
IP access rules

Created by Anthony.Rinaldi, last modified by Anthony.Rinaldi on Jul 20, 2016


IP access rules restrict login access to specific IP addresses, ranges of IP addresses, or a domain name. IP access rules can be configured at the server, domain, group, and user levels.

IP access rules are applied in the order they are displayed. In this way, specific rules can be placed at the top to allow or deny access before a more general rule is applied later on in the list. The arrows on the right side of the list can be used to change the position of an individual rule in the list.

Specifying IP access masks

IP access rules use masks to authorize IP addresses and domain names. The masks can contain specific values, ranges, and wildcards made up of the following elements.

Value or wildcard Explanation
xxx Stands for an exact match, such as (IPv4), fe80:0:0:0:a450:9a2e:ff9d:a915 (IPv6, long form) or fe80::a450:9a2e:ff9d:a915 (IPv6, shorthand).
xxx-xxx Stands for a range of IP addresses, such as (IPv4), fe80:0:0:0:a450:9a2e:ff9d:a915-a9aa (IPv6, long form), or fe80::a450:9a2e:ff9d:a915-a9aa (IPv6, shorthand).
* Stands for any valid IP address value, such as 192.0.2.*, which is analogous to, or fe80::a450:9a2e:ff9d:*, which is analogous to fe80::a450:9a2e:ff9d:0-ffff.
? Stands for any valid character when specifying a reverse DNS name, such as server?
/ Specifies the use of CIDR notation to specify which IP addresses should be allowed or blocked. Common CIDR blocks are /8 (for 1.*.*.*), /16 (for 1.2.*.*) and /24 (for 1.2.3.*). CIDR notation also works with IPv6 addresses, such as 2001:db8::/32.


Specific IP addresses listed in Allow rules will not be blocked by anti-hammering. These IP addresses are white-listed. However, addresses matched by a wildcard or a range are subject to anti-hammering prevention.

Implicit deny all

Until you add the first IP access rule, connections from any IP address are accepted. After you add the first IP access rule, all connections that are not explicitly allowed are denied. This is also known as an implicit Deny All rule. Make sure you add a Wildcard Allow rule (such as Allow *.*.*.*) at the end of your IP access rule list.

Matching all addresses

Use the *.*.*.* mask to match any IPv4 address. Use the *:* mask to match any IPv6 address. If you use both IPv4 and IPv6 listeners, add Allow ranges for both IPv4 and IPv6 addresses.

DNS lookup

If you use a dynamic DNS service, you can specify a domain name instead of an IP address to allow access to users who do not have a static IP address. You can also specify reverse DNS names. If you create a rule based on a domain name or reverse DNS, Serv-U performs either a reverse DNS lookup or DNS resolution to apply these rules. This can cause a slight delay during login, depending on the speed of the DNS server of the system.

Rule use during connection

The level at which you specify an IP access rule also defines how far a connection is allowed before it is rejected. Server and domain level IP access rules are applied before the welcome message is sent. Domain level IP access rules are also applied when responding to the HOST command to connect to a virtual domain. Group and user level IP access rules are applied in response to a USER command when the client identifies itself to the server.


You can set up an anti-hammering policy that blocks clients who connect and fail to authenticate more than a specified number of times within a specified period of time. You can configure an anti-hammering policy server-wide in Server Limits and Settings > Settings and domain-wide in Domain Limits and Settings > Settings.

IP addresses blocked by anti-hammering rules appear in the domain IP access rules with a value in the Expires in column. If you have multiple domains with different listeners, blocked IP addresses appear in the domain that contains the listener. Blocked IP addresses do not appear in the server IP access list, even if anti-hammering is configured at the server level.

The Expires in value of the blocked IP address counts down second-by-second until the entry disappears. You can unblock any blocked IP address early by deleting its entry from the list.


IP access list controls

The following options are available on the IP Access page.

Using the sort mode

You can sort the IP access list numerically rather than in the processing order. Displaying the IP access list in sort mode does not change the order in which rules are processed. To view rule precedence, disable this option. Viewing the IP access list in numerical order can be useful when you review long lists of access rules to determine if an entry already exists.

Importing and exporting IP access rules

You can export and import Serv-U IP access rules from users, groups, domains, and the server by using a text-based .csv file. To export IP access rules, view the list of rules to export, click Export, and specify the path and file name you want to save the list to. To import IP access rules, click Import and select the file that contains the rules you want to import. The .csv file must contain the following fields, including the headers:

  • IP: The IP address, IP range, CIDR block, or domain name for which the rule applies.
  • Allow: Set this value to 0 for Deny, or 1 for Allow.
  • Description: A text description of the rule for reference purposes.
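The ordering, mask, and implicit Deny All behaviour described in this guide can be checked against a rule file before it is imported. The following Python sketch is an added example, not SolarWinds code. It assumes IPv4 masks only (exact, `*`, a `lo-hi` range within an octet, CIDR) and treats DNS-name and IPv6 masks as non-matching; the sample CSV rows are constructed, and Serv-U's own matcher may differ in edge cases.

```python
import csv, io, ipaddress

# Constructed sample in the export format (documentation address ranges).
SAMPLE_CSV = """IP,Allow,Description
192.0.2.10,1,admin workstation (constructed)
192.0.2.*,0,lab bank (constructed)
198.51.100.0/24,1,partner network (constructed)
"""

def octet_matches(pattern, octet):
    """One dotted-quad segment: '*', 'lo-hi' range, or an exact number."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= octet <= int(hi)
    return int(pattern) == octet

def mask_matches(mask, addr):
    """True if IPv4 address addr falls under mask (IPv4 masks only)."""
    ip = ipaddress.IPv4Address(addr)
    try:
        if "/" in mask:  # CIDR block
            return ip in ipaddress.ip_network(mask, strict=False)
        parts = mask.split(".")
        if len(parts) != 4:  # DNS names and IPv6 masks: out of scope here
            return False
        return all(octet_matches(p, o) for p, o in zip(parts, ip.packed))
    except ValueError:  # non-numeric segment, e.g. a four-label host name
        return False

def load_rules(csv_text):
    """Read the IP, Allow (0 = Deny, 1 = Allow), Description fields in file order."""
    return [(row["IP"].strip(), row["Allow"].strip() == "1")
            for row in csv.DictReader(io.StringIO(csv_text))]

def decide(rules, addr):
    """Return (allowed, reason): first matching rule wins, top to bottom."""
    if not rules:
        return True, "no rules defined"      # empty list accepts everyone
    for mask, allow in rules:
        if mask_matches(mask, addr):
            return allow, mask
    return False, "implicit Deny All"        # list exists, nothing matched

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CSV)
    for addr in ("192.0.2.10", "192.0.2.11", "198.51.100.77", "203.0.113.5"):
        print(addr, decide(rules, addr))
```

Swapping the first two rows makes 192.0.2.10 hit the Deny rule first, which is the ordering effect the guide describes.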

Examples of IP address rules

Office-only access

A contractor has been hired to work in the office, and only in the office. Office workstations have IP addresses in the range of - The related Serv-U access rule should be Allow, and it should be added to either the user account of the contractor or a Contractors group that contains multiple contractors. No deny rule is required because Serv-U provides an implicit Deny All rule at the end of the list.

Prohibited computers

Users should normally be able to access Serv-U from anywhere, except from a bank of special internal computers in the IP address range of - The related Serv-U access rules should be Deny, followed by Allow *.*.*.*, and these rules should be added to either the domain or the server IP access rules.

DNS-based access control

The only users allowed to access a Serv-U domain connect from * or * The related Serv-U access rules should be Allow * and Allow * in any order, and these rules should be added to the domain IP access rules. No deny rule is required because Serv-U provides an implicit Deny All rule at the end of the list.

Last modified
08:45, 20 Jul 2016