Setting up a secure FTP-server (Wu-Ftp)

This document gives some examples of how to make your FTP-server a bit more secure. For instance, standard installations allow anonymous logins, so everyone can stash a lot of crap on your server.
After you follow these next steps you will be able to give each one of your users their own home directory on the server, which they cannot browse up out of.
1. Anonymous logins
Edit the file /etc/ftpaccess and delete all anonymous entries.
This is an example of what the ftpaccess file looks like afterwards:
class all real,guest *
email firstname.lastname@example.org
loginfails 3
readme README* login
readme README* cwd=*
message /welcome.msg login
message .message cwd=*
compress yes all
tar yes all
chmod no guest
delete no guest
overwrite no guest
rename no guest
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg
passwd-check rfc822 warn
guestgroup FTPgroup
greeting full
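The two ftpaccess settings this page relies on (no class line that still admits the anonymous type, and a guestgroup line so users stay inside their home directory, as described in section 3) are easy to get wrong when editing by hand. The following POSIX shell script is an added example, not part of the original article: it audits an ftpaccess file for exactly those two points and ships with two constructed sample files, one default-style and one hardened, so it can be tried without a live server. The function name check_ftpaccess and the sample contents are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a wu-ftpd ftpaccess file for the
# two settings this page changes. It fails if any "class" line still admits the "anonymous"
# type (section 1) or if no "guestgroup" line is present to confine users to their home
# directory (section 3). Usage: check_ftpaccess /etc/ftpaccess ; exit status 0 = ok, 1 = problem.

check_ftpaccess() {
    file="$1"
    problems=0

    # Drop comments and blank lines so only directives are inspected.
    directives=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file")

    # class <name> <typelist> <addrglob>...: a typelist containing "anonymous" still
    # admits unauthenticated clients, whatever else the file says.
    if printf '%s\n' "$directives" | grep -E '^[[:space:]]*class[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]*anonymous' >/dev/null; then
        echo "$file: a class line still allows anonymous logins" >&2
        problems=1
    fi

    # guestgroup <group>: without it real users can cd above their home directory.
    if ! printf '%s\n' "$directives" | grep -E '^[[:space:]]*guestgroup[[:space:]]+[^[:space:]]+' >/dev/null; then
        echo "$file: no guestgroup line, users are not confined to their home directory" >&2
        problems=1
    fi

    return $problems
}

# Constructed sample: a default-style file that still admits anonymous users and has no guestgroup.
write_weak_sample() {
    cat >"$1" <<'EOF'
# default wu-ftpd style configuration (constructed sample)
class   all   real,guest,anonymous  *
loginfails 3
greeting full
EOF
}

# Constructed sample: the hardened settings from this page.
write_hardened_sample() {
    cat >"$1" <<'EOF'
class   all   real,guest  *
loginfails 3
guestgroup FTPgroup
greeting full
EOF
}

tmp=$(mktemp -d)
write_weak_sample "$tmp/ftpaccess.weak"
write_hardened_sample "$tmp/ftpaccess.hardened"
check_ftpaccess "$tmp/ftpaccess.weak" || echo "weak sample rejected, as expected"
check_ftpaccess "$tmp/ftpaccess.hardened" && echo "hardened sample accepted"
rm -rf "$tmp"
```

Run it against the real file with check_ftpaccess /etc/ftpaccess after every edit; a non-zero exit status means at least one of the two settings has regressed, and the reason is printed on stderr.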
2. Adding Users
First of all, create a special user group where you can put all the users, for example FTPgroup:
>> groupadd FTPgroup

Now you can create some users (if you choose not to give shell access to these users, look at section 4):

>> adduser -g FTPgroup "username"
>> passwd "username"

Make sure you copy "bin", "etc" and "lib" and their contents from /home/ftp or /var/ftp to the home directory of the user. Use cp -R like this (the command below copies pub; repeat it for bin, etc and lib):

>> cp -R /var/ftp/pub /home/username

Create the directories download and upload in the "pub" directory for the users to download and upload files from:

>> mkdir /home/username/pub/download
>> mkdir /home/username/pub/upload

Be sure to set the permissions and ownership on these newly created directories (the chown below uses relative names, so run it from inside /home/username/pub):

>> chown username:FTPgroup upload download
>> chmod 500 /home/username/pub/download
>> chmod 700 /home/username/pub/upload

This gives the user read/write access to the upload directory and read-only access to the download directory.
3. Keep users in own Homedirectory
To keep the users in their own home directory you can add "guestgroup FTPgroup" to the ftpaccess file. Open /etc/ftpaccess with your favourite text editor and add:

guestgroup FTPgroup
4. No shell access
If you choose to deny your users shell access via telnet or ssh, all you have to do is create a dummy shell, which you can name NoAccess, and place it under /etc/:

>> touch /etc/NoAccess

Open the file with your editor and put something in like this:
Save the file and make sure that the shell is executable:

>> chmod +x /etc/NoAccess

Once you've done this, edit the file /etc/shells and add the shell you just created. The file /etc/shells would then look like this:

/bin/bash2
/bin/bash
/bin/sh
/bin/ash
/bin/bsh
/bin/tcsh
/etc/NoAccess
If you added the users manually and did not use my script, you have to edit /etc/passwd and change the shell for those users. The entry would look like this:

username:x:100:100::/home/username:/bin/bash

Just change /bin/bash to /etc/NoAccess.
If everything is set up and you choose to add users manually, you can create the user with the right shell straight away with the following command:

>> adduser -g FTPgroup -s /etc/NoAccess "username"

In order to automate the creation of users I've created a small Perl script that adds a user to FTPgroup, sets the shell, creates the upload and download directories and copies the required directories from the FTP directory:

#!/usr/bin/perl
use strict;
use warnings;

print "Username: ";
chomp(my $Name = <STDIN>);

# Only accept a plain login name: the name is interpolated into the shell commands
# below, so spaces, ';' or '$' in it would be executed as part of those commands.
die "Invalid username\n" unless $Name =~ /^[a-z_][a-z0-9_-]{0,31}$/;

# create the account in FTPgroup with the dummy shell (section 4)
system("adduser -g FTPgroup -s /etc/NoAccess $Name") == 0 or die "adduser failed\n";

# copy the directories wu-ftpd needs inside the user's home directory (section 2)
system("cp -R /var/ftp/pub /home/$Name");
system("cp -R /var/ftp/bin /home/$Name");
system("cp -R /var/ftp/lib /home/$Name");
system("cp -R /var/ftp/etc /home/$Name");
system("mkdir /home/$Name/pub/upload");
system("mkdir /home/$Name/pub/download");

# ownership and modes; the chown paths are absolute here (the earlier version used
# "$Name/pub/...", which is relative to wherever the script happens to be run from)
system("chown $Name: /home/$Name/pub/download");
system("chown $Name: /home/$Name/pub/upload");
system("chmod 500 /home/$Name/pub/download");
system("chmod 700 /home/$Name/pub/upload");

system("passwd $Name");
print "Done! user $Name has been added.\n";
You cannot create a text file under Windows and copy it onto your server. This will not
Create a file called useradd and insert the lines above. Before you can run it from the command line, set the permissions as follows:

>> chmod +x useradd
>> chown root:root useradd

Then run

>> /usr/local/scripts/useradd

or whatever file path you chose, and start adding users automatically. (Most systems already have a useradd command of their own, so call the script by its full path as shown, so the two are not confused.)
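Whether the accounts were created by hand (sections 2 to 4) or by the script, it is worth checking afterwards that each one actually ended up with the layout described on this page. The following POSIX shell script is an added example, not part of the original article: it audits one account for the login shell, the /etc/shells entry, the copied bin/etc/lib directories and the 500/700 modes on download and upload. The ROOT prefix, the function names audit_ftp_user, mode_of and build_sample_tree, and the contents of the constructed sample tree (including the placeholder body of the NoAccess shell, which the page does not show) are assumptions for the example; ownership is not checked.

```shell
#!/bin/sh
# Added example, not part of the original article: audit one FTP account created by the
# procedure on this page. ROOT is a directory prefix so the function can be run against a
# constructed tree; on a live host call it as "audit_ftp_user / username".
# It checks that the passwd entry uses /etc/NoAccess and a home under /home, that
# /etc/NoAccess exists, is executable and is listed in /etc/shells, that bin, etc and lib
# were copied into the home directory, and that pub/download is mode 500 and pub/upload
# mode 700. Ownership is not checked. Exit status 0 = ok, 1 = at least one deviation.

# First ten characters of "ls -ld", e.g. "drwx------"; works with both GNU and BSD ls.
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

audit_ftp_user() {
    root="${1%/}"            # "/" becomes "", so "$root/etc/passwd" is "/etc/passwd"
    name="$2"
    home="$root/home/$name"
    bad=0

    note() { echo "$name: $1" >&2; bad=1; }

    # passwd fields: 1 = login name, 6 = home directory, 7 = login shell
    entry=$(awk -F: -v u="$name" '$1 == u { print; exit }' "$root/etc/passwd")
    if [ -z "$entry" ]; then
        note "no entry in $root/etc/passwd"
    else
        [ "$(printf '%s' "$entry" | cut -d: -f7)" = "/etc/NoAccess" ] || note "login shell is not /etc/NoAccess"
        [ "$(printf '%s' "$entry" | cut -d: -f6)" = "/home/$name" ] || note "home directory is not /home/$name"
    fi

    # the dummy shell must exist, be executable and be registered in /etc/shells
    [ -x "$root/etc/NoAccess" ] || note "$root/etc/NoAccess is missing or not executable"
    grep -qx '/etc/NoAccess' "$root/etc/shells" 2>/dev/null || note "/etc/NoAccess is not listed in /etc/shells"

    # support directories wu-ftpd needs inside the home directory, plus the two transfer directories
    for d in bin etc lib pub/upload pub/download; do
        [ -d "$home/$d" ] || note "directory $home/$d is missing"
    done

    # modes as set on this page: download 500 (dr-x------), upload 700 (drwx------)
    [ "$(mode_of "$home/pub/download")" = "dr-x------" ] || note "pub/download is not mode 500"
    [ "$(mode_of "$home/pub/upload")" = "drwx------" ] || note "pub/upload is not mode 700"

    return $bad
}

# Constructed sample tree mirroring the layout this page builds, for trying the audit
# offline. The NoAccess body is a placeholder; the page does not show its contents.
build_sample_tree() {
    r="$1"; u="$2"
    mkdir -p "$r/etc" "$r/home/$u/bin" "$r/home/$u/etc" "$r/home/$u/lib" \
             "$r/home/$u/pub/upload" "$r/home/$u/pub/download"
    printf '#!/bin/sh\nexit 1\n' >"$r/etc/NoAccess"
    chmod +x "$r/etc/NoAccess"
    printf '/bin/sh\n/bin/bash\n/etc/NoAccess\n' >"$r/etc/shells"
    printf '%s:x:1001:1001::/home/%s:/etc/NoAccess\n' "$u" "$u" >"$r/etc/passwd"
    chmod 700 "$r/home/$u/pub/upload"
    chmod 500 "$r/home/$u/pub/download"
}

tmp=$(mktemp -d)
build_sample_tree "$tmp" alice
audit_ftp_user "$tmp" alice && echo "alice: layout matches the page"
chmod 777 "$tmp/home/alice/pub/upload"      # simulate a mis-set mode
audit_ftp_user "$tmp" alice || echo "alice: deviation detected"
rm -rf "$tmp"
```

On a live host, loop over the members of FTPgroup (for example the fourth field of the FTPgroup line in /etc/group) and call audit_ftp_user / on each name; any account that prints a note is one where a step from sections 2 to 4 was skipped or reverted.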
That's all for now. If I have any news regarding securing FTP I will keep you posted.