It is not difficult to create an anonymous FTP server. The details lie in securing it. When the server is properly configured, anonymous users cannot get above the base FTP directory, /var/ftp , and certainly not to the root ( / ) directory. The default Red Hat FTP configuration is based on the vsFTP server.
This section shows you how to create a basic anonymous-only FTP server. It works with either vsFTP or the WU-FTP server. You can customize the configuration further using many of the settings described later in this chapter.
Once the appropriate packages are installed, you'll need to activate the service. Assuming you're using vsFTP, you'd run the service vsftpd start command. Remember to use the appropriate chkconfig command (see Chapter 13 ) to make sure vsFTP is active the next time you start Linux.
As discussed earlier, the vsFTP configuration file, vsftpd.conf , allows anonymous access by default.
The key directive in the vsFTP configuration file that supports an anonymous server was described in the first part of this chapter: refer to anonymous_enable in vsftpd.conf . What follows is a description of what you would need to do to the WU-FTP server configuration files.
If you've installed the WU-FTP server, you'll need to work with several /etc/ftp* configuration files, as described in the following sections. The next major section, "Configuring WU-FTP with Real Users," describes each configuration file in more detail.
WU-FTP is no longer included with Red Hat Linux, but you can download it from the FTP site at ftp.wu-ftpd.org or from the SpeakEasy RPM library at www.rpmfind.net .
You can set up a basic anonymous FTP service on WU-FTP. You'll need the anonftp-* RPM, which installs several subdirectories in /var/ftp holding the files and commands an FTP user needs to navigate that directory and its subdirectories. These subdirectories are listed in Table 27.3.
Table 27.3: Subdirectories of /var/ftp installed by the anonftp RPM
- Executable shell commands; the available commands are limited.
- Configuration files; by default these include abbreviated versions of passwd and group .
- Files for users; permissions can be configured for uploads.
WU-FTP is an xinetd service, so the techniques described in Chapter 23 apply. Make sure that the service is not disabled in the /etc/xinetd.d/wu-ftpd file, that it isn't blocked in /etc/hosts.deny , and that any active iptables firewall lets FTP traffic through.
It's easy to limit access to an FTP server to anonymous users. First, open the /etc/ftpaccess configuration file. By default, it should include the following entry:
    # User classes . . .
    class all real,guest,anonymous *
This FTP access class allows access to real, guest, and anonymous users from all addresses. To limit access to anonymous users from the 192.168.0.0/24 network, change the line as follows:
    class all anonymous 192.168.0.0/24
A user who does not fall into any class line is refused, so with this as the only class, real and guest users are locked out entirely, and anonymous users are admitted only from that network.
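The following is an added example, not code from the book or from the wu-ftpd project: a small shell simulation of the class lookup that /etc/ftpaccess performs, so you can see exactly which logins the restricted class line admits and which it refuses. It models the '*' wildcard, shell-style address globs such as 192.168.* and CIDR prefixes; wu-ftpd also accepts hostnames and "!" negation, which are deliberately not modelled here, and the two configuration strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: simulate how wu-ftpd picks a "class" for a login from
# /etc/ftpaccess. Not the server's code; it covers '*', address globs and
# CIDR prefixes only. Hostnames and "!" negation are not handled.
set -f   # address globs contain '*'; never let the shell expand them as filenames

# Constructed configurations: the Red Hat default and the anonymous-only line.
FTPACCESS_DEFAULT='class all real,guest,anonymous *'
FTPACCESS_ANON_ONLY='class all anonymous 192.168.0.0/24'

ip2int() {
    # dotted quad -> 32-bit integer
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

cidr_match() {
    # cidr_match ADDR NET/BITS -> 0 when ADDR lies inside the prefix
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

class_allows() {
    # class_allows TYPE ADDR CONFIG -> prints the first class whose typelist
    # names TYPE and whose address list matches ADDR, returning 0.
    # Returns 1 when no class matches: wu-ftpd refuses such a login.
    utype=$1; addr=$2; conf=$3
    while read -r key name typelist addrs; do
        [ "$key" = class ] || continue
        case ",$typelist," in
            *",$utype,"*) ;;
            *) continue ;;
        esac
        for glob in $addrs; do
            case $glob in
                '*')  echo "$name"; return 0 ;;
                */*)  if cidr_match "$addr" "$glob"; then echo "$name"; return 0; fi ;;
                *)    case $addr in $glob) echo "$name"; return 0 ;; esac ;;
            esac
        done
    done <<EOF
$conf
EOF
    return 1
}

# Walk a few constructed logins through the restricted configuration.
for login in "real 192.168.0.5" "anonymous 192.168.0.5" "anonymous 10.0.0.7"; do
    set -- $login
    if cls=$(class_allows "$1" "$2" "$FTPACCESS_ANON_ONLY"); then
        echo "$1 login from $2: admitted in class $cls"
    else
        echo "$1 login from $2: no matching class, login refused"
    fi
done
```

Run it as a script; the output shows that only the anonymous login from inside 192.168.0.0/24 finds a class. Swap FTPACCESS_DEFAULT into the loop to confirm that the stock line admits all three.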
Several default measures protect an anonymous FTP site created with the WU-FTP server. In this section, we examine those measures.
By default, all logins are directed to the /var/ftp directory. You can change that in /etc/ftpaccess by activating the following line for desired users:
    # realuser user1 , user2
If you remove the comment mark ( # ) and change user1 and user2 to real users on your system, the FTP server sends those users to their home directories when they log in, and, because they are not confined to /var/ftp , they can navigate to any higher-level directory their file permissions allow, including the root ( / ) directory.
If you want all users to start in the /var/ftp directory when they access your FTP server, leave this line commented out in /etc/ftpaccess .
The concept that protects other directories on an FTP server is the chroot jail. By definition, there is no higher directory than root ( / ). The chroot /abc/def command changes the effective root directory to /abc/def , so to any process run inside it, /abc/def is ( / ).
On an anonymous FTP server, the /var/ftp directory looks like the root ( / ) directory. The anonymous FTP configuration applies the equivalent of chroot /var/ftp to every user who logs into that server. An anonymous user who runs cd /var gets an error, because there is no /var/ftp/var ; one who runs cd /etc lands in /var/ftp/etc , the directory holding the abbreviated passwd and group files, and never in the system's /etc . A cd .. from the top of the jail stays at the top, because the real higher-level directories are outside the jail.
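Here is an added example, not from the book, that resolves client-requested paths the way a chroot jail does, so the cases just described can be checked by hand. It builds a throwaway stand-in for /var/ftp under mktemp and performs no real chroot (which requires root); the tree layout and the abbreviated passwd it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: path resolution inside a chroot jail, on a constructed
# stand-in for /var/ftp. No real chroot is performed.
set -f

JAIL=$(mktemp -d)
trap 'rm -rf "$JAIL"' EXIT
mkdir -p "$JAIL/bin" "$JAIL/etc" "$JAIL/pub/incoming"
# Constructed stand-in for the abbreviated passwd that anonftp installs.
printf 'root:*:0:0:::\nftp:*:14:50::/:\n' > "$JAIL/etc/passwd"

jail_resolve() {
    # jail_resolve CWD TARGET -> the normalised path as seen from inside the
    # jail. ".." can never climb above "/", which is the whole point of chroot.
    case $2 in
        /*) path=$2 ;;
        *)  path=$1/$2 ;;
    esac
    out=
    oldifs=$IFS; IFS=/; set -- $path; IFS=$oldifs
    for seg in "$@"; do
        case $seg in
            ''|.) ;;
            ..)   out=${out%/*} ;;      # "" stays "": there is nowhere higher
            *)    out=$out/$seg ;;
        esac
    done
    printf '%s\n' "${out:-/}"
}

jail_cd() {
    # jail_cd CWD TARGET -> prints the new virtual cwd and returns 0 when the
    # directory exists on disk inside $JAIL; returns 1 (the client sees
    # "No such file or directory") otherwise.
    new=$(jail_resolve "$1" "$2")
    if [ -d "$JAIL$new" ]; then
        printf '%s\n' "$new"
        return 0
    fi
    return 1
}

# Attempts an anonymous user sitting in /pub might make.
for target in /etc /var ../../../etc /pub/incoming/../../bin; do
    if dir=$(jail_cd /pub "$target"); then
        echo "cd $target -> $dir (on disk: $JAIL$dir)"
    else
        echo "cd $target -> refused: no such directory inside the jail"
    fi
done
```

The on-disk path printed for cd /etc is the jail's own etc directory, which is why the copies of passwd and group placed there must be abbreviated: they are what an anonymous user can download.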
Access to dangerous operations can also be limited. By default, /etc/ftpaccess denies four of them to anonymous users, as shown. Each line names an FTP capability, yes or no, and the list of user types the setting applies to; to deny an operation to guest users as well, add guest to that list, as the chmod line already does:
    chmod     no guest,anonymous
    delete    no anonymous
    overwrite no anonymous
    rename    no anonymous
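To tie the measures in this section together, here is an added example, not from the book or from wu-ftpd, that audits the two things an anonymous WU-FTP server depends on: that /etc/ftpaccess still denies chmod, delete, overwrite and rename to anonymous users, and that the jail tree contains no unintended upload points or password hashes. It runs entirely against constructed input, two ftpaccess fragments (the default and a deliberately weakened one) and a throwaway tree under mktemp, prints one line per finding and returns the number of findings; the /pub/incoming exception is an assumption about where a deliberate drop box would live.

```shell
#!/bin/sh
# Added example: audit ftpaccess capability lines and the jail tree.
# Constructed input only; not the server's own checks.
set -f

FTPACCESS_DEFAULT='chmod     no guest,anonymous
delete    no anonymous
overwrite no anonymous
rename    no anonymous'

# Constructed weakened copy: the delete line is gone and rename is opened up.
FTPACCESS_WEAK='chmod     no guest,anonymous
overwrite no anonymous
rename    yes anonymous'

denied_to() {
    # denied_to CONFIG CAPABILITY TYPE -> 0 if a "CAPABILITY no <list>" line
    # names TYPE in its list, 1 otherwise.
    while read -r cap answer typelist; do
        [ "$cap" = "$2" ] && [ "$answer" = no ] || continue
        case ",$typelist," in *",$3,"*) return 0 ;; esac
    done <<EOF
$1
EOF
    return 1
}

audit_ftpaccess() {
    # audit_ftpaccess CONFIG -> one line per capability still open to
    # anonymous users; returns the number of findings (0 means clean).
    n=0
    for cap in chmod delete overwrite rename; do
        if ! denied_to "$1" "$cap" anonymous; then
            echo "ftpaccess: $cap is not denied to anonymous"
            n=$((n + 1))
        fi
    done
    return $n
}

audit_jail() {
    # audit_jail DIR -> findings about the tree anonymous users see.
    # (Paths are split on whitespace; fine for mktemp names.)
    n=0
    # Any other-writable directory is an upload point; only the deliberate
    # drop box (assumed here to be pub/incoming) should be.
    for d in $(find "$1" -type d -perm -002); do
        case $d in
            "$1"/pub/incoming) ;;
            *) echo "jail: $d is world-writable"; n=$((n + 1)) ;;
        esac
    done
    # The passwd copy must carry no hashes: anonymous users can download it.
    if [ -f "$1/etc/passwd" ] && \
       awk -F: '$2 != "*" && $2 != "x" && $2 != "" { found = 1 } END { exit !found }' "$1/etc/passwd"; then
        echo "jail: $1/etc/passwd contains password hashes"
        n=$((n + 1))
    fi
    return $n
}

# Constructed jail with two mistakes: a world-writable pub and a real hash.
JAIL=$(mktemp -d)
trap 'rm -rf "$JAIL"' EXIT
mkdir -p "$JAIL/bin" "$JAIL/etc" "$JAIL/pub/incoming"
chmod 1733 "$JAIL/pub/incoming"   # deliberate drop box, accepted by the audit
chmod 777  "$JAIL/pub"            # mistake: anyone can plant files next to the downloads
printf 'root:*:0:0:::\nftp:*:14:50::/:\nalice:$1$xyz$notreallyahash:500:500:::\n' > "$JAIL/etc/passwd"

echo "== default ftpaccess =="
audit_ftpaccess "$FTPACCESS_DEFAULT" && echo "clean"
echo "== weakened ftpaccess =="
audit_ftpaccess "$FTPACCESS_WEAK" && echo "clean"
echo "== jail tree $JAIL =="
audit_jail "$JAIL" && echo "clean"
```

Pointing audit_ftpaccess at the real /etc/ftpaccess (cat it into the argument) and audit_jail at /var/ftp gives the same report for a live server; run it after every edit to the access file, since a single dropped line silently re-enables an operation for anonymous users.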