Many FTP programs exist. This example covers the once popular wu-ftpd (Washington University) program, which came standard with Red Hat up to Red Hat 8.0 but can be installed on any Linux system (RPM: wu-ftpd). Other FTP servers include proFtpd (supports LDAP authentication and Apache-like directives; a full-featured FTP server), vsftpd, bftpd, pure-ftpd (FreeBSD, optional on SuSE), etc.
For hostile environments set up a chrooted environment for an sftp encrypted connection and the rssh restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux sftp and rssh configuration
Also see the preferred chrooted sftp configuration for OpenSSH 4.9+
FTPd and SELinux: To allow the FTPd daemon access and FTP access to users' home directories:
- setsebool -P allow_ftpd_full_access=1
Otherwise you will get an error in /var/log/messages:
SELinux is preventing the ftp daemon from writing files outside the home directory (./public_html).
- setsebool -P ftp_home_dir 1
Follow with the command: service ftpd restart
The wu-ftpd FTP server can be downloaded (binary or source) from http://wu-ftpd.therockgarden.ca/ (at one time: http://wu-ftpd.org).
There are three kinds of FTP logins that wu-ftpd provides:
- anonymous FTP - one logs in with the username 'anonymous'
- real FTP - log in with a real username and password and has access to the entire disk structure.
- guest FTP - one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. They are constrained to their home directory which also means that they don't have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set up.
The file /etc/ftpaccess controls the configuration of ftp.
# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
class all real,guest *
email webmaster@your-domain.com
loginfails 5
readme README* login
readme README* cwd=*
message /welcome.msg login
message .message cwd=*
compress yes all
tar yes all
chmod no guest,anonymous
delete no anonymous          # delete files permission?
overwrite no anonymous       # overwrite files permission?
rename no anonymous          # rename files permission?
delete yes guest             # delete files permission?
overwrite yes guest          # overwrite files permission?
rename yes guest             # rename files permission?
umask no guest               # umask permission?
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg
passwd-check rfc822 warn
# Must also create message file /etc/pathmsg of the guest directory.
# In this case it refers to /home/user1/public_html/etc/pathmsg.
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
limit all 2
# Do not allow users to download files of these names
noretrieve passwd .htaccess core
limit-time * 20
# Limit file size
byte-limit in 5000
# System users default to "guest" (chrooted). A "real" user can roam the system.
guestuser *
# Assign real user privileges to members of groups "regularuserx" and "regularusery":
# visibility of the whole file system, subject to regular UNIX file permissions.
realgroup regularuserx regularusery
# Assign real user privileges to user id "user4".
realuser user4
# Restricts FTP to the specified directories
restricted-uid user1 user2 user3
guest-root /home/user1/public_html user1
guest-root /home/user2/public_html user2
guest-root /home/user3/public_html user3
Note:
- user1, user2 and user3 refer to login accounts. Use the appropriate login name.
- The above configuration disables anonymous FTP, which allows anyone to perform an FTP login with the id anonymous and an email address as a password. To enable anonymous FTP, change the class directive to:
class all real,guest,anonymous *
- GUI FTP configuration tools:
- /usr/bin/kwuftpd
- /sbin/linuxconf
(Note: Linuxconf is no longer included with Red Hat 7.3 and later)
- Red Hat Linux assigns users a user id and group id which is the same. This means that it does not matter if you use a realuser or realgroup directive as they will act the same.
- Red Hat Linux 7.1 and later uses the xinetd daemon to manage ftp connections, so xinetd must be running and configured to support ftp. The configuration file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd on will make the ftp server available. See the xinetd configuration page for more info.
- Allow override of deny-uid and/or deny-gid:
allow-uid user-to-allow
allow-gid group-to-allow
- Optional configuration:
- Create a group ftpchroot
- Add users to this group
- Use directive: guestgroup ftpchroot
[Potential Pitfall]: Flaky FTP behavior, timeouts, etc.? FTP works best when it can resolve the name of the computer it is communicating with. This requires a proper /etc/resolv.conf and name server (bind) configuration, /etc/hosts entries, or NIS/NFS configuration.
File /home/user1/public_html/etc/pathmsg:
A NOTE TO USERS UPLOADING FILES: File names may consist of letters (a-z, A-Z), numbers (0-9), an underscore ("_"), dash ("-") or period (".") only. The file name may not begin with a period or dash. You have tried to upload a file with an inappropriate name.
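As an added example (not code from the original page), the following Python reproduces the decision made by the path-filter directive in the /etc/ftpaccess above: the first pattern is the allowed character set and the remaining patterns are disallowed forms, so an uploaded name passes only if it matches the first and none of the rest. It assumes the filter is applied to the final path component of the name given to STOR; the sample names are constructed.

```python
import re
from posixpath import basename

# wu-ftpd directive from the /etc/ftpaccess shown above:
#   path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
# First pattern = allowed character set; any further patterns = disallowed forms.
ALLOWED = re.compile(r"^[-A-Za-z0-9_\.]*$")
DISALLOWED = [re.compile(r"^\."), re.compile(r"^-")]
PATHMSG = "/etc/pathmsg"   # message shown on rejection, relative to the guest root


def path_filter_ok(upload_name, allowed=ALLOWED, disallowed=DISALLOWED):
    """True if the path-filter would accept this uploaded file name.
    Assumption: only the final path component is checked; an empty name
    (which the allowed pattern technically matches) is rejected."""
    name = basename(upload_name)
    if not name or not allowed.search(name):
        return False
    return not any(pat.search(name) for pat in disallowed)


def check_uploads(names):
    """Map each name to the verdict the server would give."""
    return {n: ("accepted" if path_filter_ok(n) else "rejected: " + PATHMSG)
            for n in names}


SAMPLE_NAMES = [                # constructed input for the example
    "report_2024-01.txt",       # letters, digits, _ - .  -> accepted
    ".htaccess",                # leading period -> rejected by ^\.
    "-rf",                      # leading dash -> rejected by ^-
    "my file.txt",              # space not in the charset -> rejected
    "über.txt",                 # non-ASCII not in the charset -> rejected
    "notes;rm.txt",             # shell metacharacter -> rejected
    "uploads/photo.jpg",        # only the basename is checked -> accepted
]

if __name__ == "__main__":
    for name, verdict in check_uploads(SAMPLE_NAMES).items():
        print(f"{name!r:24} {verdict}")
```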
The whole point of the chroot directory is to make the user's home directory appear to be the root of the filesystem (/) so one could not wander around the filesystem. Configuration of /etc/ftpaccess will limit the user to their respective directories while still offering access to /bin/ls and other system commands used in FTP operation.
As root:
cd /home/user1
mkdir public_html
chown $1.$1 public_html    # $1 is the user's login name (user1 in this example)
touch .rhosts              # Security protection: an empty, root-owned .rhosts the user cannot replace
chmod ugo-xrw .rhosts
Man Pages:
Server:
- ftpd - Internet File Transfer Protocol server
- /etc/ftpaccess - Configuration file for ftpd
- /etc/ftpservers - ftpd virtual hosting configuration file. (optional)
- /etc/ftphosts - allow or deny access to certain accounts from various hosts. (optional)
- /etc/ftpconversions - ftpd conversions database (for tar and compression)
- /var/log/xferlog - FTP server logfile
Client:
- ftp - File Transfer Client program
Configuration files: (RH 8.0+)
- PAM configuration file: /etc/pam.d/ftp
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
- Xinetd configuration file: /etc/xinetd.d/wu-ftpd
service ftp
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
}
Note: wu-FTPd is controlled by xinetd and is not a stand-alone service like vsFTPd.
- Logrotate configuration file: /etc/logrotate.d/ftpd
/var/log/xferlog {
nocompress
}
More information:
- WU-FTPD release
- dkftpbench - FTP benchmark program to give you an idea of how many simultaneous dial-up clients a server can support.
- FTP and text file type conversions: End Of Line Characters - by Peter Benjamin
Man pages on related FTP commands and files:
- chroot - Run with a special root directory
- ftpcount - Show number of concurrent users.
- ftpshut - close down the ftp servers at a given time
- ftprestart - Restart previously shutdown ftp servers
- ftpwho - show current process information for each ftp user
- privatepw - Change WU-FTPD Group Access File Information (admin command)
If you get the following ftp client user error:
ftp> ls
227 Entering Passive Mode (208,188,34,109,208,89)
ftp: connect: No route to host
This most likely means you have firewall issues, probably on the FTP server itself. Start by flushing the "iptables" firewall rules (iptables -F), then add the rules back one at a time until you discover which rule is causing the problem. The host is unfiltered while the rules are flushed, so do this on a test system or restore the rules promptly.
Passive mode:
Passive mode can also help get past the rules:
ftp> passive
Passive mode on.
This toggles passive mode on and off. When on, the data connection will be limited to the ports specified in the vsftpd configuration file vsftpd.conf with the parameters pasv_min_port and pasv_max_port.
Firewall connection tracking module:
# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_conntrack_ftp"
NAT firewall modules:
You can also try adding ip_nat_ftp to the list of auto-loaded modules (this will also load its dependency, ip_conntrack_ftp):
# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_nat_ftp"
Then restart the firewall: /etc/init.d/iptables condrestart
FTP changes ports during use. The ip_conntrack_ftp module will mark each data connection as "RELATED" to the control connection. If iptables allows RELATED and ESTABLISHED connections then FTP will work, i.e. the rule in /etc/sysconfig/iptables:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
FTP fails because it can not change to the users home directory:
Error:
[user1@nodex ~]$ ftp node.domain.com
Connected to XXX.XXX.XXX.XXX.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (XXX.XXX.XXX.XXX:user1):
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/user1
Login failed.
ftp> bye
This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory.
As root, grant access with the following command:
setsebool -P ftp_home_dir 1
Followed by: service vsftpd restart
Test your vsftpd SELinux settings: getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
- FileZilla: FTP/sFTP client GUI
- gftp: GUI GTK+ Multi-threaded client. File transfer directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.
- KFTPgrabber: GUI KDE based client. Simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.
- kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with SuSE Linux.
- ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)
When hosting web sites, there is no need to grant a shell account; a shell only gives the server more potential security holes. Current systems can restrict a user to FTP access only, with no shell, by assigning them the "shell" /sbin/nologin provided with the system or the "ftponly" shell described below. The shell can be specified in the file /etc/passwd or when creating the user with the command: adduser -s /sbin/nologin user-id
Note that WU-FTP is unencrypted, by definition insecure, and relies on a secure network to provide its security.
[Potential Pitfall]: Red Hat 7.3 with wu-ftp server 2.6.2-5 does not support this configuration for preventing shell access; it requires users to have a real user shell, i.e. /bin/bash. The configuration works in both older and more current Red Hat versions. If it works for you, use it, as it is more secure to deny the user shell access; you can always deny telnet access as well. You should NOT be using this problem-ridden version of ftpd. Use the latest wu-ftpd-2.6.2-11, which supports users with the shell /opt/bin/ftponly.
- Disable remote telnet login access allowing FTP access only:
Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.
... user1:x:502:503::/home/user1:/opt/bin/ftponly ...
Create the file /opt/bin/ftponly with protection set to -rwxr-xr-x 1 root root, using the command: chmod ugo+x /opt/bin/ftponly
Contents of file:
#!/bin/sh
#
# ftponly shell
#
trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
#
Admin=root@your-domain.com
#System=`/bin/hostname`@`/bin/domainname`
#
/bin/echo
/bin/echo "********************************************************************"
/bin/echo "    You are NOT allowed interactive access."
/bin/echo
/bin/echo "    User accounts are restricted to ftp and web access."
/bin/echo
/bin/echo "    Direct questions concerning this policy to $Admin."
/bin/echo "********************************************************************"
/bin/echo
#
# C'ya
#
exit 0
The last step is to add this to the list of valid shells on the system.
Add the line /opt/bin/ftponly to /etc/shells. Sample contents of /etc/shells:
/bin/bash
/bin/bash1
/bin/tcsh
/bin/csh
/opt/bin/ftponly
See the man page on /etc/shells. An alternative would be to assign the shell /bin/false or /sbin/nologin, which became available in later releases of Red Hat, Debian and Ubuntu. In this case /bin/false or /sbin/nologin would have to be added to /etc/shells so that it is accepted as a valid shell for FTP (the PAM configuration above checks this with pam_shells.so) while still disabling ssh or telnet access.
- Set file quotas to limit user account.
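The following is an added example, not part of the original page: a small Python audit that applies the pam_listfile (/etc/ftpusers) and pam_shells (/etc/shells) rules from the /etc/pam.d/ftp configuration above to constructed copies of /etc/passwd, /etc/shells and /etc/ftpusers, and flags FTP-allowed accounts that still hold an interactive shell. The file contents and account names are constructed for the example; password checking is not modelled.

```python
# Added example, not from the YoLinux page: replicate the pam_listfile and
# pam_shells decisions of the /etc/pam.d/ftp file shown above against
# constructed copies of /etc/passwd, /etc/shells and /etc/ftpusers.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user1:x:502:503::/home/user1:/opt/bin/ftponly
user2:x:503:504::/home/user2:/sbin/nologin
user3:x:504:505::/home/user3:/bin/bash
webadm:x:505:506::/home/webadm:/opt/bin/ftponly
"""
SHELLS = "/bin/bash\n/bin/bash1\n/bin/tcsh\n/bin/csh\n/opt/bin/ftponly\n"  # /sbin/nologin deliberately absent
FTPUSERS = "root\nwebadm\n"   # pam_listfile item=user sense=deny file=/etc/ftpusers
INTERACTIVE = {"/bin/bash", "/bin/bash1", "/bin/tcsh", "/bin/csh"}


def parse_passwd(text):
    """Map login name -> shell for each well-formed 7-field passwd line."""
    return {f[0]: f[6] for f in (l.split(":") for l in text.splitlines()) if len(f) == 7}


def parse_list(text):
    """One entry per line, ignoring blanks and # comments (/etc/shells, /etc/ftpusers)."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def ftp_login_decision(user, shell_of, valid_shells, ftpusers):
    """(allowed, reason) from the two non-password 'auth required' modules.
    Password verification (pam_stack service=system-auth) is not modelled, and
    pam_shells' ownership/permission checks on /etc/shells are assumed to pass."""
    if user in ftpusers:                          # pam_listfile sense=deny
        return False, "pam_listfile: listed in /etc/ftpusers"
    shell = shell_of.get(user)
    if shell is None:
        return False, "unknown account"
    if shell not in valid_shells:                 # pam_shells
        return False, f"pam_shells: {shell} not in /etc/shells"
    return True, "ok"


def audit(shell_of, valid_shells, ftpusers):
    """Rows (user, ftp_allowed, reason, has_interactive_shell) sorted by user.
    ftp_allowed plus has_interactive_shell means the account can also log in
    over telnet/ssh, which the ftponly shell above is meant to prevent."""
    rows = []
    for user in sorted(shell_of):
        ok, why = ftp_login_decision(user, shell_of, valid_shells, ftpusers)
        rows.append((user, ok, why, shell_of[user] in INTERACTIVE))
    return rows


if __name__ == "__main__":
    for user, ok, why, inter in audit(parse_passwd(PASSWD), parse_list(SHELLS), parse_list(FTPUSERS)):
        flag = "  <- also has an interactive shell" if ok and inter else ""
        print(f"{user:8} ftp={'allow' if ok else 'deny '}  {why}{flag}")
```

In the constructed data, user2 is denied even though /sbin/nologin is a perfectly good FTP-only shell, which is exactly the /etc/shells omission the text above warns about.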
For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial