► ftpaccess — Contains the majority of server configuration settings
► ftpconversions — Contains definitions of file conversions during transfers
► ftphosts — Holds settings to control user access from specific hosts
These files may be created in the /etc directory during RPM installation, or may be created by a system administrator. The following sections describe each of these files and how to use the commands they contain to configure the wu-ftp server so that it is accessible to all incoming requests.
When configuring an anonymous FTP server, it is extremely important to ensure that all security precautions are taken to prevent malicious users from gaining privileged-level access to the server. Although this chapter shows you how to configure your FTP server for secure use, all machines connected to the Internet are potential targets for malicious attacks. Vulnerable systems can be a source of potential liability, especially if anyone accesses and uses them to store illegal copies of proprietary software — even temporarily. There is little value in configuring a secure FTP server if the rest of the system is still vulnerable to attack. Use Red Hat's lokkit or system-config-securitylevel client to implement a firewall on your system.
Using Commands in the ftpaccess File to Configure wu-ftpd
The ftpaccess file contains most of the server configuration details. Each line contains a definition or parameter that is passed to the server to specify how the server is to operate. The directives can be broken down into the following categories, including:
► Access Control — Settings that determine who can access the FTP server and how it is accessed
► Information — Settings that determine what information is provided by the server or displayed to a user
► Logging — Settings that determine whether logging is enabled and what information is logged
► Permission Control — Settings that control the behavior of users when accessing the server; in other words, what actions users are allowed to perform, such as create a directory, upload a file, delete a file or directory, and so on
Many more options can be specified for the wu-ftpd FTP server in its ftpaccess file. The most common commands have been covered here. A full list of configuration options can be found in the ftpaccess man page after you install the server.
You can edit the ftpaccess file at the command line to make configuration changes in any of these categories. The following sections describe some configuration changes and how to edit these files to accomplish them.
Configure Access Control
Controlling which users can access the FTP server and how they can do so are critical parts of system security. Use the following entries in the ftpaccess file to specify to which group the user accessing the server is assigned.
This command imposes increased security on the anonymous user:
autogroup <groupname> <class> [<class>]
If the anonymous user is a member of a group, he is allowed access to only files and directories owned by him or his group. The group must be a valid group from /etc/groups or /var/ftp/etc/groups.
This command defines a class of users by the address to which the user is connected:
class <class> <typelist> <addrglob> [<addrglob>]
There might be multiple members for a class of users, and multiple classes might apply to individual members. When multiple classes apply to one user, the first class that applies is used.
The typelist field is a comma-separated list of the keywords anonymous, guest, and real. anonymous applies to the anonymous user, and guest applies to the guest access account, as specified in the guestgroup directive. real defines those users who have a valid entry in the /etc/passwd file.
The addrglob field is a regular expression that specifies addresses to which the class is to be applied. The (*) entry specifies all hosts.
Sometimes it is necessary to block entire hosts from accessing the server. This can be useful to protect the system from individual hosts or entire blocks of IP addresses, or to force the use of other servers. Use this command to do so:
deny <addrglob> <message_file>
deny always denies access to hosts that match a given address.
addrglob is a regular expression field that contains a list of addresses, either numeric or DNS names. This field can also be a file reference that contains a listing of addresses. If an address is a file reference, it must be an absolute file reference; that is, starting with a /. To ensure that IP addresses can be mapped to a valid domain name, use the !nameserver parameter.
A sample deny line resembles the following:
deny *.exodous.net /home/ftp/.message_exodous_deny
This entry denies access to the FTP server from all users who are coming from the exodous.net domain, and displays the message contained in the .message_exoduous_deny file in the /home/ftp directory.
ftpusers File Purpose Now Implemented in ftpaccessCertain accounts for the system to segment and separate tasks with specific permissions are created during Linux installation. The ftpusers file (located in /etc/ftpusers) is where accounts for system purposes are listed. It is possible that the version of wu-ftp you use with Fedora deprecates the use of this file, and instead implements the specific functionality of this file in the ftpaccess file with the commands of deny-uid/deny-gid.
The guestgroup line assigns a given group name or group names to behave exactly like the anonymous user. Here is the command:
guestgroup <groupname> [<groupname>]
This command confines the users to a specific directory structure in the same way anonymous users are confined to /var/ftp. This command also limits these users to access files for which their assigned group has permissions.
The groupname parameter can be the name of a group or that group's corresponding group ID (GID). If you use a GID as the groupname parameter, put a percentage symbol (%) in front of it. You can use this command to assign permissions to a range of group IDs, as in this example:
guestgroup %500-550
This entry restricts all users with the group IDs 500-550 to being treated as a guest group, rather than individual users. For guestgroup to work, you must set up the users' home directories with the correct permissions, exactly like the anonymous FTP user.