Creating an Anonymous FTP Server

It is not difficult to create an anonymous FTP server. However, there are details involved in securing that server. When the server is properly configured, users won t be able to get above the base FTP directory, /var/ftp , and certainly not to the root ( / ) directory. The default Red Hat FTP configuration is based on the vsFTP server.

This section shows you how to create a basic anonymous-only FTP server. It can work with vsFTP or the WU-FTP servers. You can customize the configuration further using many of the settings described later in this chapter.

Configuring vsFTP

Once the appropriate packages are installed, you ll need to activate the service. Assuming you re using vsFTP, you d run the service vsftpd start command. Remember to use the appropriate chkconfig command (see Chapter 13 ) to make sure vsFTP is active the next time you start Linux.

As discussed earlier, the vsFTP configuration file, vsftpd.conf , allows anonymous access by default.

The key command in the vsFTP configuration file which supports an anonymous server was described in the first part of this chapter: refer to the anonymous_enable command in /etc/vsftpd/vsftpd . What follows is a description of what you would need to do to WU-FTP server configuration files.

Configuring WU-FTP

If you ve installed the WU-FTP server, you ll need to work with several /etc/ftp* configuration files, as described in the following sections. The next major section, "Configuring WU-FTP with Real Users," describes each configuration file in more detail.

Note  

WU-FTP is no longer included with Red Hat Linux; but you can download it from the FTP site at ftp.wu- ftpd .org or the SpeakEasy RPM library at www. rpmfind .net .

Anonymous Directories

You can set up a basic anonymous FTP connection on WU-FTP. You ll need the anonftp-* RPM to install several subdirectories in /var/ftp for the files and commands that an FTP user needs to navigate in that directory and its subdirectories. These subdirectories are listed in Table 27.3.

Table 27.3: Anonymous FTP Directories

Directory

Description

/var/ftp/bin

Executable shell commands; available commands are limited.

/var/ftp/etc

Configuration files; by default includes abbreviated versions of passwd and group .

/var/ftp/lib

Program libraries.

/var/ftp/pub

Files for users; permissions can be configured for uploads.

You need to know that WU-FTP is an xinetd service; the techniques described in Chapter 23 apply. Make sure that the service is not disabled in the /etc/xinetd.d/wu-ftpd file and that it isn t blocked in /etc/ hosts .deny (as well as by any iptables firewall that might be active).

Restricting Access

It s easy to limit access to an FTP server to anonymous users. First, open the /etc/ftpaccess configuration file. By default, it should include the following entry:

 # User classes . . . class    all    real,guest,anonymous    * 

This FTP access class allows access to real, guest, and anonymous users from all addresses. Limit access to anonymous users from the 192.168.0.0/24 network by changing this line as follows:

 class    all    anonymous    192.168.0.0/24 

Anonymous FTP Security

There are several default measures that protect an anonymous FTP website created with the WU-FTP server. In this section, we examine those measures.

Limiting Access

By default, all logins are directed to the /var/ftp directory. You can change that in /etc/ftpaccess by activating the following line for desired users:

 # realuser  user1  ,  user2  

If you remove the comment mark ( # ) and change user1 and user2 to real users on your system, the FTP server sends these users to their home directories when they log in ”and they have access to higher-level directories such as root ( / ).

If you want all users to access your FTP server starting in the /var/ftp directory, comment out this line in /etc/ftpaccess .

The chroot Jail

The concept that protects other directories on an FTP server is the chroot jail . By definition, there is no higher directory than root ( / ). The chroot /abc/def command changes the effective root directory to /abc/def .

On an anonymous FTP server, the /var/ftp directory looks like the root ( / ) directory. The configuration for the anonymous FTP server applies the chroot /var/ftp command to all users who log into that server. If an anonymous user tries to run a command such as cd /var or cd /etc , it won t work, because higher-level directories are protected by the chroot jail.

Command Limits

Access to dangerous commands can also be limited. By default, /etc/ftpaccess limits access to four commands, as shown. You may wish to add other commands to the list. For example, if you make a command executable by an authorized user, you can add it to this list to prevent access by anonymous users:

 chmod      no    guest,anonymous delete     no    anonymous overwrite  no    anonymous rename     no    anonymous 
 


Mastering Red Hat Linux 9
Building Tablet PC Applications (Pro-Developer)
ISBN: 078214179X
EAN: 2147483647
Year: 2005
Pages: 220

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net