Using the File Transfer Protocol (FTP) is a popular way to transfer files from machine to machine across a network. Clients and servers have been written for all the popular platforms, thereby often making FTP the most convenient way of performing file transfers.

You can configure FTP servers in one of two ways. The first is as a private user-only site, which is the default configuration for the FTP server; I will cover this configuration here. A private FTP server allows only users who have accounts on the system to connect via FTP and access their files. You can place access controls on these users so that certain users can be explicitly denied or granted access.

The other kind of FTP server is anonymous. An anonymous FTP server allows anyone on the network to connect to it and transfer files without having an account. Due to the potential security risks involved with this setup, you should take precautions to allow access only to certain directories on the system.

Configuring an anonymous FTP server always poses a security risk. Server software is inherently complex and can therefore have bugs allowing unauthorized users access to your system. The authors of the FTP server you will configure in this chapter have gone to great lengths to avoid this possibility; however, no one can ever be 100 percent sure.
If you decide to establish an anonymous FTP server, be sure to keep a careful eye on security announcements from CERT (www.cert.org), and update the server software whenever security issues arise.

Depending on which packages you chose to install during the installation, you might already have the FTP server software installed. To determine whether you have the server software installed, check for the /usr/sbin/in.ftpd file. If it is there, you have the necessary software. If you don't, read the next section to learn how to install it.

Getting and Installing the FTP Server

Red Hat Linux uses the freely available wu-ftpd server. It comes as an RPM (Red Hat Package Manager) and is offered as an installation option during initial setup. If you decide that you want to run an FTP server but did not install the RPM, fetch wu-ftpd-2.4.2b12-6.i386.rpm from the CD-ROM, or check www.redhat.com for the latest edition.

To install the RPM, simply log in as root and run the following:

[root@denon /root]# rpm -i wu-ftpd-2.4.2b12-6.i386.rpm

If you plan to offer an anonymously accessible site, then be sure to install the anonftp-2.3-3.i386.rpm from the CD-ROM as well. As always, you can check for the latest version at www.redhat.com.

To install the anonymous FTP file, log in as root and run the following:

[root@denon /root]# rpm -i anonftp-2.3-3.i386.rpm

Now you have a working anonymous FTP server!

To test whether the installation worked, simply use the FTP client and connect to your machine. For the sample FTP server, denon, the session looks like the following:

[root@denon /root]# ftp denon
Connected to denon.domain.com.
220 denon.domain.com FTP server (Version wu-2.4.2-academ[BETA-12](1) Wed Mar 5 12:37:21 EST 1997) ready.
Name (denon:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password: sshah@domain.com             [This is not echoed on the screen]
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.


To quit the FTP client software, simply enter bye at the ftp> prompt. If you want to test the private FTP server, rerun the FTP client but use your login instead of the anonymous login. Here's an example:

[root@denon /root]# ftp denon
Connected to denon.domain.com.
220 denon.domain.com FTP server (Version wu-2.4.2-academ[BETA-12](1) Wed Mar 5 12:37:21 EST 1997) ready.
Name (denon:root): sshah
331 Password required for sshah.
Password: mars1031               [This is not echoed on the screen]
230 User sshah logged in.
Remote system type is UNIX.
Using binary mode to transfer files.


How the FTP Server Works

FTP service is controlled from the /etc/inetd.conf file and is automatically invoked whenever someone connects to the FTP port. (Ports are logical associations from a network connection to a specific service. For example, port 21 associates to FTP, port 23 associates to Telnet, and so on.) When a connection is detected, the FTP daemon (/usr/sbin/in.ftpd) is invoked and the session begins. In the /etc/inetd.conf file, the default Red Hat distribution contains the necessary line for this step to occur.

After the server is initiated, the client needs to provide a username and corresponding password. Two special usernames—anonymous and ftp—have been set aside for the purpose of allowing access to the public files. Any other access requires that the user have an account on the server.

If a user accesses the server by using his or her account, an additional check is performed to ensure that the user has a valid shell. If the user doesn't have a valid shell, he or she is denied access to the system. This check is useful if you want to allow users limited access to a server (for example, POP mail) but do not want them logging in via Telnet or FTP. For a shell to be valid, it must be listed in the /etc/shells file. If you decide to install a new shell, be sure to add it to your /etc/shells listing so that people using that shell can connect to the system via FTP.
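The shell check described above can be reproduced to list which accounts the FTP server would accept. This is an added shell script, not from the book or from wu-ftpd; the passwd and shells contents are constructed sample data, and PASSWD_FILE and SHELLS_FILE are variables of my own so the script can be pointed at copies of the real files.

```shell
#!/bin/sh
# Added example (not from the book): reproduce wu-ftpd's valid-shell check so
# an administrator can list which accounts the FTP server will let in. It reads
# the same two files the server consults: the passwd file for the account's
# login shell, and /etc/shells for the list of valid shells. PASSWD_FILE and
# SHELLS_FILE are my own variables; unset, they point at the real system files.

# ftp_shell_ok USER: return 0 if USER's login shell is listed in the shells file.
ftp_shell_ok() {
    user=$1
    passwd=${PASSWD_FILE:-/etc/passwd}
    shells=${SHELLS_FILE:-/etc/shells}
    # Field 7 of the passwd entry is the login shell.
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; exit }' "$passwd")
    [ -n "$shell" ] || return 1          # no such account, or no shell set
    # /etc/shells holds one absolute path per line; skip comment lines and
    # match the whole line literally (-x -F), not as a regular expression.
    grep -v '^#' "$shells" | grep -qxF "$shell"
}

# ftp_allowed_users: print every account that passes the check, one per line.
ftp_allowed_users() {
    passwd=${PASSWD_FILE:-/etc/passwd}
    for u in $(awk -F: '{ print $1 }' "$passwd"); do
        if ftp_shell_ok "$u"; then echo "$u"; fi
    done
}

# Constructed sample data standing in for /etc/passwd and /etc/shells.
# popuser has /bin/false so it can fetch POP mail but cannot log in via FTP.
PASSWD_FILE=$(mktemp); SHELLS_FILE=$(mktemp)
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshah:x:500:500:Sample User:/home/sshah:/bin/tcsh
popuser:x:501:501:POP only:/home/popuser:/bin/false
ftp:x:14:50:FTP User:/home/ftp:
EOF
cat > "$SHELLS_FILE" <<'EOF'
# valid login shells
/bin/sh
/bin/bash
/bin/tcsh
EOF

ftp_allowed_users     # prints: root sshah (one per line)
```

Run it with PASSWD_FILE and SHELLS_FILE unset to check the real files on a server after adding a new shell.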

Users accessing the FTP server are placed in their home directories when they first log in. At that point, they can change into any directories on the system to which they have permission. Anonymous users, on the other hand, have several restrictions placed on them.

Anonymous users are placed in the home directory for the FTP users. By default, this directory is set to /home/ftp by the anonftp RPM package. After the users get there, the FTP server executes a chroot system call. This call effectively changes the program's root directory to the FTP users' directory. Access to any other directories in the system, which includes the /bin, /etc, and /lib directories, is denied. This change in the root directory has the side effect that the server can no longer see the real /etc/passwd and /etc/group, nor necessary binaries such as /bin/ls. To make up for this change, the anonftp RPM package creates a bin, etc, and lib directory under /home/ftp, where necessary libraries and programs are placed (such as ls) and where the server software can access them even after the chroot system call has been made.

For security reasons, files placed under the /home/ftp directory have their permissions set such that only the server can see them. (This is done automatically during anonftp's install.) Any other directories created under /home/ftp should be set up so that they are world readable. Most anonymous FTP sites place such files under the pub subdirectory.
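The layout and permission rules described in the last two paragraphs can be checked mechanically. This is an added example, not from the book or the anonftp package: the audit logic is mine, the directory tree it builds is constructed sample data standing in for /home/ftp, and the exact modes anonftp installs are not assumed; the script only enforces what the text states (bin, etc, lib and pub present, pub world-readable, nothing world-writable).

```shell
#!/bin/sh
# Added example, not from the book or the anonftp package: audit the tree an
# anonymous FTP server is chrooted into. It checks for the bin, etc, lib and
# pub directories the text describes, requires pub to be world-readable, and
# flags anything writable by "other": an anonymous client that can write into
# bin or lib could replace the ls the server runs inside the chroot.
# The tree built at the bottom is constructed sample data, not /home/ftp.

# world_rx PATH: true if the "other" permission bits include read and execute.
world_rx() {
    case $(ls -ld "$1" | cut -c8-10) in
        r?x) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_anonftp FTPHOME: print one line per finding; return the finding count.
audit_anonftp() {
    root=$1; findings=0
    for d in bin etc lib pub; do
        [ -d "$root/$d" ] && continue
        echo "MISSING: $root/$d"; findings=$((findings + 1))
    done
    if [ -d "$root/pub" ] && ! world_rx "$root/pub"; then
        echo "NOT WORLD-READABLE: $root/pub"; findings=$((findings + 1))
    fi
    # -perm -002: entries with the "other" write bit set (paths without spaces).
    find "$root" -perm -002 | sed 's/^/WORLD-WRITABLE: /'
    ww=$(find "$root" -perm -002 | wc -l | tr -d ' ')
    findings=$((findings + ww))
    return "$findings"
}

# Constructed sample tree with one deliberate mistake: a world-writable
# pub/incoming "drop box" that the audit must report.
FTPROOT=$(mktemp -d)
mkdir -p "$FTPROOT/bin" "$FTPROOT/etc" "$FTPROOT/lib" "$FTPROOT/pub/incoming"
: > "$FTPROOT/bin/ls"
chmod 755 "$FTPROOT" "$FTPROOT/bin" "$FTPROOT/etc" "$FTPROOT/lib" "$FTPROOT/pub"
chmod 711 "$FTPROOT/bin/ls"
chmod 777 "$FTPROOT/pub/incoming"

audit_anonftp "$FTPROOT" || echo "$? problem(s) found"   # reports pub/incoming
```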

Configuring Your FTP Server

Although the default configuration of the FTP server is reasonably secure, you can fine-tune access rights by editing the following files:

With all these files, you can have very fine control of who, when, and from where people can connect to your server as well as an audit trail of what they did after they did connect. The /etc/ftpaccess file is the most significant of these because it contains the most configuration options; however, misconfiguring any of the others can lead to denied service.

