Linux FTP access control In which configuration file can a Linux administrator list user accounts that are not allowed to log in via FTP service?

Introduction / Context:
FTP services on UNIX/Linux historically used a deny-list file to prevent certain user accounts from authenticating over FTP. This is important for hardening systems, as accounts such as root, daemon, or system service users should never have FTP access.

Given Data / Assumptions:

• Classic FTP daemons (e.g., wu-ftpd, vsftpd in some modes) recognize a local deny list.
• We need the specific file used to list users denied FTP access.
• System uses standard locations rather than custom builds.

Concept / Approach:
/etc/ftpusers traditionally contains a newline-separated list of usernames not permitted to log in via FTP. Although different FTP daemons may have additional files (like /etc/ftpaccess) for broader policy, /etc/ftpusers is the canonical deny list for user-based restrictions.

Step-by-Step Solution:
Recall that /etc/ftpusers is a deny list of accounts.Recognize that /etc/hosts.deny is part of TCP Wrappers, controlling host-level access, not specific FTP usernames.Note that /etc/ftpaccess configures broader FTP behaviors and permissions, not the simple deny list.Select /etc/ftpusers.

Verification / Alternative check:
Check your FTP daemon documentation. Many examples ship with /etc/ftpusers containing root, bin, daemon, and similar non-login accounts by default.

Why Other Options Are Wrong:
/etc/hosts.deny controls hosts via TCP Wrappers, not user lists./etc/ftpaccess provides general FTP configuration but not specifically the user deny list.All of the above cannot be correct because only one file is the standard deny list.

Common Pitfalls:

• Forgetting that vsftpd may also use /etc/vsftpd/user_list with allow/deny semantics; always check daemon-specific docs.
• Assuming disabling shell access also disables FTP; they are separate.
• Leaving sensitive accounts enabled by default.

Final Answer:
/etc/ftpusers