FTP access is not something you should enable lightly. Although it's crucial for your users to have access to FTP for uploading files (such as web pages) to your server, it's also a potential source of security issues: it's a clear-text mechanism, meaning that all data (including passwords) is transmitted unencrypted and available to anybody eavesdropping with packet-sniffing software. As you'll learn in Chapter 30, most major clear-text services can be superseded by a secure equivalent: Telnet with SSH, HTTP with Secure HTTP, and POP3 and IMAP with their own built-in encryption layers. FTP, however, is inherently insecure, and although several secure solutions have been put forth (such as the sftp command built into the OpenSSH package), unencrypted FTP holds out as the last widely used insecure data-transfer protocol, difficult to replace and a virtual requirement for a fully functional server. Many modern FTP client applications can support secure FTP, but it's still not built into the basic FTP mechanisms in Windows and Mac OS X, so traditional unencrypted FTP is still a widely demanded service for most users. You learn more about how to secure FTP at the end of this chapter and in Chapter 30; meanwhile, be aware that special care must be taken when enabling FTP access for your users to ensure your system's security.

With this in mind, you need a way to lock certain users out of connecting to the system via FTP. This can be done in a number of ways. The two most convenient involve the /etc/ftpusers and /etc/shells files. A third, /var/run/nologin, controls whether the server accepts connections at all.

The /etc/ftpusers File

The simplest way to forbid a certain individual user (or a group of users) from connecting to the FTP server is to add that user's login name to the /etc/ftpusers file, which exists in the default FreeBSD installation and contains the names of the various system pseudo-users (such as operator, bin, tty, and so on).
These users have null passwords, and ftpd will not allow anyone with a null password to connect anyway; but keeping these usernames in /etc/ftpusers, which rejects them explicitly by name, provides an extra layer of security. You can add any username to the file, and because ftpd reads all relevant configuration files with each new connection, there's no need to restart any processes. Try connecting to the FTP server as a disallowed user, and you should get a response similar to the following:

    # ftp localhost
    Connected to localhost.example.com.
    220 stripes.example.com FTP server (Version 6.00LS) ready.
    Name (localhost:frank):
    530 User frank access denied.
    ftp: Login failed.
    ftp>

Note: The access denied message appears immediately after the server receives the username; it doesn't prompt for a password. This prevents passwords from being sent over the wire, providing an extra security precaution in the case where you've disabled a user out of concern about an eavesdropper sniffing for passwords.

You can also add any group name to /etc/ftpusers; simply precede the name with an "at" (@) symbol (for example, @users). Any user who is a member of any group listed in the file will be denied access.

The /etc/shells File

After checking whether the user is listed in /etc/ftpusers, ftpd looks up the shell associated with the user and checks whether it's listed in /etc/shells. If it isn't, the user gets the same kind of access denied message as with /etc/ftpusers. You can leverage this functionality to prevent a user from logging in with a terminal program or with FTP by changing the user's shell to /sbin/nologin (which you saw in Chapter 9; it simply prints an "account not available" message and exits, and it's not listed in /etc/shells) or something similarly constructed.

The /var/run/nologin File

To turn off FTP logins completely, without modifying /etc/inetd.conf or any other such config files, you can simply place a file called nologin in /var/run.
If ftpd sees this file, it will respond to all connections as follows:

    # ftp localhost
    Connected to localhost.example.com.
    530 System not available.
    ftp>

You can enter touch /var/run/nologin to create the file (with zero length) and disable FTP logins. Remove the file (rm /var/run/nologin) to re-enable the FTP server.
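As an added illustration (not from the book and not ftpd's own code), the following shell script replays the three checks described above against constructed stand-ins for /etc/ftpusers, /etc/shells and /var/run/nologin in a temporary directory, so you can predict which reply a given account would get before touching the real files. The file contents, user names, shells and group names are made up for the example.

```shell
#!/bin/sh
# Added example: replays ftpd's three access checks against constructed sample
# files in a temp dir (nothing under /etc is touched). Audit helper only.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
# Constructed stand-in for /etc/ftpusers: pseudo-users, one real user, one @group
cat > "$tmp/ftpusers" <<'EOF'
# names rejected before a password is ever requested
operator
bin
tty
frank
@noftp
EOF
# Constructed stand-in for /etc/shells (/sbin/nologin deliberately absent)
cat > "$tmp/shells" <<'EOF'
/bin/sh
/bin/csh
/usr/local/bin/bash
EOF
# Whole-line, fixed-string match; a "# comment" line can never match a name
listed() { grep -qxF -- "$1" "$2"; }

# ftp_allowed USER SHELL [GROUP...]: prints the reply ftpd would give and
# returns 0 only when the attempt would get as far as a password prompt.
ftp_allowed() {
    user=$1; shell=$2; shift 2
    if [ -e "$tmp/nologin" ]; then
        echo "530 System not available."; return 1
    fi
    if listed "$user" "$tmp/ftpusers"; then
        echo "530 User $user access denied. (named in ftpusers)"; return 1
    fi
    for g in "$@"; do
        if listed "@$g" "$tmp/ftpusers"; then
            echo "530 User $user access denied. (group $g in ftpusers)"; return 1
        fi
    done
    if ! listed "$shell" "$tmp/shells"; then
        echo "530 User $user access denied. (shell $shell not in shells)"; return 1
    fi
    echo "331 Password required for $user."; return 0
}

# Demo: alice passes; frank, a @noftp member and a /sbin/nologin user do not
for args in "alice /bin/sh users" "frank /bin/sh users" \
            "bob /bin/csh users noftp" "carol /sbin/nologin users"; do
    set -- $args; ftp_allowed "$@" || :
done
```

Creating "$tmp/nologin" (as touch /var/run/nologin would on the real system) makes every call return the "System not available" reply regardless of user.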