Setting IP Access Rules in Serv-U - KB Article #1069Related Articles --
Serv-U allows administrators to allow and restrict access to Serv-U based on the IP address that a user connects from - this can be a powerful tool in enforcing security requirements or creating secure extra-nets that allow access to business partners or third party suppliers. However, it also requires understanding of the use of IP access rules and the expressions that can be used to define them.
There are several places where IP address rules are entered. They can be entered at the user, group, domain, or server level, and apply appropriately to a single user, members of a group, members of a domain, or all users of a server. When defining these rules, there are special characters that define masks that apply to groups of IP addresses.
To enter an IP Access rule, the administrator must navigate to one of the following menus and click the "Add" button:
- User Properties | IP Access
- Group Properties | IP Access
- Domain Details | IP Access
- Server Details | IP Access
Allow vs Deny IP Access Rules
There are two types of IP Access rules: "Allow" and "Deny". "Deny" rules are simpler to understand so we will cover them first.
A "Deny" IP Access rule defines an IP address, or a range of addresses that are not allowed to connect to Serv-U (or to log on using a certain user account). When a "Deny" rule is configured, Serv-U will deny connections from "Denied" addresses, but allow connections from all other hosts. This is most commonly seen when a server is under attack by an automated password-guessing utility, and is covered in the next section. Rules can also be set up for IP ranges that are known to host malware and pose a threat. These rules are optional for security, but remember that as long as you choose secure passwords for your users the chance of a dictionary attack being successful is very small.
An "Allow" rule is more complex. Whereas a "Deny" rule only blocks specific IP addresses, an "Allow" rule instead explicitly allows connections only from specific IP addresses and denies all other connections by adding an implicit "deny-all" rule to the end of the list. This "deny-all" will not be visible in the list, but it is implied since an "Allow" rule indicates that you will be explicitly stating all users who may connect.
The "Allow" rule, then, requires more planning and care than a "Deny" rule. Using "Allow" rules effectively allows you as an administrator to restrict incoming connections to only IP address ranges that you trust, which may be only internal IP addresses or perhaps your IP range and that of a partner. If you configure IP Access rules and find that you can no longer connect to Serv-U, it is usually because an "Allow" rule was added incorrectly, and all that is necessary is to configure it so your IP range is part of the trusted IP addresses.
Special Characters In IP Access Rules
There are three special characters: the asterisk (star) "*", question mark "?", and the hyphen "-". These wildcards function as follows:The * (Asterisk (Star)) character
The - (Hyphen) character
A star functions as a wildcard for checking the IP-address. Any name or number will match that section of the rule if it is a star.
For example, say all IP-numbers in a company look like 134.56.34.xxx with "xxx" being any number. To restrict access to the FTP server to other members of the company only, create an "allow" rule that looks like this:
Likewise, if unwanted users have IP-numbers in the range 168.76.xxx.xxx, they can be restricted from a server with a "deny" rule, such as:Deny: 168.76.*.*
The "allow" rule at the end is to allow all people in who passed the first "deny" rule. Without it no one would be allowed access to the server. Remember, whenever there is even a single access rule users will only be allowed into the server if they qualify for an "allow" rule.
IP-names may also be used in access rules. IP-name rules work in a similar fashion as IP-numbers. For example, to keep all users from a particular university out of the server, set up the following two rules:Deny: *.univerisityx.edu
The ? (Question mark) character
The hyphen is used to denote a range of numbers, so it can only be used for IP-numbers. Simply separate the starting and ending values by a hyphen.
For example, assume that users that need access have IP-numbers 22.214.171.124, 126.96.36.199 and 188.8.131.52. Three "allow" rules could be defined, each with one of these numbers. However, a faster way to do this is to make a single "allow" rule like this:
The special characters "*" and "-" don't need to be at the end of the IP-numbers, any place will do. The rule 221.*.76-154.89 is perfectly OK.
The question mark is for IP-names only, to match any single character.IP name rules
In Serv-U it is possible to use IP-Name rules in access control lists. This means that you can specify a domains such as google.com as a Deny rule and deny access to anyone coming from a Google IP address. For this to work, the PTR record of the IP addresses assigned to the persons attempting to connect must resolve to the domain names you are attempting to allow or deny access to.
There is one more side effect of IP-name rules. When FTP Serv-U starts, it does not know if there are any IP access rules that need an IP-name lookup, and searching all possible rules is prohibitive. Doing a reverse IP-name lookup is computationally slow and can take any amount of time (FTP Serv-U has a hard-coded limit of one minute for this), while the FTP client has to wait until the lookup is done. So, by default it does not do reverse-DNS lookups to determine the IP-name of the FTP clients that connect to the server. This means the first time an IP access rule is encountered that needs an IP-name, the user will be bounced (since no name is available at that point). However, once this happens the server switches strategies and does an IP-name lookup every time a user connects.
NOTE 1: To enter an IP Access rule in Serv-U 6.x or previous, navigate to << Local Server >> | Domains | Settings | IP Access for domain-level configuration, or << Local Server >> | Domains | YourDomain | Users | User1 | IP Access for user-level configuration.
NOTE 2: If an IP Access rule is configured at the user level, but "Always allow login" is also checked, the user will always be able to log in regardless of the IP Access rule being created.