Creating FTP Allow/Deny Rules on Linux
Posted in: Blog, Security by Christian on September 6, 2009
When you log in to your FTP account, before access is granted the ftp daemon looks in your home directory for a file called “ftp.allow” to see if your IP address is specifically allowed to log in. (To find out what your IP is, go to: http://www.whatismyip.com) If the file is found and your IP address is permitted, no other checks are performed.

If your IP address is not found in the list of allowed IPs, or the file does not exist, the daemon then looks for a file called “ftp.deny” to see if your IP address is specifically denied. If the IP address you are connecting from matches one of the entries in ftp.deny (which can be ALL: ALL, denying everything that was not already permitted), access is refused with the message “530 User ‘username’ denied by access rules”. If ftp.deny does not exist, or your IP address matches nothing in it, access is permitted.

In addition, webshell access is always permitted, so you can still edit ftp.allow and ftp.deny if you denied your own access by mistake.
If you have ftp-subusers defined, and they have a home directory different than the main ftp user, they will not be affected by ftp.allow and ftp.deny in your home dir. If you want to restrict their access, you need to place similar files in their home dirs.
Both ftp.allow and ftp.deny can contain one or more of the following kinds of lines:
ALL: 1.2.3.4 -> this will match only the IP address 1.2.3.4
ALL: 1.2.3. -> this will match anything that starts with 1.2.3. (note the trailing dot, so 1.2.30.x is not matched)
ALL: 1.2.3.0/255.255.255.240 -> this will match any IP in the range 1.2.3.0 – 1.2.3.15 (the netmask 255.255.255.240 is a /28, i.e. 16 addresses)
ALL: ALL -> this will match everything and anything
Both ftp.allow and ftp.deny files MUST end with an empty line. Simple, right? Well, let’s see some scenarios that you may want to try:
Scenario 1: Block everything, except IP address 76.188.2.141, which is my home IP address, and IP range 12.44.215.0 – 12.44.215.255, which is the range of IPs that I have at the office (these are not the real IPs; I invented them for the purpose of this example).
The file ftp.allow should look like this:
ALL: 76.188.2.141
ALL: 12.44.215.0/255.255.255.0
This specifically permits access from the IP address and range above. Note that the file ends with an empty line. Now, to deny everything else, we create an ftp.deny file that looks like this:
ALL: ALL
Again, make sure you have an empty line at the end of the file.
An extended version of this scenario would be to completely disallow FTP access, except for the webshell access: keep the ALL: ALL line in ftp.deny, and let your ftp.allow file contain only an empty line, so that nothing is ever permitted by the allow file.
Scenario 2: Allow everything, except the IP addresses that you don’t like (maybe because your ex-webmaster is now trying to hack your site, or because you noticed attackers trying to break into your site from those ranges, or whatever reasons you may have). Say you want to allow everything but block the IP ranges 8.0.0.0 – 8.255.255.255, 176.162.54.0 – 176.162.55.255, 212.35.128.64 – 212.35.128.95, and the single address 213.1.2.4.
Your ftp.allow file will only contain an empty line. So nothing will match, and ftp.deny will be checked. Your ftp.deny file will look like this:
ALL: 8.0.0.0/255.0.0.0
ALL: 176.162.54.
ALL: 176.162.55.
ALL: 212.35.128.64/255.255.255.224
ALL: 213.1.2.4
Again, don’t forget the empty line at the end. Note that the two 176.162.x. prefix lines together cover 176.162.54.0 – 176.162.55.255, and 255.255.255.224 is a /27, so the 212.35.128.64 entry covers exactly .64 – .95. An extended version of this scenario would be to allow everything (the situation you are probably in now). If that’s the case, you don’t need to do anything, not even create these files.
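To make the matching rules and the allow-then-deny order above concrete, here is an added example (my own code, not the FTP daemon's and not part of the original post) that models the evaluation: it parses the “ALL: pattern” lines, matches a client IP against exact-host, trailing-dot prefix, network/netmask and ALL patterns, and applies the ftp.allow → ftp.deny → default-permit decision. The function names (parse_rules, pattern_matches, decide, ends_with_empty_line) are my own, and the file contents at the bottom are constructed from Scenario 1 and Scenario 2 using the same invented IPs.

```python
import ipaddress

# Added example: a model of the ftp.allow / ftp.deny evaluation described in the
# post. The "ALL: <pattern>" syntax and the allow-then-deny order come from the
# post; the helper names here are my own and do not belong to any real daemon.


def parse_rules(text):
    """Return the list of patterns in the contents of an ftp.allow/ftp.deny file.

    Blank lines and '#' comments are skipped; every other line must be
    'ALL: <pattern>' (the only daemon field the post describes).
    """
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        daemon, sep, pattern = line.partition(":")
        if not sep or daemon.strip().upper() != "ALL" or not pattern.strip():
            raise ValueError(f"line {lineno}: expected 'ALL: <pattern>', got {raw!r}")
        patterns.append(pattern.strip())
    return patterns


def pattern_matches(pattern, ip):
    """True if the client IP (dotted-quad string) matches one rule pattern."""
    addr = ipaddress.IPv4Address(ip)
    if pattern.upper() == "ALL":
        return True                                   # wildcard: matches anything
    if "/" in pattern:
        # 'network/netmask', e.g. 1.2.3.0/255.255.255.240 covers 1.2.3.0 - 1.2.3.15
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.endswith("."):
        # trailing dot = octet-aligned prefix: '1.2.3.' matches 1.2.3.x but not 1.2.30.x
        return ip.startswith(pattern)
    return addr == ipaddress.IPv4Address(pattern)     # exact host


def ends_with_empty_line(text):
    """The post says both files MUST end with an empty line; check before uploading."""
    return text.endswith("\n")


def decide(ip, allow_text, deny_text):
    """Apply the two-stage check from the post and return 'allow' or 'deny'.

    allow_text / deny_text are the file contents, or None when the file is absent.
    """
    if allow_text is not None and any(pattern_matches(p, ip) for p in parse_rules(allow_text)):
        return "allow"   # listed in ftp.allow: no further checks are performed
    if deny_text is not None and any(pattern_matches(p, ip) for p in parse_rules(deny_text)):
        return "deny"    # the daemon answers "530 User '...' denied by access rules"
    return "allow"       # no file, or no match in either file: access is permitted


# Constructed file contents for the two scenarios in the post (invented IPs).
SCENARIO1_ALLOW = "ALL: 76.188.2.141\nALL: 12.44.215.0/255.255.255.0\n"
SCENARIO1_DENY = "ALL: ALL\n"

SCENARIO2_ALLOW = "\n"   # only an empty line: nothing is ever matched here
SCENARIO2_DENY = (
    "ALL: 8.0.0.0/255.0.0.0\n"
    "ALL: 176.162.54.\n"
    "ALL: 176.162.55.\n"
    "ALL: 212.35.128.64/255.255.255.224\n"
    "ALL: 213.1.2.4\n"
)

if __name__ == "__main__":
    for ip in ("76.188.2.141", "12.44.215.77", "8.8.8.8"):
        print("scenario 1", ip, decide(ip, SCENARIO1_ALLOW, SCENARIO1_DENY))
    for ip in ("8.1.2.3", "176.162.55.200", "176.162.56.1",
               "212.35.128.95", "212.35.128.96", "213.1.2.4"):
        print("scenario 2", ip, decide(ip, SCENARIO2_ALLOW, SCENARIO2_DENY))
```

Running the block prints the decision for a handful of addresses in each scenario; the interesting boundary cases are 212.35.128.95 (last address of the /27, denied) versus 212.35.128.96 (allowed), and 176.162.56.1, which the trailing-dot prefixes do not catch. Use ends_with_empty_line on a file before uploading it, since a missing final newline is the one mistake the post singles out.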