Using Alternative FTP Servers


Many alternative FTP server packages exist; the three most popular are Washington University's WU-FTPD, the highly secure vsftpd, and the highly configurable ProFTPD. All three of these packages provide features that are not available in the default FTP server, including extremely flexible configurability and extra security measures.

WU-FTPD

Originally developed at Washington University to host the WUarchive (once one of the most popular file-sharing and distribution locations on the Internet), WU-FTPD has gained in popularity to become the most frequently used FTP server in the world, even though its development has stagnated in recent years and a number of serious security problems plague it. It was the default FTP daemon in Linux and many commercial UNIX brands for many years, until it was replaced with vsftpd.

WU-FTPD's configuration differs from FreeBSD's default ftpd in a few subtle ways, and it has a few features that the default ftpd does not, such as a configuration-checking tool, on-the-fly compression and archiving, and limitations on access and transfers by time and date. You might choose to install WU-FTPD to maintain compatibility with an existing non-FreeBSD system.

WU-FTPD is available as a package or in the ports (/usr/ports/ftp/wu-ftpd). After installing it, you can switch to it from the FreeBSD ftpd by commenting out the ftp line in /etc/inetd.conf and replacing it with one that points to the new ftpd:

ftp    stream   tcp    nowait   root    /usr/local/libexec/ftpd ftpd -l
#ftp   stream   tcp    nowait   root    /usr/libexec/ftpd       ftpd -l


Tip

WU-FTPD is installed as /usr/local/libexec/ftpd, and its man page can't be accessed directly with man ftpd; you'll get the page for the default system ftpd instead. To see the correct page, use the -M option to specify an alternate man path, like so:

man -M /usr/local/man ftpd



More information on WU-FTPD is available at http://www.wu-ftpd.org.

vsftpd

A server with the stated purpose of being Very Secure (hence the name), vsftpd is the FTP server of choice for most modern Linux distributions. It's endorsed by the SANS Institute as the most secure FTP solution available, as well as being the server of choice for the FTP distribution sites of most major Linux distributions and the FreeBSD FTP server itself, ftp.freebsd.org.

Because vsftpd is very small and self-contained, it uses a single configuration file (/usr/local/etc/vsftpd.conf) and only one or two external user list files that you specify in the main configuration file. This does not, however, mean that it's lacking in features; indeed, it contains many of the advanced features that only very extensive servers such as ProFTPD offer, such as virtual hosts, virtual users, bandwidth throttling, transfer limitations, and so on. It runs as a standalone daemon rather than out of inetd.

More information on vsftpd can be found at http://vsftpd.beasts.org.

ProFTPD

ProFTPD was developed with the intention of creating an FTP server that could be managed with configuration files that resembled those of the Apache web server. ProFTPD's config file has hierarchical configuration blocks like those in httpd.conf (as you saw in Chapter 26) and directives that are similar in style to those of Apache. The result is a server that has very Apache-like access-limitation features as well as a high level of configurability, especially for administrators who are at all familiar with Apache. It's available as a package or from the ports (/usr/ports/ftp/proftpd).

One difference between ProFTPD and its relatives is that it can be run in standalone mode, like Apache, rather than from inetd. If you do run it from inetd, replace the default ftp line with one pointing to /usr/local/libexec/proftpd:

ftp    stream  tcp     nowait   root     /usr/local/libexec/proftpd      proftpd
#ftp   stream  tcp     nowait   root     /usr/libexec/ftpd       ftpd -l
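After editing /etc/inetd.conf for WU-FTPD or ProFTPD as described above, it is worth confirming that no active ftp entry still launches the old daemon. The following check is an added example, not part of the original text; the sample file is constructed and assumes an IPv6 (tcp6) ftp entry was also enabled and overlooked during the edit.

```shell
#!/bin/sh
# Added example: verify which FTP daemon inetd will launch.
# inetd.conf fields: service socket proto wait user server-program args...

# check_ftp_switch FILE EXPECTED_SERVER
# Succeeds only if at least one uncommented "ftp" entry exists and every
# such entry runs EXPECTED_SERVER. A commented line ("#ftp ...") has
# "#ftp" as its first field, so it is never counted as active.
check_ftp_switch() {
    awk -v want="$2" '
        $1 == "ftp" && $2 == "stream" {
            n++
            if ($6 != want) {
                bad++
                printf "FAIL: line %d still runs %s\n", NR, $6
            }
        }
        END {
            if (n == 0) { print "FAIL: no active ftp entry"; exit 1 }
            if (bad) exit 1
            printf "OK: %d active ftp entr%s, all run %s\n",
                   n, (n == 1 ? "y" : "ies"), want
        }' "$1"
}

# Constructed sample: the tcp entry was switched to WU-FTPD, but an
# enabled tcp6 entry still points at the system ftpd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ftp    stream   tcp    nowait   root    /usr/local/libexec/ftpd ftpd -l
#ftp   stream   tcp    nowait   root    /usr/libexec/ftpd       ftpd -l
ftp    stream   tcp6   nowait   root    /usr/libexec/ftpd       ftpd -l
EOF

check_ftp_switch "$sample" /usr/local/libexec/ftpd ||
    echo "inetd would still start the old daemon for some connections"
```

Run it against the real /etc/inetd.conf with the path of the daemon you intended to install as the second argument.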


The ProFTPD home page, http://www.proftpd.org, has much more information on ProFTPD's capabilities (such as its support for the secure FTPs protocol, which few others offer) and configuration directives.

Secure FTP (sftp)

The clear-text nature of FTP presents a problem. Although many users (especially those who rely on the built-in utilities in their desktop operating systems) still use traditional unencrypted FTP for transferring files, uploading web pages, and so on, this means that their critical user information (login names and passwords) is susceptible to interception by a third party with a packet sniffer.

There is, however, an encrypted alternative to FTP: sftp, which is part of the OpenSSH package installed by default as a part of FreeBSD. If you enabled SSH connections during the initial installation of FreeBSD, secure FTP communications are available without any further configuration on your part.

Clients can use the sftp command (built into FreeBSD, Linux, Mac OS X, and elsewhere) on the command line, or its graphical equivalent in any of the many GUI-based FTP client applications, to open an encrypted connection to your server. This connection invokes the /usr/libexec/sftp-server program on the server side, and from that point on the sftp session is functionally the same as a regular FTP session.

Configuring secure FTP, however, is done through the /etc/ssh/sshd_config file, which controls aspects of the SSH server, through which sftp operates. You'll use this file to present login banners and lock out users in the same manner as you would control access to the SSH daemon itself, and anonymous FTP access is not allowed over the secure channel. The activation and configuration of SSH is further described in Chapter 30.
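The sshd_config settings that govern sftp (the subsystem command, the login banner, and locked-out accounts) can be read back with a short script. This is an added example, not part of the original text; the sample configuration is constructed, and the banner path and user names in it are hypothetical.

```shell
#!/bin/sh
# Added example: list the global sshd_config settings that apply to sftp.
# Assumes the usual whitespace-separated "Keyword value" form.

# sftp_settings FILE
# Prints subsystem=, banner= and deny= lines for the global section.
sftp_settings() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        { key = tolower($1) }              # keywords are case-insensitive
        key == "match" { exit }            # stop before conditional blocks
        key == "subsystem" && $2 == "sftp" && !sub_seen {
            sub_seen = 1; print "subsystem=" $3
        }
        key == "banner" && !ban_seen { ban_seen = 1; print "banner=" $2 }
        key == "denyusers" { for (i = 2; i <= NF; i++) print "deny=" $i }
    ' "$1"
}

# is_locked_out FILE USER
# Succeeds if USER is named literally in a global DenyUsers list.
# Exact names only; DenyUsers patterns (wildcards, user@host) are not expanded.
is_locked_out() {
    sftp_settings "$1" | grep -qx "deny=$2"
}

# Constructed sample configuration (hypothetical banner path and accounts).
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample, not a shipped default
Subsystem   sftp    /usr/libexec/sftp-server
banner      /etc/ssh/banner.txt
DenyUsers   guest ftpuser
EOF

sftp_settings "$conf"
if is_locked_out "$conf" guest; then
    echo "guest cannot log in over ssh or sftp"
fi
```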




FreeBSD 6 Unleashed
ISBN: 0672328755
EAN: 2147483647
Year: 2006
Pages: 355
Authors: Brian Tiemann
