit LOGIN>
    
56. Order deny,allow
    
57. Allow from 0.0.0.0/0.0.0.0
    
58. </Limit>
    
59. </Directory>
    
60. 
    
61. <Directory "/home/resin/*">
    
62. <Limit LOGIN>
    
63. Order deny,allow
    
64. Deny from 0.0.0.0/0.0.0.0
    
65. Allow from 202.204.15.0/255.255.255.0
    
66. Allow from 202.204.14.0/255.255.255.0
    
67. Allow from 192.168.199.0/255.255.255.0
    
68. Allow from 192.168.200.0/255.255.255.0
    
69. </Limit>
    
70. </Directory>
    
71. 
    
72. <Directory /*>
    
73.   Umask                         022  022
    
74.   AllowOverwrite                on
    
75. </Directory>
    
76. 
    
77. # A basic anonymous configuration, no upload directories.
    
78. 
    
79. ## <Anonymous ~ftp>
    
80. ##   User                               ftp
    
81. ##   Group                              nogroup
    
82. ##   # We want clients to be able to login with "anonymous" as well as "ftp"
    
83. ##   UserAlias                  anonymous ftp
    
84. ##
    
85. ##   RequireValidShell          off
    
86. ##
    
87. ##   # Limit the maximum number of anonymous logins
    
88. ##   MaxClients                 10
    
89. ##
    
90. ##   # We want 'welcome.msg' displayed at login, and '.message' displayed
    
91. ##   # in each newly chdired directory.
    
92. ##   DisplayLogin                       welcome.msg
    
93. ##   DisplayFirstChdir          .message
    
94. ##
    
95. ##   # Limit WRITE everywhere in the anonymous chroot
    
96. ##   <Directory *>
    
97. ##     <Limit WRITE>
    
98. ##       DenyAll
    
99. ##     </Limit>
    
100. ##   </Directory>
     
101. ##
     
102. ##   # Uncomment this if you're brave.
     
103. ##   # <Directory incoming>
     
104. ##   #   # Umask 022 is a good standard umask to prevent new files and dirs
     
105. ##   #   # (second parm) from being group and world writable.
     
106. ##   #   Umask                          022  022
     
107. ##   #            <Limit READ WRITE>
     
108. ##   #            DenyAll
     
109. ##   #            </Limit>
     
110. ##   #            <Limit STOR>
     
111. ##   #            AllowAll
     
112. ##   #            </Limit>
     
113. ##   # </Directory>
     
114. ##
     
115. ## </Anonymous>
     
116. 
     

复制代码

以上是我的配置文件，但还是不能限制ip范围，那两段配置好像根本不起作用。。。

lijiangt

改成这样也还是不行：
<Directory "/home/silver/*">
<Limit LOGIN>
Order allow,deny
Allow from 0.0.0.0/0.0.0.0
</Limit>
</Directory>

<Directory "/home/resin/*">
<Limit LOGIN>
Order allow,deny
Allow from 202.204.15.0/255.255.255.0
Allow from 202.204.14.0/255.255.255.0
Allow from 192.168.199.0/255.255.255.0
Allow from 192.168.200.0/255.255.255.0
Deny from 0.0.0.0/0.0.0.0
</Limit>
</Directory>

attiseve

Limits flow downward, so that a Limit configuration in the server config context applies to all <Directory> and <Anonymous> blocks that also reside in the configuration; until it is overridden by a "lower" <Limit> block.

是不是下面的那个Limit把上面的那个覆盖掉了？

lijiangt

我觉得应该不是这个问题吧？？？