Configuring WU-FTP with Real Users

The information in this and the previous section is based on the WU-FTP server package, which must now be loaded from a third-party site such as those described earlier. We've already described how to enable anonymous user access. In this section, you'll learn about the configuration files associated with WU-FTP and how to apply them to regular users on your system.

Configuration Files

Several configuration files are associated with the WU-FTP package, all in the /etc directory: ftpaccess, ftpconversions, ftpgroups, ftphosts, and ftpusers.

Of these files, ftpusers is now obsolete and ftpgroups is rarely used; the functionality of these files is now part of ftpaccess . In this section, we describe the other configuration files in detail.

Alternate examples of each of these configuration files are available in the WU-FTP documentation, in the /usr/share/doc/wu-ftpd-versionnumber/examples directory.

/etc/ftpaccess

We examined a couple of characteristics of the default /etc/ftpaccess file earlier in this chapter. Now it is time to examine this file line by line. The first lines take over the functionality of /etc/ftpusers:

    deny-uid %-99 %65534-
    deny-gid %-99 %65534-
    allow-uid ftp
    allow-gid ftp

These lines deny access to user IDs and group IDs of 99 and below and of 65534 and above (the ranges are inclusive: %-99 means up to and including 99, and %65534- means 65534 and up), and then exempt the ftp user and the ftp group. An allow-uid or allow-gid entry overrides a matching deny entry, and a login is refused if either the UID or the GID remains denied; that is why the ftp account needs both an allow-uid line and an allow-gid line, since on a default Red Hat installation the ftp group's ID also falls inside the denied range. If you examine your /etc/passwd and /etc/group files, you'll see that these ID numbers are associated with administrative and system accounts. You can limit access to all users except ftp with a simple change:

    deny-uid *
    deny-gid *
    allow-uid ftp
    allow-gid ftp
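A small checker that applies these four directives to a passwd-style account list is a quick way to audit which accounts a server would admit over a cleartext protocol. It is an added example written for this section, not code from the book or from the wu-ftpd project, and the accounts it checks are constructed. It follows the ftpaccess(5) rules described above (inclusive % ranges, * for every ID, allow overriding deny, and both the UID and the GID having to pass); the last call in the main block shows why a second allow-uid line in place of allow-gid would not have been enough.

```python
"""Audit which accounts a wu-ftpd deny-uid/deny-gid/allow-uid/allow-gid
block admits.  Added example for this section, not code from the book or
from the wu-ftpd project.  Semantics assumed (from ftpaccess(5)):
  - arguments are names or %-prefixed numeric ranges: %-99 (<= 99),
    %65534- (>= 65534), %100-200 (inclusive), %500 (exactly 500)
  - '*' matches every ID
  - an allow-* entry overrides a matching deny-* entry
  - a login is refused if either the UID or the GID ends up denied
"""

MAX_ID = 2 ** 32 - 1

# Constructed sample accounts (name, uid, gid); not a real /etc/passwd.
SAMPLE_PASSWD = [
    ("root", 0, 0), ("bin", 1, 1), ("ftp", 14, 50), ("nobody", 99, 99),
    ("mj", 500, 500), ("cindy", 501, 501), ("nfsnobody", 65534, 65534),
]
# Constructed sample groups (name -> gid); not a real /etc/group.
SAMPLE_GROUPS = {"root": 0, "bin": 1, "ftp": 50, "nobody": 99,
                 "mj": 500, "cindy": 501, "nfsnobody": 65534}

# The block from the Red Hat default /etc/ftpaccess discussed above.
DEFAULT_RULES = """\
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp
"""


def parse_item(item, name_to_id):
    """Convert one directive argument into an inclusive (low, high) range."""
    if item == "*":
        return (0, MAX_ID)
    if item.startswith("%"):
        body = item[1:]
        if "-" in body:
            low, high = body.split("-", 1)
            return (int(low) if low else 0, int(high) if high else MAX_ID)
        return (int(body), int(body))
    # A bare word is a user or group name.  An unknown name raises
    # KeyError on purpose: silently skipping it would widen access.
    ident = name_to_id[item]
    return (ident, ident)


def parse_rules(text, user_ids, group_ids):
    """Collect the four ID directives from ftpaccess text; other lines are ignored."""
    rules = {"deny-uid": [], "deny-gid": [], "allow-uid": [], "allow-gid": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        key, *args = line.split()
        if key in rules:
            table = user_ids if key.endswith("uid") else group_ids
            rules[key].extend(parse_item(a, table) for a in args)
    return rules


def _in_any(ident, ranges):
    return any(low <= ident <= high for low, high in ranges)


def id_denied(ident, deny, allow):
    """An ID is denied when a deny range matches and no allow range rescues it."""
    return _in_any(ident, deny) and not _in_any(ident, allow)


def login_permitted(uid, gid, rules):
    """Both the UID and the GID must survive their deny/allow checks."""
    return not (id_denied(uid, rules["deny-uid"], rules["allow-uid"])
                or id_denied(gid, rules["deny-gid"], rules["allow-gid"]))


def permitted_accounts(text, passwd=SAMPLE_PASSWD, groups=SAMPLE_GROUPS):
    """Names of the accounts in `passwd` that the rules in `text` would admit."""
    user_ids = {name: uid for name, uid, _ in passwd}
    rules = parse_rules(text, user_ids, groups)
    return [name for name, uid, gid in passwd if login_permitted(uid, gid, rules)]


if __name__ == "__main__":
    print("default rules admit:", permitted_accounts(DEFAULT_RULES))
    print("deny everything but ftp:", permitted_accounts(
        "deny-uid *\ndeny-gid *\nallow-uid ftp\nallow-gid ftp\n"))
    # A second allow-uid line instead of allow-gid leaves the ftp group denied:
    print("allow-uid twice, no allow-gid:", permitted_accounts(
        "deny-uid *\ndeny-gid *\nallow-uid ftp\nallow-uid ftp\n"))
```

To run it against a real server, replace the two constructed tables with entries read from /etc/passwd and /etc/group and feed it the deny/allow lines from your own /etc/ftpaccess; anything it lists other than ftp is an account whose password will cross the network in the clear.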

The following line sets up the chroot jail. Every user is classified as a guest user, and guests are confined to their home directories. For example, if user mj logs in, he is sent to /home/mj and cannot move above it:

 guestuser * 

We discussed the next line in the previous section; user mj isn't allowed to navigate to the /home or root (/) directory unless the following line is activated:

 # realuser user1,user2 

Remember, the hash mark (#) makes the FTP server ignore the rest of the line; if you remove the #, user1 and user2 are treated as real users, free to move around the whole filesystem within their normal Unix permissions. The following line does the opposite for the members of a group, which is useful for trimming an over-broad realuser list. For example, if the previous line was realuser *, you can add an ftpchroot group to /etc/group and activate this line; members of the ftpchroot group would then be confined to their respective home directories:

 # guestgroup ftpchroot 
Note  

The management of user and group configuration files such as /etc/passwd and /etc/group is discussed in Chapter 09 .

As described earlier, the first line that follows admits real, guest, and anonymous users from any address into the class named all. The second line, if activated instead, admits only real users who log in from the 192.168.0.0/24 network; anonymous access is not allowed, so users must enter their passwords. One obvious drawback is that FTP sends those passwords over the network in clear text, so restricting the class to your LAN limits, but does not remove, the exposure:

    class    all    real,guest,anonymous    *
    # class    all    real    192.168.0.0/24

With the guestuser * line active, every user is classified as a guest, so a class that admits only real users would match no one. Either keep guestuser * and substitute guest for real, as shown here, or comment out guestuser * and leave the class as real:

    class    all    guest    192.168.0.0/24

If you're the administrator for your server, substitute your e-mail address here:

 email root@localhost 

The following directive limits the number of failed login attempts on one connection. In this case, after five failed attempts the FTP server closes the connection:

 loginfails 5 

In the Linux and Unix worlds, README* files are commonly used for instructions or to supply more information about the packages contained in a specific directory. The following lines return a Please read the file README message when a user logs in, and again whenever the user changes to a directory that contains a file matching README*:

    readme    README*    login
    readme    README*    cwd=*

As the administrator of the FTP server, you may want to send other messages to your users. The following lines allow you to add a welcome message to the welcome.msg file in the opening directory. You can also add .message files to send additional messages to users who use the cd command to navigate to those directories:

    message    /welcome.msg    login
    message    .message        cwd=*

You can see what happens when I added a README file to the /var/ftp directory, as well as information to various message files, in Figure 27.6.

Figure 27.6: FTP login messages

It's useful to store packages in compressed format on an FTP server. The following directives allow users who access such packages to have them uncompressed or unpacked on the fly, per the conversions in /etc/ftpconversions, which is described in the later section "/etc/ftpconversions":

    compress    yes    all
    tar         yes    all

You'll recognize the following directives from an earlier section. In the default file only the chmod line names guest; the delete, overwrite, and rename lines name anonymous alone. If you keep the guestuser * line, adding guest, to those three lines as well, as shown here, prevents all users from using these commands, since every user is now a guest:

    chmod      no    guest,anonymous
    delete     no    guest,anonymous
    overwrite  no    guest,anonymous
    rename     no    guest,anonymous

While logins to the FTP server are normally recorded in /var/log/messages, file transfers to and from the server are logged to /var/log/xferlog. The following line enables transfer logging for every class of user in both directions:

 log transfers anonymous,guest,real inbound,outbound 

If you run the ftpshut command, it creates a temporary /etc/shutmsg file. The following directive tells the server where to look for that file; while it exists, the server refuses new logins in the period leading up to the scheduled shutdown:

 shutdown /etc/shutmsg 

Anonymous users are supposed to enter their e-mail address as the password, and whatever they enter is recorded in /var/log/messages. The following directive sends a warning to users who connect to the FTP server without entering an e-mail address in proper (RFC 822) format. As configured with warn, such users are still logged in; substitute enforce for warn to reject them instead:

 passwd-check rfc822 warn 

Limits in /etc/ftpaccess

If you're running an FTP server on the Internet, you may want to limit the number of simultaneous users connected to your server. This helps ration bandwidth among the users who are connected. One simple way to create a limit in /etc/ftpaccess is with the limit directive. For example, the following line prevents more than 20 users in class all from being logged on at any one time; Any means the limit applies at all times, and the warning.msg file is sent to users who try to log in when the limit has been reached:

 limit    all    20    Any     warning.msg 

Perhaps you just want to limit access during the working day (8 a.m. to 5 p.m., Monday through Friday, which is what Wk selects), when your server may be busy with other tasks:

 limit    all    20    Wk0800-1700    warning.msg 

The syntax of the time field in this directive is based on the UUCP remote host description file, L.sys. The easiest way to find a description of that file is by searching for l.sys in your favorite search engine.
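The following is an added example for this section, not code from the book or from wu-ftpd. It parses the time field with the L.sys-style grammar the paragraph refers to (Any, Wk for Monday through Friday, two-letter day names that may be run together such as SaSu, an optional HHMM-HHMM range that may wrap past midnight, and alternatives joined by |) and then applies a complete limit line to a session count and a clock time. wu-ftpd's own validtime() routine is the authority on corner cases; the requirement that every alternative name a day is an assumption of this example.

```python
"""Evaluate the time field of a wu-ftpd `limit` directive.  Added example
for this section, not code from the book or from wu-ftpd (whose validtime()
routine is authoritative).  Grammar assumed, after the L.sys convention:
alternatives separated by '|'; each alternative is one or more day tokens
(Any, Wk = Mo-Fr, Su Mo Tu We Th Fr Sa, which may be run together as in
SaSu) followed by an optional HHMM-HHMM range; a range whose end is earlier
than its start wraps past midnight.  A day token is required (assumption).
"""
from datetime import datetime

# datetime.weekday(): Monday == 0 ... Sunday == 6
DAY_TOKENS = {
    "Any": {0, 1, 2, 3, 4, 5, 6},
    "Wk": {0, 1, 2, 3, 4},
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
}


def at(year, month, day, hour, minute):
    """Convenience constructor so callers need not import datetime."""
    return datetime(year, month, day, hour, minute)


def _hhmm(text):
    """Validate a 4-digit HHMM field and return it as minutes since midnight."""
    if len(text) != 4 or not text.isdigit():
        raise ValueError(f"bad time {text!r}")
    hours, minutes = int(text[:2]), int(text[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"bad time {text!r}")
    return hours * 60 + minutes


def parse_timespec(spec):
    """Return a list of (weekdays, start_minute, end_minute) alternatives."""
    alternatives = []
    for alt in spec.split("|"):
        alt = alt.strip()
        days, pos = set(), 0
        while pos < len(alt) and not alt[pos].isdigit():
            for token, weekdays in DAY_TOKENS.items():
                if alt.startswith(token, pos):
                    days |= weekdays
                    pos += len(token)
                    break
            else:
                raise ValueError(f"unknown day token in {alt!r}")
        if not days:
            raise ValueError(f"no day token in {alt!r}")
        if pos == len(alt):
            start, end = 0, 24 * 60 - 1               # whole day
        else:
            first, _, second = alt[pos:].partition("-")
            start, end = _hhmm(first), _hhmm(second)
        alternatives.append((days, start, end))
    return alternatives


def limit_active(spec, when):
    """True if `when` (a datetime) falls inside any alternative of `spec`."""
    now = when.hour * 60 + when.minute
    for days, start, end in parse_timespec(spec):
        if when.weekday() not in days:
            continue
        if start <= end:
            if start <= now <= end:
                return True
        elif now >= start or now <= end:              # range wraps past midnight
            return True
    return False


def check_limit(directive, current_users, when):
    """Apply one `limit <class> <n> <times> <message_file>` line.

    Returns (login_allowed, message_file_or_None).  The class is assumed to
    match the connecting user; `current_users` is the number of sessions
    already open in that class (what ftpcount reports).
    """
    key, _cls, count, times, message = directive.split()
    if key != "limit":
        raise ValueError("not a limit directive")
    if limit_active(times, when) and current_users >= int(count):
        return False, message
    return True, None


if __name__ == "__main__":
    line = "limit    all    20    Wk0800-1700    warning.msg"
    print("Tue 10:00, 20 users:", check_limit(line, 20, at(2003, 4, 1, 10, 0)))
    print("Sat 10:00, 25 users:", check_limit(line, 25, at(2003, 4, 5, 10, 0)))
    print("Tue 23:00, Wk1800-0800|SaSu:",
          limit_active("Wk1800-0800|SaSu", at(2003, 4, 1, 23, 0)))
```

Feed check_limit() the limit line from your own /etc/ftpaccess, the count from ftpcount, and datetime.now() to see whether the next login in that class would be turned away; a ValueError from the parser means the time field would not behave the way you expect and is worth re-reading before the server does.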

Tip  

I like to search the newsgroups for answers to common Linux problems. Remember, Linux is under constant development by a worldwide community of users and developers; they often discuss their Linux issues through newsgroups and many other forums. It's easy to search through the newsgroups via groups.google.com.

You can also limit the amount of data that a user can download from your FTP server. For example, the following directive limits downloads by members of class all to 100,000,000 bytes (roughly 100MB):

 byte-limit    out    100000000    all 

Alternatives to out (downloads) are in (uploads) and total (both directions).

/etc/ftpconversions

The /etc/ftpconversions file, shown in Figure 27.7, allows you to run selected commands during the upload or download process. For example, if you have a compressed file of pictures named pictures.gz on your FTP server, the third line in /etc/ftpconversions lets you download and uncompress the pictures directly with the following command at the ftp> prompt:

 ftp> get pictures 
Figure 27.7: /etc/ftpconversions

Note how the .gz is left out of the request. When the requested name does not exist as-is, the FTP server consults /etc/ftpconversions for an entry that maps the requested name onto a file that does exist, and runs that entry's command to produce the download.
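The conversion logic can be followed end to end with an added example that is not code from the book or from wu-ftpd. It parses a table in the stock file's eight-field layout, honours the compress and tar switches from /etc/ftpaccess discussed earlier, and resolves a requested name to the file on disk and the command that would serve it. The table and the file list inside it are constructed samples. The reading of the name fields (a strip suffix is present on disk but absent from the request, as in get pictures serving pictures.gz; an addon suffix is present in the request but absent on disk, as in get docs.tar archiving the directory docs) is taken from the entries wu-ftpd ships; the T_ASCII transfer-mode flag is not modelled.

```python
"""Resolve an FTP `get` request against /etc/ftpconversions entries.
Added example for this section and for the `compress`/`tar` directives
described earlier; not code from the book or from wu-ftpd.  File format
assumed: the eight colon-separated fields documented for wu-ftpd (strip
prefix, strip postfix, addon prefix, addon postfix, external command,
types, options, description).  The T_ASCII type flag is ignored here.
"""
import fnmatch
import shlex

# Constructed sample in the layout of the stock file; not the real one.
SAMPLE_CONVERSIONS = """\
 :.Z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
 :   : :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
 :.gz: :  :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
 :   : :.gz:/bin/gzip -c %s:T_REG:O_COMPRESS:GZIP
 :   : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
 :   : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
"""

# Constructed view of the anonymous tree (path -> "file" or "dir").
SAMPLE_TREE = {"pub/pictures.gz": "file", "pub/docs": "dir",
               "pub/readme.txt": "file"}

FIELDS = ("strip_prefix", "strip_postfix", "addon_prefix", "addon_postfix",
          "command", "types", "options", "description")


def parse_conversions(text):
    """Parse the file into a list of dicts keyed by FIELDS, in file order."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        parts = raw.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {raw!r}")
        entry = dict(zip(FIELDS, (p.strip() for p in parts)))
        entry["types"] = set(entry["types"].split("|")) - {""}
        entry["options"] = set(entry["options"].split("|")) - {""}
        entries.append(entry)
    return entries


def allowed_options(ftpaccess_text, user_class):
    """O_* options enabled for `user_class` by `compress yes ...` / `tar yes ...`."""
    enabled = set()
    for line in ftpaccess_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 3 or words[0] not in ("compress", "tar") or words[1] != "yes":
            continue
        if any(fnmatch.fnmatch(user_class, glob) for glob in words[2:]):
            enabled |= {"O_COMPRESS", "O_UNCOMPRESS"} if words[0] == "compress" else {"O_TAR"}
    return enabled


def real_name_for(request, entry):
    """Name the file would have on disk if `entry` produced `request`, else None."""
    name = request
    if entry["addon_prefix"]:
        if not name.startswith(entry["addon_prefix"]):
            return None
        name = name[len(entry["addon_prefix"]):]
    if entry["addon_postfix"]:
        if not name.endswith(entry["addon_postfix"]):
            return None
        name = name[:-len(entry["addon_postfix"])]
    name = entry["strip_prefix"] + name + entry["strip_postfix"]
    return None if name == request else name


def resolve(request, entries, kind_of, enabled):
    """First entry (in file order) that can serve `request`.

    kind_of(path) returns "file", "dir" or None; `enabled` is the O_* set
    from allowed_options().  Returns (real_path, argv, description) or
    None.  argv is built without a shell, so the path is one argument.
    """
    for entry in entries:
        real = real_name_for(request, entry)
        kind = kind_of(real) if real else None
        if kind is None:
            continue
        if kind == "dir" and "T_DIR" not in entry["types"]:
            continue
        if kind == "file" and "T_REG" not in entry["types"]:
            continue
        if not entry["options"] <= enabled:        # e.g. tar switched off in ftpaccess
            continue
        argv = [real if word == "%s" else word for word in shlex.split(entry["command"])]
        return real, argv, entry["description"]
    return None


if __name__ == "__main__":
    table = parse_conversions(SAMPLE_CONVERSIONS)
    opts = allowed_options("compress yes all\ntar yes all\n", "all")
    print(resolve("pub/pictures", table, SAMPLE_TREE.get, opts))
    print(resolve("pub/docs.tar.gz", table, SAMPLE_TREE.get, opts))
    print(resolve("pub/docs.tar.gz", table, SAMPLE_TREE.get,
                  allowed_options("compress yes all\ntar no all\n", "all")))
```

Two choices in the example are worth carrying over when you add entries of your own: the resolved path is substituted into argv as a single argument rather than interpolated into a shell command line, and an entry whose options are switched off for the class in /etc/ftpaccess is skipped entirely rather than partly applied.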

/etc/ftphosts

The /etc/ftphosts file looks conceptually similar to the /etc/hosts.allow and /etc/hosts.deny files associated with xinetd services (see Chapter 23). You can allow and deny access to the FTP server for specific users, by host. However, the functionality isn't quite what you might expect.

For example, the following line allows user hdean to log in only from the computer with the given IP address; an attempt by hdean from anywhere else is refused. It does not lock out other users, who remain governed by /etc/ftpaccess, so an allow line is a restriction on the named account rather than a whitelist for the server. You can substitute the FQDN for the IP address.

 allow    hdean     192.168.0.32 

Alternatively, the following line denies user glocke access from the noted computer only; glocke can still log in from other hosts:

 deny    glocke     linux.example.com 

Commands

FTP server commands let you regulate when FTP servers are active and let you view a list of currently connected users. For example, the first of the following commands warns users, at their next command, that the FTP server will shut down in 15 minutes; the second schedules the shutdown for 3:30 p.m.:

    ftpshut +15 "The FTP Server will close in 15 minutes"
    ftpshut 1530 "The FTP server will stop at 3:30 PM"

You can run ftpshut from a cron job, as discussed in Chapter 13, to shut down the FTP server on a regular schedule. Other FTP server-related commands are listed in Table 27.4.

Table 27.4: FTP Server Commands

Command      Description
ftpwho       Lists connected users and origin IP addresses
ftpcount     Lists the number of connections, by class
ftpshut      Shuts down an FTP server now or at a specified time
ftprestart   Cancels a shutdown scheduled by ftpshut by removing its shutdown message file, so the server accepts logins again

Anonymous Uploads

By default, anonymous users aren't allowed to write to any of the /var/ftp directories. In some cases, you may want to allow users to supply their files in a directory such as /var/ftp/pub.

To allow uploads, you ll need to modify the /etc/ftpaccess file and the permissions on the appropriate directory. For example, the following line allows uploads to the /var/ftp/letter directory:

    upload    /var/ftp    /letter    yes    cindy    ywow    0660

On the FTP server, uploaded files are owned by user cindy and group ywow, with 660 permissions, which let cindy and members of the ywow group read and write them. Unless the ftp user belongs to ywow, anonymous users cannot read back what they or anyone else uploaded, which is the usual requirement for a drop box.

You'll also need proper permissions on the upload directory. To write a file into a directory, the daemon's user (ftp, for anonymous sessions) needs at least write and execute permission on it; chmod 733 /var/ftp/letter meets that minimum while denying anonymous users the ability to list the directory. If you want regular users on the server to be able to read the files in that directory, you can apply a less restrictive mode to the directory (for example, 755 if the directory is owned by ftp, so the daemon keeps its write access), remembering that the uploaded files themselves stay readable only by cindy and the ywow group under the 0660 mode above. Because write permission on a directory is what permits deleting or renaming the files in it, adding the sticky bit (chmod 1733 /var/ftp/letter) keeps one anonymous uploader from removing another's files even if the delete and rename restrictions in /etc/ftpaccess are later relaxed. For more information on permissions, see Chapter 06.

Mastering Red Hat Linux 9
ISBN: 078214179X