TCP Wrappers and restricting users

I'm using vsftpd which is being controlled by inetd.

I have a user that I want to only be able to connect from one specific IP address on the same internal network so I can backup files on a separate system.

Is this possible with TCP wrappers? I got the notion that it was because of a few posts on the web in other places.
Namely:

VSFTPD: Only One IP Address allowed for one user - Linux / UNIX Forum

Reading through the TCP Wrappers documentation, it doesn't make mention of usernames being present in either hosts.allow or hosts.deny. Is this wrong? Or am I going about this the wrong way?

I'm not too clear on how tcpd would tell the difference between users either, since it would seem to happen before it hands over the connection! Some of its documentation hints about the IDENT protocol or RFC 931, which could mean having to do custom configuration on the client, not just the server. And that probably assumes the username on the client machine matches what they want to log in as in the first place.

All in all it would be much better to do it cleanly inside vsftpd, but that doesn't look possible either! It does have per-client configuration settings, cheerfully ignored whenever they specify limits on things that have already happened -- like specifying an IP to connect from. Its user allow/deny list cannot specify IP addresses either; it's just a dumb text file of one user per line.

If you absolutely have to use vsftpd, you might need to set up a separate daemon for that one user, restricted to some internal subnet. Or, if the user's not internal, over some VPN.
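As an added illustration of the separate-daemon approach suggested above (this is not code from the thread or from the vsftpd project), the script below generates the pieces for a second, single-user vsftpd instance run from inetd behind tcpd, as the original poster's setup already is. The trick that makes TCP Wrappers useful here is that tcpd names the daemon after the basename of the program it is told to exec, so invoking vsftpd through a symlink with a distinct name gives the backup instance its own line in hosts.allow and hosts.deny, independent of the main "vsftpd" rules. The service name "ftp-backup" on port 2121, the account "dbbackup", the client 192.168.1.10 and the symlink path /usr/local/sbin/vsftpd-backup are all assumptions chosen for the example. Note also that the only username TCP Wrappers itself understands is the `user@host` form, which is the IDENT (RFC 931) name reported by the client host, not the FTP login, so the per-user restriction here comes from the instance's userlist, not from tcpd.

```bash
#!/bin/sh
# Added example, not from the thread: generate the files for a second,
# single-user vsftpd instance driven by inetd and wrapped by tcpd.
# Assumed names: service "ftp-backup" on 2121/tcp, account "dbbackup",
# client 192.168.1.10, and a symlink /usr/local/sbin/vsftpd-backup ->
# /usr/sbin/vsftpd so tcpd sees a daemon name other than "vsftpd".
#
# PREFIX defaults to a scratch directory so this runs offline; set
# PREFIX=/ to write the real system files (review them first).
PREFIX="${PREFIX:-$(mktemp -d)}"
BACKUP_USER="${BACKUP_USER:-dbbackup}"
BACKUP_CLIENT="${BACKUP_CLIENT:-192.168.1.10}"
DAEMON_NAME="vsftpd-backup"

write_files() {
    mkdir -p "$PREFIX/etc"

    # 1. Per-instance vsftpd config: inetd mode, read-only, and only the
    #    users listed in userlist_file may log in (userlist_deny=NO turns
    #    the list into an allow list). The backup host pulls files, so
    #    uploads are disabled.
    cat > "$PREFIX/etc/vsftpd-backup.conf" <<EOF
listen=NO
anonymous_enable=NO
local_enable=YES
write_enable=NO
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd-backup.users
EOF
    printf '%s\n' "$BACKUP_USER" > "$PREFIX/etc/vsftpd-backup.users"

    # 2. inetd line: tcpd execs the symlink, so the daemon name it looks
    #    up in hosts.allow is the symlink's basename; the config path is
    #    passed straight through to vsftpd. inetd picks the port from
    #    the service name, hence the /etc/services entry.
    printf 'ftp-backup stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/%s /etc/vsftpd-backup.conf\n' \
        "$DAEMON_NAME" > "$PREFIX/etc/inetd.conf.fragment"
    printf 'ftp-backup 2121/tcp\n' > "$PREFIX/etc/services.fragment"

    # 3. TCP Wrappers: exactly one client may reach the backup daemon;
    #    every other source is refused. The main vsftpd rules are left
    #    alone because the daemon name differs.
    printf '%s: %s\n' "$DAEMON_NAME" "$BACKUP_CLIENT" >> "$PREFIX/etc/hosts.allow"
    printf '%s: ALL\n' "$DAEMON_NAME" >> "$PREFIX/etc/hosts.deny"
}

# Returns 0 when the generated files carry the four settings that
# together restrict the instance to one user from one address.
check_rules() {
    grep -qxF "$DAEMON_NAME: $BACKUP_CLIENT" "$PREFIX/etc/hosts.allow" &&
    grep -qxF "$DAEMON_NAME: ALL" "$PREFIX/etc/hosts.deny" &&
    grep -qxF "$BACKUP_USER" "$PREFIX/etc/vsftpd-backup.users" &&
    grep -qxF 'userlist_deny=NO' "$PREFIX/etc/vsftpd-backup.conf"
}

write_files && check_rules && echo "generated under $PREFIX"
```

After installing the fragments into the real inetd.conf and /etc/services and creating the symlink, check the wrapper rules with `tcpdmatch vsftpd-backup 192.168.1.10` and again with some other address; tcpdmatch reports whether access would be granted for that daemon/client pair without opening a connection. The dbbackup account still needs read permission on the files being pulled, and the main ftp service's own hosts.allow entry is unchanged by any of this.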

I kept reading after I posted and pretty much found that out too.

As far as setting up a separate ftp daemon goes: I think there would be too little payoff for that much work and usage of CPU cycles.

The whole point of this was to back up the MySQL database directories in /var/lib/mysql; this way we could have both a dumped backup of the database and a hard copy that we could easily just replace the ones that were present with.

I think we'll just stick with a redundant backup of dumped databases, because it's easier to secure MySQL than to secure FTP.

Oh and one more thought... PAM couldn't be configured to do something like that?

I believe Red Hat at one point added proprietary extensions to PAM to do that. These were ill-received and I'm not sure if they're still there. Checking the incoming IP address for a login process isn't as obvious as it appears at first blush.

Gotcha. Thanks for the pointers!