Published at 9.03.2002
Author: Alex Planting

Setting up a secure FTP server (Wu-Ftp)

This document gives some examples of how to make your FTP server a bit more secure. For instance, standard installations allow anonymous logins, so anyone can stash a lot of junk on your server.
After you follow the steps below you will be able to give each of your users their own home directory on the server, which they cannot browse up out of.

1. Anonymous logins

Edit the file /etc/ftpaccess and delete all anonymous entries.
This is an example of what the ftpaccess file could look like:

/etc/ftpaccess
  class all real,guest *
  
  email your@email.com
  loginfails 3
  
  readme README* login 
  readme README* cwd=* 
  
  message /welcome.msg login
  message .message cwd=* 
  
  compress yes all
  tar yes all
  chmod no guest
  delete no guest
  overwrite no guest
  rename no guest
  
  log transfers anonymous,real inbound,outbound
  shutdown /etc/shutmsg 
  passwd-check rfc822 warn
  guestgroup FTPgroup
  greeting full
  

2. Adding Users

First of all, create a special user group where you can put all the users, for example FTPgroup:

  >> groupadd FTPgroup
  
Now you can create some users:
  >> adduser -g FTPgroup "username" 
  
(If you choose not to give shell access to these users, see section 4.)
  >> passwd "username"
  
Make sure you copy "bin", "etc" and "lib" and the files in them from /home/ftp or /var/ftp to the user's home directory. Use cp -R like this:
  >> cp -R /var/ftp/pub /home/username
  
Create directories called download and upload in the "pub" directory for the users to upload and download files from.
  >> mkdir /home/username/pub/download
  >> mkdir /home/username/pub/upload
  
Be sure to set the permissions and ownership on the directories you just created.
  >> chown username:FTPgroup /home/username/pub/upload /home/username/pub/download
  >> chmod 500 /home/username/pub/download
  >> chmod 700 /home/username/pub/upload
  
This will give the user read/write access to upload and read access for the download directory.

3. Keep users in own Homedirectory

To keep the users in their own home directory, add "guestgroup FTPgroup" to the ftpaccess file.
Open /etc/ftpaccess with your favorite text editor and add:

   guestgroup FTPgroup
  

4. No shell access

If you want to deny your users shell access via telnet or ssh, all you have to do is create a dummy shell, which you can name NoAccess, and place it under /etc/.

  >> touch /etc/NoAccess
  
Open the file with your editor and put in something like this:

/etc/NoAccess
   #!/bin/sh
   #
   echo " Shell Access denied! "
   echo " "
   echo " You don't have a valid login for this server "
   exit 0


Save the file and make sure that the shell is executable:

  >> chmod +x /etc/NoAccess
  
Once you've done this, edit the file /etc/shells and add the shell you just created.
The file /etc/shells would then look like this:

/etc/shells
   /bin/bash2
   /bin/bash
   /bin/sh
   /bin/ash
   /bin/bsh
   /bin/tcsh
   /etc/NoAccess
  


If you added the user manually and did not use my shell script, you have to edit /etc/passwd and change the shell for the users.
The entry would look like this:

  username:x:100:100::/home/username:/bin/bash
  
Just change /bin/bash to /etc/NoAccess.
If everything is set up and you choose to add users manually, you can create the user with the right shell using the following command:
  >> adduser -g FTPgroup -s /etc/NoAccess "username"
  
To automate the creation of users I've created a small script that adds a user to FTPgroup, sets the shell, creates the upload and download directories and copies the required directories from the FTP directory.

ftpuseradd_script
   #!/usr/bin/perl
   # Adds a user to FTPgroup with the NoAccess shell, copies the chroot
   # support directories from /var/ftp and creates the upload/download directories.
   use strict;
   use warnings;
   print "Username: ";
   chomp (my $Name = <STDIN>);
   # Accept only a plain login name, because $Name is passed to the shell below.
   die "Invalid username\n" unless $Name =~ /^[a-z_][a-z0-9_-]*$/;
   system("adduser -g FTPgroup -s /etc/NoAccess $Name");
   system("cp -R /var/ftp/pub /home/$Name");
   system("cp -R /var/ftp/bin /home/$Name");
   system("cp -R /var/ftp/lib /home/$Name");
   system("cp -R /var/ftp/etc /home/$Name");
   system("mkdir /home/$Name/pub/upload");
   system("mkdir /home/$Name/pub/download");
   # Ownership and permissions as in section 2 (full paths under /home).
   system("chown $Name:FTPgroup /home/$Name/pub/download");
   system("chown $Name:FTPgroup /home/$Name/pub/upload");
   system("chmod 500 /home/$Name/pub/download");
   system("chmod 700 /home/$Name/pub/upload");
   system("passwd $Name");
   print "Done! user $Name has been added.\n";
  


Do not create the text file under Windows and copy it onto your server; the Windows line endings will stop it from running properly.
Create a file called useradd on the server and insert the lines. You can run the file from the command line, but first set the permissions as follows:

  >> chmod +x useradd
  >> chown root:root useradd
  
Then,
  >> /usr/local/scripts/useradd 
  
or whatever file path you wish, and start adding users automatically.
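To check that a host actually matches the steps in sections 1 to 4, here is an added audit script (not from the original article). It reads constructed sample copies of ftpaccess, passwd, group and shells so it runs offline; the group name FTPgroup and the shell /etc/NoAccess come from the article, and the sample users, paths and file contents are assumptions.

```shell
#!/bin/sh
# Added audit script (not part of the article). Builds constructed sample copies of
# ftpaccess, passwd, group and shells in a temp dir; point the four paths at the
# real files to audit a live server.
FTPGROUP=FTPgroup
NOACCESS=/etc/NoAccess
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
FTPACCESS=$WORK/ftpaccess; PASSWD=$WORK/passwd; GROUP=$WORK/group; SHELLS=$WORK/shells

# --- constructed sample data: bob was added by hand and still has a real shell ---
printf 'class all real,guest *\nguestgroup FTPgroup\nloginfails 3\n' > "$FTPACCESS"
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/etc/NoAccess
bob:x:1002:1001::/home/bob:/bin/bash
EOF
printf 'FTPgroup:x:1001:\n' > "$GROUP"
printf '/bin/sh\n/bin/bash\n/etc/NoAccess\n' > "$SHELLS"

# Lists FTPgroup members (primary group, as adduser -g sets it) whose login shell
# is not the dummy shell; these users can still log in over telnet/ssh (section 4).
users_with_shell_access() {
    gid=$(awk -F: -v g="$FTPGROUP" '$1 == g { print $3 }' "$GROUP")
    awk -F: -v gid="$gid" -v sh="$NOACCESS" '$4 == gid && $7 != sh { print $1 }' "$PASSWD"
}

# Succeeds if a "class" line in ftpaccess still admits anonymous logins (section 1).
anonymous_allowed() {
    grep -Eq '^[[:space:]]*class[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]*anonymous' "$FTPACCESS"
}

# Succeeds if "guestgroup FTPgroup" is present, so members are confined to their
# home directories (section 3).
guestgroup_set() {
    grep -Eq '^[[:space:]]*guestgroup[[:space:]]+'"$FTPGROUP"'([[:space:]]|$)' "$FTPACCESS"
}

# Succeeds if the dummy shell is registered in /etc/shells (section 4).
noaccess_registered() {
    grep -qxF "$NOACCESS" "$SHELLS"
}

# Report when run directly; the functions above are what a caller would reuse.
for u in $(users_with_shell_access); do echo "WARNING: $u is in $FTPGROUP but has shell access"; done
anonymous_allowed && echo "WARNING: anonymous logins still allowed in ftpaccess"
guestgroup_set || echo "WARNING: guestgroup $FTPGROUP missing, users are not confined"
noaccess_registered || echo "WARNING: $NOACCESS is not listed in /etc/shells"
```

With the constructed data the script reports only bob, the user whose shell was never changed to /etc/NoAccess.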

That's all for now. If I have any news regarding securing FTP I will keep you posted.



