------------------------------------------------------------------------ ProFTPD module mod_wrap ------------------------------------------------------------------------ This module is contained in the contrib/mod_wrap.c file for ProFTPD 1.2.x, and is not compiled by default. It enables the daemon to use the common tcpwrappers access control library while in standalone mode, and in a very configurable manner. If not installed on your system, the TCP wrappers library, required by this module, can be found here, on Wietse Venema's site. Once installed, it highly recommended that the hosts_access(3) and hosts_access(5) man pages be read and understood. The installation of mod_wrap is fairly straightforward, with some caveats for Solaris and FreeBSD users. Many programs will automatically add entries in the common allow/deny files, and use of this module will allow a ProFTPD daemon running in standalone mode to adapt as these entries are added. The portsentry program does this, for example: when illegal access is attempted, it will add hosts to the /etc/hosts.deny file. tcpdmatch The most current version of mod_wrap can be found at: http://www.castaglia.org/proftpd/ Author Please contact TJ Saunders with any questions, concerns, or suggestions regarding this module. Thanks 2000-05-29: Thanks to David Douthitt for pointing out the usefulness of using mod_wrap in conjunction with portsentry 2001-03-01: Updated the configuration directives, as per lung at theuw.net's helpful suggestions. 2001-09-24: Thanks to Zenon Mousmoulas for helping determine that adding -lnsl would help in compiling mod_wrap with the stock RedHat libwrap.a, so that recompiling tcpwrappers without NIS/YP support should no longer be necessary. 2001-09-27: Thanks to Gabe Frost for helping track down several mergedown bugs. 2001-12-19: Thanks to Mark Castillo for pointing out the issue with passwords not being properly hidden Directives * TCPAccessFiles * TCPAccessSyslogLevels * TCPGroupAccessFiles * TCPServiceName * TCPUserAccessFiles ------------------------------------------------------------------------ TCPAccessFiles Syntax: TCPAccessFiles allow-filename deny-filename Default: None Context: server config, , Module: mod_wrap Compatibility: 1.2.1 and later TCPAccessFiles specifies two files, an allow and a deny file, each of which contain the IP addresses, networks or name-based masks to be allowed or denied connections to the server. The files have the same format as the standard tcpwrappers hosts.allow/deny files. Both file names are required. Also, the paths to both files must be the full path, with two exceptions: if the path starts with ~/, the check of that path will be delayed until a user requests a connection, at which time the path will be resolved to that user's home directory; or if the path starts with ~user/, where user is some system user. In this latter case, mod_wrap will attempt to resolve and verify the given user's home directory on start-up. The service name for which mod_wrap will look in the indicated access files is proftpd by default; this can be configured via the TCPServiceName directive. There is a built-in precedence to the TCPAccessFiles, TCPGroupAccessFiles, and TCPUserAccessFiles directives, if all are used. mod_wrap will look for applicable TCPUserAccessFiles for the connecting user first. If no applicable TCPUserAccessFiles is found, mod_wrap will search for TCPGroupAccessFiles which pertain to the connecting user. If not found, mod_wrap will then look for the server-wide TCPAccessFiles directive. This allows for access control to be set on a per-server basis, and allow for per-user or per-group access control to be handled without interfering with the server access rules. Example: # server-wide access files TCPAccessFiles /etc/ftpd.allow /etc/ftpd.deny # per-user access files, which are to be found in the user's home directory TCPAccessFiles ~/my.allow ~/my.deny See also: TCPGroupAccessFiles, TCPServiceName, TCPUserAccessFiles ------------------------------------------------------------------------ TCPAccessSyslogLevels Syntax: TCPAccessSyslogLevels allow-level deny-level Default: TCPAccessSyslogLevels info warn Context: server config, , , Module: mod_wrap Compatibility: 1.2.1 and later ProFTPD can log when a connection is allowed, or denied, as the result of rules in the files specified in TCPAccessFiles, to the Unix syslog mechanism. A discussion on the syslog levels which can be used is given in the SyslogLevel directive. The allow-level parameter sets the syslog level at which allowed connections are logged; the deny-level parameter sets the syslog level for denied connections. Example: TCPAccessSyslogLevels debug warn ------------------------------------------------------------------------ TCPGroupAccessFiles Syntax: TCPGroupAccessFiles group-expression allow-filename deny-filename Default: None Context: server config, , Module: mod_wrap Compatibility: 1.2.1 and later TCPGroupAccessFiles allows for access control files, the same types of files required by TCPAccessFiles, to be applied to select groups. The given group-expression is a logical AND expression, which means that the connecting user must be a member of all the groups listed for this directive to apply. Group names may be negated with a ! prefix. The rules for the filename paths are the same as for TCPAccessFiles settings. Example: # every member of group wheel must connect from restricted locations TCPGroupAccessFiles wheel /etc/ftpd-strict.allow /etc/ftpd-strict.deny # everyone else gets the standard access rules TCPGroupAccessFiles !wheel /etc/hosts.allow /etc/hosts.deny See Also: TCPAccessFiles ------------------------------------------------------------------------ TCPServiceName Syntax: TCPServiceName name Default: TCPServiceName proftpd Context: server config, , Module: mod_wrap Compatibility: 1.2.1 and later TCPServiceName is used to configure the name of the service under which mod_wrap will check the allow/deny files. By default, this is the name of the program started, i.e. "proftpd". However, some administrators may want to use a different, more generic service name, such as "ftpd"; use this directive for such needs. ------------------------------------------------------------------------ TCPUserAccessFiles Syntax: TCPUserAccessFiles user-expression allow-filename deny-filename Default: None Context: server config, virtual host Module: mod_wrap Compatibility: 1.2.1 and later TCPUserAccessFiles allows for access control files, the same types of files required by TCPAccessFiles, to be applied to select users. The given user-expression is a logical AND expression. Listing multiple users in a user-expression does not make much sense; however, this type of AND evaluation allows for expressions such as "everyone except this user" with the use of the ! negation prefix. The rules for the filename paths are the same as for TCPAccessFiles settings. Example: # user admin might be allowed to connect from anywhere TCPUserAccessFiles admin /etc/ftpd-anywhere.allow /etc/ftpd-anywhere.deny # while every other user has to connect from LAN addresses TCPUserAccessFiles !admin /etc/ftpd-lan.allow /etc/ftpd-lan.deny See also: TCPAccessFiles ------------------------------------------------------------------------ Installation Use of mod_wrap is straightforward, with some minor caveats. If you're using Solaris, you'll need to obtain and build the tcpwrappers library, as this library does not come installed on stock Solaris systems. If you're using FreeBSD-4.4-STABLE (and possibly other versions), you'll need to change the following line in the header of mod_wrap.c: * $Libraries: -lwrap -lnsl$ to be: * $Libraries: -lwrap$ This line is needed on Linux and Solaris machines, to properly link against the libnsl.a library, which implements the NIS/YP functions. In FreeBSD, these functions are implemented in libc. Then, you need simply follow the normal steps for using third-party modules in proftpd: ./configure --with-modules=mod_wrap make make install ------------------------------------------------------------------------ Author: $Author: castaglia $ Last Updated: $Date: 2002/05/12 23:22:16 $ ------------------------------------------------------------------------ © Copyright 2000-2002 TJ Saunders All Rights Reserved ------------------------------------------------------------------------