Friday, July 25, 2008

How To Send System Message To FTP Clients via TCP Wrapper

As recent posts have shown, restricting access (allow and deny) to particular services is a good additional security practice. Some system admins prefer to send a system message or account status to the particular clients or hosts they deny.

Sending a service message or service status to particular hosts or groups of hosts can reduce on-site technical phone calls during scheduled system maintenance, while keeping connecting clients informed and reminded of your service message.

Send System Message to FTP Clients via TCP Wrapper

Step One

Back up /etc/hosts.allow, then modify it to contain lines similar to the ones below. This assumes the vsftpd daemon is running as the current FTP server and is configured to consult TCP wrapper.

vsftpd: 83.83.83.83 :  twist /bin/echo "220 %h FTP account has expired, please renew."

vsftpd: 192.168.100.100 :  twist /bin/echo "220 %h has been banned, go away!"

vsftpd: 192.168.100.10 :  twist /bin/echo "220 %h We are on scheduled maintenance, try later. Thanks"

The above instructs TCP wrapper to deny access to

83.83.83.83

192.168.100.100

192.168.100.10

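Each has a separate message that is sent to the connecting client. The twist option replaces the vsftpd process for that connection with the /bin/echo command, so the client receives the message instead of an FTP session, and %h expands to the client's host name (or its address when no name is available).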

Save and exit.

No daemon needs to be restarted. The portmap and rpcbind daemon services do not need to be enabled for this setup.
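
As an added illustration (not part of the original post), the Python sketch below evaluates rules like the ones above the way TCP wrapper does, where the first matching line wins, and shows the message each client would receive. SAMPLE_HOSTS_ALLOW and the function names are assumptions made for this example, and only simple client patterns (exact address, trailing-dot prefix, ALL) are handled.

```python
import re
import shlex

# Constructed sample: the three rules from Step One, not read from a live host.
SAMPLE_HOSTS_ALLOW = '''\
# /etc/hosts.allow
vsftpd: 83.83.83.83 :  twist /bin/echo "220 %h FTP account has expired, please renew."
vsftpd: 192.168.100.100 :  twist /bin/echo "220 %h has been banned, go away!"
vsftpd: 192.168.100.10 :  twist /bin/echo "220 %h We are on scheduled maintenance, try later. Thanks"
'''

def client_matches(pattern, addr):
    """Simplified client matching: ALL, a trailing-dot prefix, or an exact address."""
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern in ("ALL", addr)

def first_match(rules_text, daemon, addr):
    """Return (line_number, option_text) of the first matching rule, or None."""
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(c, addr) for c in clients):
            return lineno, fields[2] if len(fields) == 3 else ""
    return None

def banner_for(rules_text, daemon, addr):
    """Message a client at addr receives from a 'twist /bin/echo' rule, else None."""
    hit = first_match(rules_text, daemon, addr)
    if hit is None or not hit[1].startswith("twist"):
        return None
    # No DNS lookup is done here, so %h (host name or address) becomes the address.
    expand = {"h": addr, "a": addr, "d": daemon, "%": "%"}
    command = re.sub(r"%([had%])", lambda m: expand[m.group(1)], hit[1][5:])
    argv = shlex.split(command)
    return " ".join(argv[1:]) if argv[:1] == ["/bin/echo"] else None

if __name__ == "__main__":
    for ip in ("83.83.83.83", "192.168.100.100", "192.168.100.10", "10.0.0.5"):
        print(ip, "->", banner_for(SAMPLE_HOSTS_ALLOW, "vsftpd", ip))
```

On the server itself, the tcpdmatch utility shipped with TCP wrapper performs the real lookup against the live files, for example: tcpdmatch vsftpd 192.168.100.10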

Step Two

Verify the changes to your host access restrictions via TCP wrapper. From a separate Linux host:

# telnet domain.com 21

# ftp domain.com

Alternatively, from a separate Windows host, launch your FTP client software and verify the message by connecting to the server (domain.com in this example).

The output would be similar to:

Trying domain.com...
Connected to domain.com
Escape character is '^]'.
220 We are on scheduled maintenance, come back later.
Connection closed by foreign host.

This would work right away on RedHat, CentOS, White OS and Fedora boxes.

All is done
