Some %$@#$>%$@#$#^& found/hacked/stole your FTP account password. Now what? Well, change it of course, but that might not be enough.
(Can you feel my self restraint in not actually swearing?)
Here is a simple method you can use to prevent anyone other than you from uploading or downloading files.
FTP.ALLOW
This is a simple text file you create that contains a list of allowed IP addresses. In other words, yours – both at home and work – but yours alone. It has the following syntax and does require one blank line after your instructions. (Please note, I am using bogus numbers rather than a real IP address; you will replace them with yours.)
ALL: 1.2.3.4
(intentional blank line)
Don’t know your IP? No problem. Just visit http://www.WhatIsMyIP.com and it will tell you your IP address. Have an IP address that changes from reboot to reboot? Again, no problem. Just add this to the line where you are defining your IP…
ALL: 1.2.3.0/255.255.255.0
(intentional blank line)
This will match against any IP in the range 1.2.3.0 – 1.2.3.255
If you have ftp-subusers defined, and they have a home directory different than the main ftp user, they will not be affected by ftp.allow and ftp.deny in your home dir. If you want to restrict their access, you need to place similar files in their home dirs.
FTP.DENY
This text file has the opposite effect. Have an IP address that is just slamming you? Ban them. Place their IP address in this text file and upload to your root, and they won’t be able to access any part of the FTP account. It has the same format as the allow file above.
ALL: 1.2.3.4
(intentional blank line)
So, let’s recap. Hackers are assholes (pardon my French). You have to take measures to keep them away from your precious data. Let’s look at two real-life scenarios.
Block everything, except IP address 76.188.2.141, which is my home IP address, and IP range 12.44.215.0 – 12.44.215.255, which is the range of IPs that I have at the office (again, these are not real IPs, I invented them for the purpose of this example).
The file ftp.allow should look like this:
ALL: 76.188.2.141
ALL: 12.44.215.0/255.255.255.0
(intentional blank line)
This will specifically permit access from the said IP Address and range. Note the file ends with an empty line. Now, to deny everything else, we create a ftp.deny file that looks like this:
ALL: ALL
(intentional blank line)
Again, make sure you have an empty line at the end of the file.
An extended version of this scenario would be to completely disallow ftp access, except for the webshell access, and then your ftp.allow file will only contain an empty line.
Allow everything, except the IP addresses that you don’t like (maybe because it was your ex-webmaster that now is trying to hack your site, or because you noted there are hackers that are trying to break into your site from those ranges, or whatever reasons you may have). Say you want to allow everything but block IP ranges 8.0.0.0 – 8.255.255.255, 176.162.54.0 – 176.162.55.255, 212.35.128.64 – 212.35.128.95 and 213.1.2.4.
Your ftp.allow file will only contain an empty line. So nothing will match, and ftp.deny will be checked. Your ftp.deny file will look like this:
ALL: 8.0.0.0/255.0.0.0
ALL: 176.162.54.
ALL: 176.162.55.
ALL: 212.35.128.64/255.255.255.224
ALL: 213.1.2.4
(intentional blank line)
Again, don’t forget the empty line at the end. An extended version of this scenario would be to allow everything (the situation you are probably in now). If that’s the case, you don’t need to do anything, not even create these files.
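Before you upload either file, it helps to check which addresses your rules really let in, so you don't lock yourself out. The Python below is an added example, not part of the original post or of any FTP server's own code; its function names are hypothetical, and it assumes the matching order described above (ftp.allow first, then ftp.deny, otherwise allowed) and only the IPv4 pattern forms shown in this post.

```python
import ipaddress

# Rule files from the two scenarios above (the post's invented addresses).
SCENARIO_1_ALLOW = "ALL: 76.188.2.141\nALL: 12.44.215.0/255.255.255.0\n\n"
SCENARIO_1_DENY = "ALL: ALL\n\n"
SCENARIO_2_ALLOW = "\n"
SCENARIO_2_DENY = (
    "ALL: 8.0.0.0/255.0.0.0\n"
    "ALL: 176.162.54.\n"
    "ALL: 176.162.55.\n"
    "ALL: 212.35.128.64/255.255.255.224\n"
    "ALL: 213.1.2.4\n\n"
)

def parse_rules(text):
    """Return the client patterns from 'ALL: pattern' lines; blank lines are skipped."""
    patterns = []
    for line in text.splitlines():
        _service, sep, clients = line.partition(":")
        if sep:
            patterns.extend(clients.split())
    return patterns

def matches(ip, pattern):
    """True if the IPv4 address matches one pattern in the forms used in this post."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):  # prefix form such as "176.162.54."
        return ip.startswith(pattern)
    if "/" in pattern:  # network/netmask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(ip) == ipaddress.ip_address(pattern)

def decide(ip, allow_text, deny_text):
    """Assumed order: ftp.allow is checked first, then ftp.deny, otherwise allowed."""
    if any(matches(ip, p) for p in parse_rules(allow_text)):
        return "allow"
    if any(matches(ip, p) for p in parse_rules(deny_text)):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for ip in ("76.188.2.141", "12.44.215.200", "8.8.8.8"):
        print("scenario 1", ip, decide(ip, SCENARIO_1_ALLOW, SCENARIO_1_DENY))
    for ip in ("176.162.55.9", "212.35.128.96", "213.1.2.4"):
        print("scenario 2", ip, decide(ip, SCENARIO_2_ALLOW, SCENARIO_2_DENY))
```

Run it with your own home and office addresses in place of the sample ones and confirm they come back as "allow" before the real files go live.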
I hope this little trick will help you defend your blog. Just writing about it will place me on the radar of the assholes with nothing better to do so I better go make sure all my ducks are in a row and my backups are current.