Basic FTP Server Configuration


Once you've installed an FTP server package, you'll want to get it running. As a general rule, distributions that use WU-FTPD run it from a super server, while those that use ProFTPd run it from a SysV startup script. You can change these options if you like, though. On most distributions, getting the server to run is the only configuration option to which you must attend for basic functionality, because the default configurations work well for many purposes. Specifically, the default configuration allows users with accounts on the system to log in and transfer files to and from their home directories. You may need to alter these configurations if you want to have FTP serve some other role, or if you want to adjust configuration defaults. One common FTP server configuration, anonymous FTP, is covered in the upcoming section, "Setting Up an Anonymous FTP Server." The default configuration often at least comes close to handling this role.

Running the FTP Server

Consult Chapter 4, Starting Servers, for detailed information about running servers from a super server, SysV startup scripts, and local startup scripts. If you're using an FTP server package that shipped with your distribution, chances are you'll need to make few or no changes to get the server to run. There are a few caveats you should consider, though:

  • Some distributions that use inetd ship with an /etc/inetd.conf file that includes separate entries for the different FTP servers. You may be able to install multiple FTP servers and switch between them by commenting out the inetd.conf entry for the server you don't want to use and restarting inetd. If you install only one FTP server, you must be sure to uncomment only the entry for the appropriate server. If you uncomment the wrong entry, your FTP server won't work.

  • Most distributions that use xinetd include a file in /etc/xinetd.d to start the FTP server. This file is part of the FTP server package. This file probably includes a line that reads disable = yes, which has the effect of disabling the FTP server configuration. This entry exists as a security measure; it forces you to actively change the entry to read disable = no in order to run the FTP server. (You must also restart xinetd to have this change take effect.)

  • Whether run from inetd or xinetd, FTP servers can accept parameters. The standard configuration files include appropriate parameters for typical installations using the FTP servers that ship with the distribution. If you want to use a different FTP server, you may need to adjust the parameters that are passed to the server, as well as the server's filename, in your super server configuration file.

If your FTP site is extremely popular, you might want to run your FTP server via a SysV or local startup script. Doing so will produce slightly quicker responses to incoming FTP requests, but FTP servers are small enough that this effect is fairly minimal. A few installations, such as Debian's and Mandrake's ProFTPd installations, run in this way by default, perhaps because ProFTPd most easily supports anonymous FTP when it's run as a standalone server.
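The two super-server caveats above (exactly one uncommented ftp line in inetd.conf, and disable = yes in the xinetd service file) are easy to check before restarting anything. The following script is an added example, not code from the book or from either FTP server package: it parses an inetd.conf fragment and an xinetd service file, both constructed inline, and reports whether the FTP entry is active. The file contents, service names and server paths are illustrative assumptions.

```python
"""Check super-server entries for an FTP server (added example)."""
import re

# Constructed inetd.conf sample: two ftp lines, one commented out, as the text
# describes for distributions that ship entries for several FTP servers.
INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.proftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
"""

# Constructed /etc/xinetd.d/ftp-style sample, still shipped disabled.
XINETD_FTP = """\
service ftp
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
}
"""


def active_inetd_entries(text, service="ftp"):
    """Return the uncommented inetd.conf lines whose service field is `service`."""
    active = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.split()[0] == service:
            active.append(stripped)
    return active


def check_inetd(text, service="ftp"):
    """A single-server setup needs exactly one active entry for the service."""
    entries = active_inetd_entries(text, service)
    if not entries:
        return "no active %s entry: the server will not be started" % service
    if len(entries) > 1:
        return "%d active %s entries: comment out all but the one you want" % (len(entries), service)
    return "ok: " + entries[0]


def parse_xinetd_service(text):
    """Parse one `service name { key = value ... }` block into a dict."""
    match = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no service block found")
    attrs = {"service": match.group(1)}
    for line in match.group(2).splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def xinetd_enabled(text):
    """True unless the block carries `disable = yes` (xinetd's default is enabled)."""
    return parse_xinetd_service(text).get("disable", "no").lower() != "yes"


def enable_xinetd_service(text):
    """Return the file text with `disable = yes` changed to `disable = no`."""
    return re.sub(r"^(\s*disable\s*=\s*)yes\s*$", r"\1no", text, flags=re.M)


if __name__ == "__main__":
    print(check_inetd(INETD_CONF))
    print("xinetd ftp enabled:", xinetd_enabled(XINETD_FTP))
    print("after edit:", xinetd_enabled(enable_xinetd_service(XINETD_FTP)))
```

Run it against the real /etc/inetd.conf or /etc/xinetd.d/ file by reading the file into the functions; the edit function only changes the text it returns, so writing it back (and restarting the super server) is a separate, deliberate step.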

Before proceeding with further configuration, you may want to check that the FTP server is working for conventional authenticated logins (that is, using a username/password pair). At the very least, the server should respond with some sort of login prompt when you try to use an FTP client from a remote host. For instance, consider the following exchange, using the basic Linux ftp program:

 $ ftp harding.threeroomco.com
 ftp: connect: Connection refused

This indicates that the FTP server isn't running at all. If you get this response, you should check your system log files for clues about why the server isn't running. If you just installed the server, you must remember to start it running or restart your super server. Once you've gotten a response out of the server, you can continue to fine-tune its configuration.

WU-FTPD Configuration

Configuring WU-FTPD requires editing one or more of several configuration files. Using these files, you can control who may access the FTP server and what users can do with the server. Some files also set up special options that permit WU-FTPD to process files or execute advanced commands for users.

WU-FTPD Configuration Files

Most distributions that use WU-FTPD place its configuration files directly in /etc. There are several WU-FTPD configuration files, and their names all begin with ftp:

  • ftpaccess: This is the most complex WU-FTPD configuration file, and is described in more detail shortly. It's used to set logging options, permissions used by anonymous access, low-level TCP/IP options, and so on.

  • ftpconversions: One of the features you can activate in ftpaccess is the ability to automatically compress files or archive directories prior to transmission to the client. To use this feature, you must define file types to be archived or compressed in this file.

  • ftphosts: You can limit the hosts and even users who may access your FTP server by using this file. Lines that begin with allow explicitly allow the specified hosts, and those that begin with deny explicitly deny the specified hosts. For instance, deny sjones prevents the user called sjones from using FTP, and deny badsite.pangaea.edu prevents all users from badsite.pangaea.edu from logging in.

  • ftpusers: This file contains a list of local users who aren't allowed to use the WU-FTPD server. This file operates through the Pluggable Authentication Module (PAM) system; it's technically not part of WU-FTPD. Nonetheless, it can be a useful way to protect your FTP server from abuse. The default version of this file contains various system account names, such as root, nobody, and daemon. You can add more such account names if you need to create them for other servers or for special purposes.

  • ftpservers: Normally, WU-FTPD presents the same options to all clients. You can use this file to specify an entirely separate configuration for specified hosts, though. Each line in this file is an IP address, hostname, or domain name followed by a directory name. WU-FTPD then looks to the specified directory for the normal FTP configuration files if a connection request comes from the specified client. For instance, 192.168.21.8 /etc/ftpd/trusted causes WU-FTPD to look in /etc/ftpd/trusted for other configuration files if 192.168.21.8 makes a connection. Thus, you might create a default configuration with tight controls on who may use the system, but loosen those restrictions for specified clients, such as those on your local network.

Each of these files can be important in implementing particular FTP server configurations. The most important file for most options is ftpaccess, but ftphosts, ftpusers, and ftpservers can be useful in securing your server. If you want WU-FTPD to process files it transfers, ftpconversions is the one to modify, possibly in conjunction with ftpaccess.

Common WU-FTPD Configuration Options

Many WU-FTPD configuration options are built around the concept of a user class. This is a logical grouping of users, similar in some ways to a Linux group. WU-FTPD classes are defined in terms of the source IP address or hostname of the client, though. You set up a class in ftpaccess by using the class option, which takes the following form:

 class classname typelist addresslist

The components of this definition are as follows:

  • classname: This is a name for the class. The default configuration for many distributions defines a class called all, but you can change or expand upon this definition.

  • typelist: This is a comma-separated list of the types of local accounts or access types to which the class applies: real for local user accounts, guest for guest accounts, and anonymous for anonymous accounts.

  • addresslist: This is a list of IP addresses, hostnames, or domain names that belong to the class. Preceding an entry with an exclamation mark (!) causes that entry to not be included in the list. An asterisk (*) stands for all clients. If you include multiple entries, they're combined with a logical OR operation. For instance, threeroomco.com, pangaea.edu creates a class for clients in either domain.

The standard ftpaccess file includes a definition similar to the following:

 class all real,guest,anonymous *

This entry sets up a default generic class that applies to all types of access and assigns all callers to this class. To fine-tune your configuration, you might create multiple classes, such as one for local users and one for remote users. Even if the class entries are identical except for the addresslist, you can use them differently in subsequent options. Some of these additional options include the following:

  • deny addresslist messagefile: This option tells WU-FTPD to deny all access to the specified addresses. It's similar to a deny specification in ftphosts, but you can specify a filename that's to be sent to the host as a rejection notice so that users know why they weren't allowed in.

  • autogroup groupname class [, class ...]: You can have WU-FTPD perform a setgid operation to groupname if a member of a specified class logs in. You might do this to allow anonymous members of the class to read files for which groupname has read access, but for which world read access doesn't exist.

  • defumask umask class [, class]: This option tells WU-FTPD to create files with the specified umask for members of a specified class, when a user uploads a file.

  • timeout option seconds: You can set various timeout values with this option. The option value may be accept, connect, data, idle, maxidle, or rfc931.

  • noretrieve [relative|absolute] [class=classname] filenames: This option tells WU-FTPD to disallow transfer of the specified filenames. If a specified filename is actually a directory name, the entire directory is restricted. You may optionally limit this option to a specified class. The relative and absolute parameters refer to whether the file specifications are interpreted as absolute (relative to the computer's true root directory) or relative to a chroot environment, as described in Chapter 23, Configuring a chroot Jail. By default, filenames beginning with a slash (/) are interpreted as absolute. An example of this option might be noretrieve /etc /usr, which prevents transfer of any files in the /etc or /usr directories.

TIP

You may want to use noretrieve to disallow access to /etc/passwd, /etc/shadow, /etc/ftpaccess, core (in any directory), and any other sensitive site-specific files.


  • allowretrieve [relative|absolute] [class=classname] filenames: This option is an explicit counter to noretrieve; it grants exceptions to a noretrieve rule. Its syntax is identical to that of noretrieve.

  • message filename [when] [class]: This option lists a file to be displayed to the FTP client under certain circumstances. Specifically, if when is login, the message is displayed as soon as the user logs in. If when is cwd=dir, where dir is a particular directory, then the message is displayed when the user moves into that directory. You may optionally limit this message to certain classes of users by adding the class name to the end of the option. As an example of this option in use, consider message .message cwd=*. This causes WU-FTPD to send the contents of the .message file in a directory whenever a user changes into that directory. This allows you to create banner messages describing the contents of particular directories, or the purpose of the FTP server as a whole.

  • compress [yes|no] class [, class]: You can enable compression using this option. If a file exists and a user requests a file of that name but with an extra filename extension that indicates compression added (such as file.gz rather than file), then WU-FTPD will compress the original file and send it to the user. The extensions that indicate compression are specified in the ftpconversions file.

  • tar [yes|no] class [, class]: This option works much like compress, but it applies to creating tar files from directories. You can use this feature to provide a simple way for users to retrieve entire directories worth of files.

  • chmod, delete, overwrite, rename, and umask: These options all take yes or no followed by a typelist, as described earlier with reference to class definition. (You can also use an existing class name.) When specified, these options permit or deny use of the named FTP command by the client. For instance, delete no guest,anonymous configures WU-FTPD to forbid guest and anonymous users from deleting files.

  • dns refuse_mismatch filename: If a forward DNS lookup on the hostname obtained from a reverse DNS lookup on the client's IP address doesn't match the original IP address, this option causes WU-FTPD to deny the connection. First, though, it displays the specified filename so that the user knows something is wrong.

  • dns refuse_no_reverse filename: This option causes WU-FTPD to refuse a connection if there's no reverse DNS lookup on the client's IP address. WU-FTPD sends filename to the offender to explain the refusal.

These are only a few of the most common and useful WU-FTPD options. Consult the ftpaccess man page for more. The upcoming section, "WU-FTPD Anonymous Options," describes some that are of particular interest if you want to set up an anonymous FTP site.
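Class membership, noretrieve and allowretrieve interact, and it is worth checking what a rule set actually blocks before relying on it. The script below is an added example, not WU-FTPD's own code: a simplified model of the class, noretrieve and allowretrieve options described above, run over a constructed ftpaccess fragment. Its assumptions: addresslist entries are space-separated shell-style globs tried in order, with a ! entry excluding clients that match it; the relative/absolute keywords and the chroot case are not modelled; paths are normalised before comparison; a filename without a leading slash (such as core) matches that basename in any directory.

```python
"""Evaluate ftpaccess class and retrieval rules for one request (added example)."""
import fnmatch
import posixpath

# Constructed ftpaccess fragment (sample data, not a distribution default).
FTPACCESS = """\
class  local   real,guest,anonymous  192.168.21.* 10.*
class  remote  real,guest,anonymous  !192.168.21.* !10.* *
noretrieve /etc /usr core
noretrieve class=remote /pub/internal
allowretrieve class=local /etc/motd
"""


def parse_ftpaccess(text):
    """Return ([(classname, typelist, addresslist)], [(keyword, class, names)])."""
    classes, rules = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "class":
            classes.append((fields[1], fields[2].split(","), fields[3:]))
        elif fields[0] in ("noretrieve", "allowretrieve"):
            cls, names = None, []
            for field in fields[1:]:
                if field.startswith("class="):
                    cls = field[len("class="):]
                elif field not in ("relative", "absolute"):   # keywords not modelled
                    names.append(field)
            rules.append((fields[0], cls, names))
    return classes, rules


def address_in_list(addr, addresslist):
    """First matching entry decides; a `!` entry excludes the client (assumption)."""
    for entry in addresslist:
        negate = entry.startswith("!")
        if fnmatch.fnmatchcase(addr, entry.lstrip("!")):
            return not negate
    return False


def client_classes(classes, addr, login_type):
    """Names of every class whose typelist and addresslist both match."""
    return [name for name, types, addrs in classes
            if login_type in types and address_in_list(addr, addrs)]


def path_matches(path, spec):
    """A spec with a leading slash covers that file or everything below that
    directory; a bare name such as `core` matches that basename anywhere."""
    path = posixpath.normpath(path)
    if spec.startswith("/"):
        spec = posixpath.normpath(spec)
        return path == spec or path.startswith(spec.rstrip("/") + "/")
    return posixpath.basename(path) == spec


def may_retrieve(text, addr, login_type, path):
    """False when a noretrieve rule applies and no allowretrieve excepts it."""
    classes, rules = parse_ftpaccess(text)
    mine = client_classes(classes, addr, login_type)
    blocked = allowed = False
    for keyword, cls, names in rules:
        if cls is not None and cls not in mine:
            continue   # rule is limited to a class this client is not in
        if any(path_matches(path, name) for name in names):
            if keyword == "noretrieve":
                blocked = True
            else:
                allowed = True
    return allowed or not blocked


if __name__ == "__main__":
    for addr, path in (("192.168.21.8", "/etc/passwd"), ("192.168.21.8", "/etc/motd"),
                       ("203.0.113.5", "/etc/motd"), ("203.0.113.5", "/pub/internal/plan.txt"),
                       ("10.1.2.3", "/home/sjones/core")):
        verdict = "allowed" if may_retrieve(FTPACCESS, addr, "real", path) else "blocked"
        print(addr, path, "->", verdict)
```

The path normalisation matters: a request for /usr/../etc/passwd is compared as /etc/passwd, so the /etc rule still applies.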

ProFTPd Configuration

ProFTPd's configuration style is inspired by that of Apache, so if you're familiar with Apache configuration, you'll find many of ProFTPd's option names and the general configuration style quite familiar.

ProFTPd Configuration Files

The main ProFTPd configuration file is proftpd.conf, and it's usually stored in /etc. You set most ProFTPd options in this file. Some lines in this file are comments, which begin with pound signs (#) and continue to the end of the line. Most noncomment lines take the following form:

 Directive [Value]

A few directives accept multiple values as options. Some directives are grouped together, as indicated by surrounding directives in angle brackets (<>), such as the following grouping:

 <Limit WRITE>
   DenyAll
   Allow from 172.21.33.
 </Limit>

The closing directive for the group uses a slash (/) to indicate that it's the end of that block of directives.

In addition to the main configuration file, ProFTPd uses the ftpusers file. ProFTPd uses this file in the same way as WU-FTPD uses the file of the same name. Specifically, ProFTPd blocks the usernames listed in the file from being used as FTP login usernames. (More precisely, ProFTPd relies upon PAM for authentication, and PAM uses ftpusers to determine who is not allowed access to the FTP server.) Default ProFTPd installations generally include ftpusers files that list common system usernames, such as nobody, daemon, and root. You should probably add any system accounts you create for unusual servers to this list. You can also enter ordinary usernames, if those users should not have FTP access to the system.
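Both the WU-FTPD ftpusers description earlier and the ProFTPd paragraph above make the same recommendation: every system account you add should end up in ftpusers. The following audit is an added example, not from the book or from either server; both files it reads are constructed inline. What counts as a system account is an assumption about local policy (here, a UID below 1000 or a shell that never allows a login), so adjust the threshold and shell list to match the host.

```python
"""Audit an ftpusers file against the accounts in passwd (added example)."""

# Constructed /etc/passwd sample.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
bin:x:2:2:bin:/bin:/sbin/nologin
nobody:x:65534:65534:Nobody:/:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
sjones:x:1001:1001:Sarah Jones:/home/sjones:/bin/bash
backup:x:1003:1003:Backup Agent:/var/backups:/bin/false
"""

# Constructed /etc/ftpusers sample: one name per line, as both servers expect.
FTPUSERS = """\
# accounts that may not log in over FTP
root
bin
daemon
games
nobody
"""

# Assumed set of shells that never permit an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Yield (name, uid, shell) for every account line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            yield fields[0], int(fields[2]), fields[6]


def parse_ftpusers(text):
    """Set of names listed in ftpusers, ignoring blank lines and comments."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def is_system_account(uid, shell, uid_threshold=1000):
    """Assumed local policy: a low UID or a shell that never allows a login."""
    return uid < uid_threshold or shell in NOLOGIN_SHELLS


def missing_from_ftpusers(passwd_text, ftpusers_text):
    """System accounts that ftpusers does not list; PAM will still let them in."""
    denied = parse_ftpusers(ftpusers_text)
    return sorted(name for name, uid, shell in parse_passwd(passwd_text)
                  if is_system_account(uid, shell) and name not in denied)


def stale_ftpusers_entries(passwd_text, ftpusers_text):
    """Names in ftpusers with no passwd entry: harmless, but a sign the file
    has drifted from the account list."""
    known = {name for name, _, _ in parse_passwd(passwd_text)}
    return sorted(parse_ftpusers(ftpusers_text) - known)


if __name__ == "__main__":
    print("missing from ftpusers:", missing_from_ftpusers(PASSWD, FTPUSERS))
    print("stale ftpusers entries:", stale_ftpusers_entries(PASSWD, FTPUSERS))
```

On a real host, feed it the contents of /etc/passwd and /etc/ftpusers; the account that anonymous access maps to (often ftp, as noted later for UserAlias) is one you would deliberately leave off the list if you run an anonymous service, so review the output rather than appending it blindly.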

Common ProFTPd Configuration Options

ProFTPd supports a wide range of configuration directives. These are detailed in the official ProFTPd documentation, available at http://www.proftpd.org/docs/. Chances are you don't need to use all of these options, though.

First, it's necessary to know something of the different types of directives that set up context blocks. Many directives apply only within certain context blocks, so knowing what these blocks are can be extremely important. The most common blocks are as follows:

  • <Anonymous dirname>: You can create an anonymous FTP site by using this directive, in which you specify directives that apply to anonymous FTP access, distinct from normal username/password access. Anonymous users will be able to access files only within the specified dirname; ProFTPd does a chroot to this directory, as described in Chapter 23.

  • <Directory dirname>: You specify a directory to which a set of directives will apply with this option. As you might expect, dirname is the directory name. This name must normally be specified in an absolute sense, that is, with a leading slash (/). Default ProFTPd configuration files often include a block headed by <Directory /*> to specify the default behavior for all directories.

  • <Global>: The <Global> directive block sets options that apply globally to the main server configuration and all <VirtualHost> configurations.

  • <Limit command-group>: This option specifies a set of FTP client commands whose actions are to be limited according to the directives that follow this option. The command-group is a set of one or more FTP commands, such as CWD, CDUP, MKD, RNFR, RNTO, DELE, RMD, RETR, and STOR. Special grouping commands include READ (all read commands), WRITE (all writing commands), DIRS (all directory-related commands), and ALL (all commands). You can also use LOGIN to limit login access.

  • <VirtualHost address>: ProFTPd can apply different directives depending upon how it's addressed by using this option. You can specify an address as an IP address or hostname, and when ProFTPd answers calls to that address, it uses the directives included within its block.

Most directives can be used within one or more of the preceding blocks, and many can be used outside of any block as global options. If a directive appears globally and within a directive block (or in two nesting locations within nested blocks), the more nested instance overrides the more global instance when the blocking condition applies. The more common and useful directives include the following:

  • Allow [from] network-specifier: This directive is used within a <Limit> block to specify what clients may access the resource in question. In particular, network-specifier is a comma-delimited list of IP addresses, hostnames, domain names (preceded by a period), IP blocks (followed by a period), or the keywords all or none. You may include from after Allow, but its use is optional and purely cosmetic; it doesn't affect the function of the directive.

TIP

If possible, use IP addresses or IP blocks rather than hostnames or domain names. This reduces the FTP server's reliance upon the DNS server for this security function, thus making it more difficult to break into the FTP server.


  • AllowAll: ProFTPd implicitly allows access to directories, but this behavior can be overridden in various ways. You may use AllowAll in a <Directory>, <Limit>, or <Anonymous> block to restore the default allowed access.

  • AllowGroup group-list: You can permit access to areas in a <Limit> block to particular groups with this directive. The group-list is a comma-separated list of groups, and a user must be a member of all the listed groups to pass this test. If a group name is preceded by an exclamation mark (!), its sense is reversed, so you can allow users who are not members of that group. This option is often used to override a denying directive that would otherwise block access, such as DenyAll.

  • AllowOverwrite [on|off]: You can allow users to overwrite existing files with this directive. The default is off, which denies overwriting rights.

  • AllowUser user-list: This directive allows you to override a denying directive in order to give a specific user or set of users access to a resource that's been explicitly denied to others. If a username is preceded by an exclamation mark (!), all users except that one are permitted access.

  • DefaultRoot dirname [group-list]: You can tell ProFTPd to lock a user into a specified directory tree by specifying its name with this option. The dirname must begin with either a slash (/) for an absolute directory or a tilde (~) for the user's home directory. You can have this directive apply to only some users by specifying an appropriate group-list, which is like the list in AllowGroup.

TIP

You can prevent users from wandering into others' directories, or into system directories, by including a DefaultRoot ~ directive as a global option. When so configured, ProFTPd allows users to access only files within their home directories.


  • DefaultTransferMode [ascii|binary]: FTP provides two common transfer modes. Binary transfers the file exactly as-is, but ASCII provides for conversion between text file formats. Most commonly, UNIX-, DOS-, and Macintosh-style end-of-line characters are converted in an ASCII transfer. Although ASCII transfers can be convenient for text files, they're disastrous for binary files, which are corrupted when transferred using ASCII mode. ProFTPd lets you set the default transfer mode with the DefaultTransferMode directive. This directive defaults to ascii.

  • Deny [from] network-specifier: This directive is the opposite of Allow; it blocks clients from accessing a resource within a <Limit> block.

  • DenyAll: You can use this directive within a <Limit>, <Anonymous>, or <Directory> block to deny all users access to the specified resource. You might want to follow it with some specific allow options to loosen the restrictions for particular users.

  • DenyGroup group-list: This directive allows you to specify a group that's to be denied access in a <Limit> block. The group-list is defined the same way as in the AllowGroup directive.

  • DenyUser user-list: This directive works like AllowUser, except that it blocks access to a resource specified by <Limit>, rather than enabling access.

  • DisplayConnect filename: ProFTPd displays filename when the user connects, but before a logon is complete, if you use this directive.

  • DisplayFirstChdir filename: This directive causes ProFTPd to display the contents of filename the first time a user moves into a directory. This often defaults to .message, which causes the .message file in the target directory to be displayed to users.

  • DisplayLogin filename: This directive is much like DisplayConnect, but its message appears after a user has successfully logged in.

  • Group groupid: When run as a standalone server, ProFTPd starts up as root, but changes identity as quickly as possible to minimize the security risk of a server running as root. You set the group to which it changes with this directive. Many default configurations set the group to nogroup, ftp, or some other low-privilege group.

  • MaxClients number|none: You can limit the number of clients that may log in with this directive. If you specify a number (such as 30), that's the limit; none is a code that disables this feature.

  • MaxInstances number: This directive is similar to MaxClients in that both limit the number of connections ProFTPd accepts. MaxInstances, though, counts connections, whereas MaxClients counts successful logins. MaxInstances is ineffective if you launch ProFTPd from a super server, but super servers provide similar functionality themselves.

  • Order allow,deny|deny,allow: When both allow and deny directives appear in a <Limit> block, ProFTPd checks all allow directives, then all deny directives by default. The result is that the allow directives take precedence, and any access that's not explicitly denied is allowed. You can use Order deny,allow to change this ordering, giving deny directives precedence and making denial the default behavior.

  • RootLogin on|off: By default, ProFTPd denies access to root as a security measure. You can change this behavior by setting RootLogin on. (You may also need to adjust other features, such as removing root from /etc/ftpusers.)

  • ServerIdent on|off ["ident-string"]: This directive tells ProFTPd whether to identify itself when users connect. If set to on, you can specify an identification string. The default configuration usually identifies the server as being ProFTPd, which may be more information than you care to make readily available, so changing this string is advisable.

  • ServerName "ident-string": This directive sets part of the name used by the default ServerIdent directive. You can override both with ServerIdent alone, but if you want to make a more modest change, you can alter ServerName alone.

  • ServerType inetd|standalone: You must set this directive correctly for your configuration. If you run ProFTPd through a super server, set ServerType to inetd; if you run the server from a SysV or local startup script, use standalone. This tells ProFTPd whether to expect to be run as an ordinary user and service requests directly (inetd) or to be run as root, spawning processes to handle specific connections (standalone).

  • SyslogLevel emerg|alert|crit|error|warn|notice|info|debug: This directive sets the verbosity of ProFTPd's logging information. emerg is least verbose, debug is most verbose, and the others fall in between.

  • TransferLog filename|NONE: You can specify a log file to hold information on file transfers, or disable this feature by specifying NONE. You can set this option to create multiple log files for different purposes by using it independently in <Anonymous>, <VirtualHost>, <Global>, and the general (ungrouped) configuration areas.

  • Umask file-mask [directory-mask]: This directive specifies the umask to be used when creating new files (and, if specified, directories). The default is usually 022, which is reasonable for many systems.

  • UseFtpUsers on|off: You can turn off ProFTPd's use of the /etc/ftpusers file by setting UseFtpUsers off. The default value is on.

  • UserAlias alias username: ProFTPd normally uses the username provided during the login process as the username for authentication. You can create aliases, though, which are treated just like the specified username. For instance, UserAlias rjones ronald causes any login attempt as rjones to be authenticated against the ronald user account. (This configuration is common for anonymous access, which often uses the ftp account internally.)

These directives, and others not described here, combine to give ProFTPd a great deal of configurability. Most installations create a standard login ability, so that users may log in and access their own files. There may also be a standard <Anonymous> section to support anonymous logins, which ignore the password and so may be used by anybody. The anonymous configuration may require a few additional changes, as well as placement of files to be accessed by anonymous users, to be useful.
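Several of the directives above carry a security recommendation in this section: DefaultRoot ~ to keep users in their home directories, RootLogin left off, UseFtpUsers left on, a changed ServerIdent, and IP addresses rather than hostnames in Allow and Deny. The script below is an added example, not ProFTPd's code: a small parser for the Directive/Value and <Block> ... </Block> syntax, run over two constructed proftpd.conf samples, one loosely configured and one with the findings addressed. The directive names are ProFTPd's; the sample files, the finding texts and the "IP address or block" test are assumptions of mine.

```python
"""Audit a proftpd.conf for the hardening points in this section (added example)."""
import re

WEAK_CONF = """\
# Constructed sample: works, but loosely configured
ServerName      "Three Room Co. FTP"
ServerType      standalone
User            nobody
Group           nogroup
Umask           022
RootLogin       on
DefaultRoot     /home/ftp staff

<Directory /home/*>
  <Limit WRITE>
    DenyAll
    Allow from 172.21.33.
    Allow from trusted.threeroomco.com
  </Limit>
</Directory>
"""

HARDENED_CONF = """\
# Constructed sample: same layout with the findings addressed
ServerName      "FTP service"
ServerType      standalone
User            nobody
Group           nogroup
Umask           022
ServerIdent     off
RootLogin       off
UseFtpUsers     on
DefaultRoot     ~

<Directory /home/*>
  <Limit WRITE>
    DenyAll
    Allow from 172.21.33.,192.168.21.
  </Limit>
</Directory>
"""

# An IP address or a dotted IP block such as 172.21.33. (anything else needs DNS).
IP_SPEC = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?$")


def parse_proftpd(text):
    """Return a tree of (block name, block argument, directives, children)."""
    root = ("main", "", [], [])
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opening = re.match(r"<(\w+)\s*([^>]*)>$", line)
        if opening:
            node = (opening.group(1), opening.group(2).strip(), [], [])
            stack[-1][3].append(node)
            stack.append(node)
        elif re.match(r"</\w+>$", line):
            stack.pop()
        else:
            parts = line.split(None, 1)
            stack[-1][2].append((parts[0], parts[1] if len(parts) > 1 else ""))
    return root


def walk(node, path=()):
    """Yield (tuple of enclosing block names, directive, value) for every directive."""
    for directive, value in node[2]:
        yield path, directive, value
    for child in node[3]:
        yield from walk(child, path + (child[0],))


def findings(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    seen = {}
    for path, directive, value in walk(parse_proftpd(text)):
        seen.setdefault(directive, []).append((path, value))
    out = []
    # Only an unconditional DefaultRoot ~ in the main or <Global> scope jails everyone.
    roots = [v.split() for p, v in seen.get("DefaultRoot", []) if p in ((), ("Global",))]
    if ["~"] not in roots:
        out.append("no unconditional 'DefaultRoot ~': users can browse outside their home directories")
    for directive, bad, why in (("RootLogin", "on", "root may log in over FTP"),
                                ("UseFtpUsers", "off", "/etc/ftpusers is ignored")):
        if any(v.lower() == bad for _, v in seen.get(directive, [])):
            out.append("%s %s: %s" % (directive, bad, why))
    idents = [v.lower().split() for _, v in seen.get("ServerIdent", [])]
    if not idents or ["on"] in idents:
        out.append("ServerIdent left at default: banner names the server software")
    for directive in ("Allow", "Deny"):
        for path, value in seen.get(directive, []):
            for spec in re.sub(r"^from\s+", "", value).split(","):
                spec = spec.strip()
                if spec.lower() not in ("all", "none") and not IP_SPEC.match(spec):
                    out.append("%s %s inside <%s> relies on DNS; prefer an IP address or block"
                               % (directive, spec, "/".join(path)))
    return out


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", findings(conf) or ["no findings"])
```

The parser keeps the block path with each directive, which is what makes the DefaultRoot check meaningful: the same directive inside a <VirtualHost> or with a trailing group-list only covers part of the user population, so it is not counted as the global jail the TIP above recommends.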



Advanced Linux Networking
ISBN: 0201774232
Year: 2002
Pages: 203