Problem in denying FTP for particular users in RHEL 7 and CentOS 7


I am not able to deny FTP access for specific users in Red Hat 7, but my procedure works in Red Hat 6. I used the following procedure.

In my hosts.deny configuration:

# vim /etc/hosts.deny

Then I restarted my FTP server:

systemctl restart vsftpd

When I try FTP access:


Access is still permitted.


The reason for this is that denyhosts only works with iptables, and under CentOS 7 the default firewall is firewalld. If you are looking to use denyhosts, then you must revert to iptables from firewalld, or you should use the fail2ban tool to achieve this task…


How to revert to iptables from firewalld in RHEL 7?


Switching from firewalld to iptables is a little bit long process, but if you want to achieve the same you can do it with firewalld too. For example, to block FTP access to a particular IP address, you can use the following firewalld rule:

# sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="" port port=21 protocol=tcp reject'

More such examples of firewalld can be found at:


Where can I get the long process procedure? Any documents or links?


Give me any link or document you have on switching from firewalld to iptables in RHEL7/CentOS.


Here is the long process in a short manner: Switching from Firewalld to Iptables in CentOS 7

1. First make sure to back up your existing firewalld rules before making the switch to iptables:

$ sudo iptables -S | tee ~/firewalld_iptables_rules
$ sudo ip6tables -S | tee ~/firewalld_ip6tables_rules

2. Next install the iptables-services package from the default CentOS repository:

$ sudo yum install iptables-services

The above iptables package will install the systemd files that are used to manage the iptables service, and it will also write some default iptables and ip6tables configuration files to the /etc/sysconfig directory.

3. Next disable the firewalld service:

$ sudo systemctl mask firewalld
$ sudo systemctl stop firewalld

4. Now enable the iptables service:

$ sudo systemctl enable iptables
$ sudo systemctl enable ip6tables
$ sudo systemctl start iptables
$ sudo systemctl start ip6tables

5. Now install the TCP wrapper called xinetd to manage the hosts.allow and hosts.deny files to block and allow certain ports…
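
The firewalld rich rule suggested earlier in this thread, assembled for the FTP control port with a validated source address (an added example, not code from any poster in the thread). The function names are hypothetical and 192.0.2.10 is a constructed documentation address; the script only prints the `firewall-cmd` commands and does not run them.

```shell
#!/bin/sh
# Added example: builds (does not run) firewalld commands that reject FTP
# control traffic (TCP port 21) from one IPv4 source. Names are hypothetical.

# Succeed only if $1 is a dotted-quad IPv4 address, optionally with /0-32.
is_ipv4() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    # Only digits and dots, no empty fields; this also keeps quotes and
    # spaces out of the rule text that is assembled below.
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rich rule for source $1, or fail on a malformed address.
ftp_block_rule() {
    is_ipv4 "$1" || { echo "invalid IPv4 source: $1" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s" port port="21" protocol="tcp" reject' "$1"
}

# Print the commands to apply the rule in zone $2 (default: public):
# runtime first, then --permanent so it survives a reload, then a listing.
ftp_block_commands() {
    rule=$(ftp_block_rule "$1") || return 1
    zone=${2:-public}
    printf "firewall-cmd --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
    printf "firewall-cmd --zone=%s --list-rich-rules\n" "$zone"
}

# Constructed sample input: 192.0.2.10 is a documentation address (RFC 5737).
ftp_block_commands 192.0.2.10
```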