This page describes how to setup TCP wrappers (tcpd) to limit access to the raw ftpd server. Most unixes come with tcpd installed, but you can also get it from Wietse Venema's site.
raw-ftp stream tcp nowait root /usr/sbin/wu.ftpd wu.ftpd -l -i -a -t0To interpose tcpd between inetd and ftpd, change the line to look like this (depending on where your tcpd lives):
raw-ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -l -i -a -t0This means that inetd will first run tcpd, and then tcpd can choose to either exec(2) ftpd (if the client passes the access controls) or simply close the connection (if the client fails the access controls).
Note: You need to send the HUP signal to the inetd process to cause it to re-read its configuration files. See kill(1).
In /etc/hosts.deny:It's not sufficient to allow only localhost (127.0.0.1) because sftpd contacts ftpd on the same interface it was itself contacted on.# by default, nothing can connect to the raw ftpd server # (this assumes you're using wu-ftpd; change the daemon name to # the argv name of whatever you're in fact using) wu.ftpd : ALLand in /etc/hosts.allow:# allow local processes (in particular, sftpd) to connect to the # raw ftpd server; replace 220.127.116.11 with your IP address(es) wu.ftpd : 18.104.22.168, 127.0.0.1
Note that when tcpd denies a connection, it does so by first accepting the connection, waiting about 3 seconds, then closing it. This might be confusing to users, since the connection initially appears to succeed.