It seems the observed behaviour is almost as designed, and in order to
restrict access to localhost only, one needs to also set

        SocketBindTight on

in addition to 

        DefaultAddress 127.0.0.1

After adding "SocketBindTight on", netstat shows 

# netstat -tlpe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State   User       Inode       PID/Program name
tcp        0      0 localhost.localdoma:ftp *:*                     LISTEN  proftpd    2225685     1828/proftpd: (acce

and I can no longer connect remotely.


However, as per documentation at 
http://www.proftpd.org/docs/directives/linked/config_ref_SocketBindTight.html
the intended behaviour for a server with "DefaultAddress 127.0.0.1" and
"SocketBindTight off" (the latter being the default setting) is to respond
with a "500 Sorry, no server available to handle request on xxx.xxx.xxx.xxx."
message on connecting to a different address than the default one.  This was
not observed:


$ telnet server 21
Trying xxx.xxx.xxx.xxx...
Connected to server.
Escape character is '^]'.
220 ProFTPD 1.3.3a Server (Debian) [xxx.xxx.xxx.xxx]
user ftp
331 Anonymous login ok, send your complete email address as your password
pass foo@bar
230-Welcome, archive user f...@chimera.dc-uoit.net !
230-
230-The local time is: Thu May 12 11:55:29 2011
230-
230-This is an experimental FTP server.  If you have any unusual problems,
230-please report them via e-mail to <root@localhost>.
230-
230 Anonymous access granted, restrictions apply



Regards,
adc
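
The check described in the message above, as an added example that is not part of the original report or of ProFTPD: it parses `/proc/net/tcp`-style text and reports any port 21 listener that is not bound to loopback. The sample tables are constructed, and the function names `listeners` and `exposed` are hypothetical.

```python
import ipaddress

LISTEN = "0A"  # TCP_LISTEN state code in /proc/net/tcp

# Constructed samples (leading columns of /proc/net/tcp only), not taken from the report.
# Before: DefaultAddress 127.0.0.1 with SocketBindTight off -> wildcard listener.
SAMPLE_BIND_LOOSE = """\
  sl  local_address rem_address   st
   0: 00000000:0015 00000000:0000 0A
   1: 0100007F:0019 00000000:0000 0A
   2: 0501A8C0:0015 6401A8C0:D431 01
"""
# After: SocketBindTight on -> listener bound to loopback only.
SAMPLE_BIND_TIGHT = """\
  sl  local_address rem_address   st
   0: 0100007F:0015 00000000:0000 0A
   1: 0100007F:0019 00000000:0000 0A
"""

def listeners(proc_net_tcp, port=21):
    """Return the IPv4 addresses holding a LISTEN socket on `port`."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # established connections and short lines are ignored
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        # The kernel prints the address as a host-order u32; on little-endian
        # machines (assumed here) the bytes appear reversed.
        raw = bytes.fromhex(addr_hex)[::-1]
        found.append(ipaddress.IPv4Address(raw))
    return found

def exposed(proc_net_tcp, port=21):
    """Listener addresses on `port` that are reachable from off-host."""
    return [str(a) for a in listeners(proc_net_tcp, port) if not a.is_loopback]

if __name__ == "__main__":
    for name, text in (("loose", SAMPLE_BIND_LOOSE), ("tight", SAMPLE_BIND_TIGHT)):
        bad = exposed(text)
        print(name, "EXPOSED on " + ", ".join(bad) if bad else "loopback only")
```

On a live host, pass the contents of `/proc/net/tcp` to `exposed()` after each configuration change; an empty list means the FTP listener is bound to loopback only.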



