Block FTP Access Using Firewall

Block FTP access using iptables (default system firewall)

1) If you want to completely disable FTP access on the server, run the command:

root@server[#] iptables -A INPUT -p tcp --dport 21 -j DROP

2) If you want to block FTP access for a specific IP, run the command below:

root@server[#] iptables -A INPUT -p tcp -s 10.10.10.10 --dport 21 -j DROP

3) If you want to disable FTP access for a specific subnet, run the command below:

root@server[#] iptables -I INPUT -p tcp -s 10.10.10.10/24 --dport 21 -j DROP

After adding the rules, save them by running the command:

root@server[#] /etc/init.d/iptables save

Then, to apply the saved rules, restart iptables by running the command:

root@server[#] /etc/init.d/iptables restart

Block FTP access using the CSF firewall

1) If you want to completely disable FTP access on the server, follow these steps:

root@server[#] vi /etc/csf/csf.conf

Search for the lines:
# Allow incoming TCP ports
TCP_IN =
and remove port 21 from the list.
Save and quit.

Then restart the CSF firewall using the command below:

root@server[#] csf -r
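
The TCP_IN edit from step 1 can also be scripted so that only the exact port is removed. The following is an added example, not part of the original page or of CSF's own tooling; the function names and the sample file are constructed for illustration, and the file layout assumed is the quoted, comma-separated TCP_IN line found in csf.conf.

```shell
#!/bin/sh
# Added example: drop one port from TCP_IN in a csf.conf-style file
# without touching similar-looking entries (2121, port ranges, TCP_OUT).

# Print the comma-separated TCP_IN list from FILE.
tcp_in_ports() {
    awk '/^TCP_IN[ \t]*=/ && match($0, /"[^"]*"/) {
        print substr($0, RSTART + 1, RLENGTH - 2); exit }' "$1"
}

# Remove PORT from TCP_IN in FILE, keeping a .bak copy of the original.
remove_tcp_in_port() {
    conf=$1; port=$2
    tmp=$(mktemp) || return 1
    cp -p "$conf" "$conf.bak" || return 1
    awk -v port="$port" '
        /^TCP_IN[ \t]*=/ && match($0, /"[^"]*"/) {
            n = split(substr($0, RSTART + 1, RLENGTH - 2), item, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", item[i])
                # Exact match only: 2121 and ranges like 30000:35000 stay.
                if (item[i] == port || item[i] == "") continue
                out = out (out == "" ? "" : ",") item[i]
            }
            print "TCP_IN = \"" out "\""
            next
        }
        { print }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample file, so the example runs without CSF installed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,443,2121,30000:35000"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,443"
EOF
echo "before: $(tcp_in_ports "$sample")"
remove_tcp_in_port "$sample" 21
echo "after:  $(tcp_in_ports "$sample")"
rm -f "$sample" "$sample.bak"
```

On a real server the change only takes effect after the csf -r restart shown above.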

2) If you want to block FTP access for a specific IP, follow the steps below:

root@server[#] vi /etc/csf/csf.deny

and add the line:
tcp:in:d=21:s=10.10.10.10

Save and quit.

Then restart the CSF firewall using the command below:

root@server[#] csf -r

3) If you want to allow FTP access for only one IP on the server and deny it for all other IPs, follow these steps:

root@server[#] vi /etc/csf/csf.conf

Then search for the line:
# Allow incoming TCP ports
and remove the ports: 21 and 22

Also search for the line:

# Allow outgoing TCP ports
and remove the ports: 21 and 22

Save and quit.

Then open the csf.allow file:

root@server[#] vi /etc/csf/csf.allow
and add the entry:

tcp:in:d=21:s=10.10.10.10

Save and quit.

Then restart the CSF service:

root@server[#] csf -r

Note: Replace the IP 10.10.10.10 with the actual IP.
