Next: 5 Hylafax Up: Redhat FAQ Previous: 3 CVS and RCS   Contents

4 FTP

Rev: 05/12/2003

The web server www.totalflood.com also provides ftp services for several EDI customers. This section describes how to set up a server to do this with reasonable security: each customer gets a guest account that wu-ftpd chroots into its own home directory, with no interactive shell.

4.1 If Necessary

  1. Create a group called ftpguest (currently this is group 20000).
    # groupadd -g 20000 ftpguest
  2. Create a shell script called /bin/ftponly. See section 4.4 for an example script.
  3. Add /bin/ftponly to /etc/shells
  4. In /etc/ftpaccess (see 4.5), add ftpguest to the guestgroup line. Remove guest from the delete line, so that members of the guest group can delete files after downloading them.
  5. In /etc/ftpaccess, comment out or remove:
    allow-uid ftp 
    allow-gid ftp
  6. Delete the user ftp. This deactivates anonymous ftp.
    # userdel ftp
  7. Create a directory to be the root for the EDI users' home directories.
    # mkdir /var/edi

4.2 Create the Account

  1. Create a customer account.
    # useradd -u <ftpuserid> -g ftpguest -d /var/edi/ftpuser ftpuser
  2. Give the user a password.
  3. Change the permissions on the newly created directory to accommodate the software that will access it as group ftpguest.
    # chmod 775 /var/edi/ftpuser
  4. Delete any files copied into the home directory by useradd. (These are probably hidden files but be sure to double check).
    # rm /var/edi/ftpuser/.*
  5. Using the anonymous ftp directory as a template, copy the necessary files (bin, etc, lib) into the newly created directory.
    # cp -a /var/ftp/* /var/edi/ftpuser/.
  6. Add the new user to /var/edi/<ftpuser>/etc/passwd. This ensures that the dir command lists names rather than numbers. Note the * in the password field: this file is readable inside the chroot and must never carry a real password hash.
    ftpuser:*:2100:20000:::
  7. Add the in and out directories.
    # cd /var/edi/ftpuser
    # mkdir --mode=775 in
    # mkdir --mode=775 out
    # chown ftpuser:ftpguest in
    # chown ftpuser:ftpguest out

4.3 Disable DNS lookups in ftpd

Some clients do not have a reverse DNS entry for their machines, so ftpd waits on a lookup that times out and the connection becomes unacceptably slow. Removing the DNS lookups from ftpd makes connections faster.

  1. Extract the source rpm file
    # rpm -Uvh wu-ftpd-etc.src.rpm
  2. Change to the SPECS directory
    # cd <rpm-root>/SPECS
  3. Edit the wu-ftpd.spec file and change the configure line to include --disable-dns
  4. Build new source and executable RPMs
    # rpm -ba wu-ftpd.spec


4.4 Example ftponly script


#!/bin/sh
#
# ftponly shell
#
trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
#
Admin=bofh@totalflood.com
System="DPSI FTP Server"
#
/bin/echo
/bin/echo "*******************************************************************"
/bin/echo "    You are NOT allowed interactive access to $System"
/bin/echo
/bin/echo "     User accounts are restricted to ftp and web access."
/bin/echo
/bin/echo "  Direct questions concerning this policy to $Admin."
/bin/echo "*******************************************************************"
/bin/echo
#
exit 0


4.5 Example ftpaccess file


# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-

# anyone in guestgroup gets chroot'ed
guestgroup ftpguest

class   all   real,guest,anonymous  *

email bofh@totalflood.com

loginfails 5

readme  README*    login
readme  README*    cwd=*

message /welcome.msg            login
message .message                cwd=*

compress        yes             all
tar             yes             all
chmod           no              guest,anonymous
delete          no              anonymous
overwrite       no              guest,anonymous
rename          no              guest,anonymous

# turn on logging
log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg

# not really necessary since we don't allow anonymous logins
passwd-check rfc822 warn


2005-03-20