10.5. Additional Settings


So far, I have considered only the ftpaccess configuration file. But you already know that more than one file is used to configure the wu-ftp server. Let's take a look at the others.

10.5.1. Prohibiting Access to Real Users

Because the wu-ftp server uses operating system accounts, which are stored in the /etc/passwd file, any real user can automatically work with the FTP server using his or her account and access rights. However, not all users need this capability.

To prohibit real users from accessing the FTP server, their names should be added to the /etc/ftpusers file. Listing 10.3 shows the contents of the file. Depending on the distribution, the contents may vary.

Listing 10.3: The contents of the /etc/ftpusers file

 # The ftpusers file is deprecated.
 # Use deny-uid/deny-gid in ftpaccess.
 root
 bin
 daemon
 adm
 lp
 sync
 shutdown
 halt
 mail
 news
 uucp
 operator
 games
 nobody

Note that the root user is prohibited access. This is because the administrator has too many rights, and if hackers hijack this account, they will obtain complete control over the system. Never allow high-privileged users (administrators and members of administrator groups) to access the FTP server.

If you have to work with files and directories that belong to the administrator, do not do this using the FTP server. The best way to edit such files is directly at the computer. Or you can download the files into your directory and then edit them locally or remotely using a secure terminal.

The best policy would be to prohibit FTP access to all system accounts whose ID is less than 500. This can be done by adding the following entry to the ftpaccess file:

 deny-uid %-500 

This way, you can be sure that you do not forget to restrict access to some account, which matters especially when more than one user has the same ID number (for example, 0): a name-based list blocks only the names it contains, whereas a UID range blocks every account in that range.
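As an added example (not code from the book), the following Python audit reads constructed /etc/passwd and /etc/ftpusers samples plus a deny-uid value and reports which accounts can still reach the FTP server; it shows why deny-uid %-500 catches a second UID-0 account that a name-based ftpusers list misses. The deny-uid forms other than %-500 (single %N, %A-B, open-ended %A-) are assumed from wu-ftpd syntax, and the range is treated as inclusive.

```python
import re

# Constructed sample inputs (not from a real system): note the second
# UID-0 account "toor", which is absent from ftpusers.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
alice:x:501:501:Alice:/home/alice:/bin/bash
bob:x:502:502:Bob:/home/bob:/bin/bash
"""
FTPUSERS = "# Use deny-uid/deny-gid in ftpaccess.\nroot\nbin\nmail\n"

RANGE_RE = re.compile(r"^%(\d*)-(\d*)$")


def parse_deny_uid(spec):
    """Parse a deny-uid value such as '%-500' or '%-500 %65534-' into
    (lo, hi) tuples plus explicit user names.  Assumed wu-ftpd syntax:
    %N is one UID, %A-B an inclusive range, an empty end is unbounded,
    and a bare word is a user name."""
    ranges, names = [], set()
    for tok in spec.split():
        m = RANGE_RE.match(tok)
        if m:
            lo = int(m.group(1)) if m.group(1) else 0
            hi = int(m.group(2)) if m.group(2) else None
            ranges.append((lo, hi))
        elif tok.startswith("%"):
            ranges.append((int(tok[1:]), int(tok[1:])))
        else:
            names.add(tok)
    return ranges, names


def ftp_allowed_accounts(passwd, ftpusers, deny_uid=""):
    """Return {name: uid} for accounts that neither ftpusers nor deny-uid blocks."""
    blocked = {l.strip() for l in ftpusers.splitlines()
               if l.strip() and not l.lstrip().startswith("#")}
    ranges, names = parse_deny_uid(deny_uid)
    blocked |= names
    allowed = {}
    for line in passwd.splitlines():
        name, _, uid = line.split(":")[:3]
        uid = int(uid)
        if name in blocked:
            continue
        if any(lo <= uid and (hi is None or uid <= hi) for lo, hi in ranges):
            continue
        allowed[name] = uid
    return allowed


def privileged_ftp_accounts(passwd, ftpusers, deny_uid=""):
    """Accounts still able to use FTP whose UID lies in the system range (< 500)."""
    return {n: u for n, u in ftp_allowed_accounts(passwd, ftpusers, deny_uid).items()
            if u < 500}
```

Run against a real host by replacing the constructed strings with the contents of /etc/passwd, /etc/ftpusers and the deny-uid line from ftpaccess.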

10.5.2. Computers Are Not Allowed

Great administrator wisdom states that a firewall helps those who help themselves. A firewall prohibits access to certain ports on the server from specific computers. The /etc/ftphosts configuration file performs a similar function: it prohibits or allows access from specified IP addresses or from an entire network.

By default, the file is empty, because the software developers cannot know how you intend to go about organizing access. You can enter the following directives into the file:

 allow name template
 deny name template

For example, if you want to deny anonymous users access from address 192.168.1.1, add the following line to the file:

 deny anonymous 192.168.1.1 

According to the "everything not permitted is prohibited" principle, it may seem that the deny directive is unnecessary. This is a wrong way of thinking: a certain type of user may have to be allowed access from a specified address while all other users are prohibited from accessing the FTP server from it.

10.5.3. Grouping

The ftpgroups file contains descriptions of the groups that, once created, are allowed to use the SITE GROUP and SITE GPASS commands. These are nonstandard FTP directives, which few developers support; consequently, users may find working with these commands too inconvenient.

The ftpgroups file contains entries similar to the following:

 test:ENCRYPTED PASSWORD HERE:archive 

The description line contains three colon-separated fields: the group name, the password, and the real (system) group name.

Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141