Speaking of security—now is the time to make sure that files are as they should be. You don't want anyone getting free access to your system, do you? Here's how the directories in ~ftp/ should be laid out:
Execute only (mode 0111 in chmod): ~ftp/bin and ~ftp/etc
Read and execute (mode 0555 in chmod): ~ftp/pub, ~ftp/usr, and ~ftp/var (if you want it—or it can be a link to ~ftp/usr)
Write and execute (optionally read too—0333 or 0777 in chmod): /incoming
Incoming is a special directory where users are allowed to place incoming files. From here, the files are then moved by the ftp administrator to another location. Many sites have their incoming directories set up so that any file that is uploaded can immediately be downloaded by another anonymous user. But, an unscrupulous user can upload an illegal program for immediate download by anyone else. In the time it takes the ftp administrator to discover the file and erase it, hundreds of people could have downloaded it. By denying read access to the directory, users can put files there, but not see them. Instead you get a message about “permission denied”.
The execute-only directory is also special in that while anonymous users can run the programs in that directory (tar and ls usually), they can't get a directory of what is there, nor can they put anything in the directory. This is good because it prevents an anonymous user from finding out what kinds of programs are available, and also allows extra security on the ~ftp/etc/passwd and ~ftp/etc/group files.
Now your ftp site should be ready for allowing incoming users. If you had to install wu.ftpd, make your changes to /etc/inetd.conf by adding the following line:
ftp stream tcp nowait root /usr/sbin/tcpd /usr/local/bin/ftpd
This assumes that you want the tcpd(8) wrapper and that the ftpd binary is located in /usr/local/bin. An ftp line may already be in the file, so you may have to only edit it. Restart inetd with a killall -HUP inetd, and sit back and relax.
If you are interested in watching how popular your ftp site is, a few programs can help. The ftpcount tells you how many users of each class are connected to your machine, and what the maximum is. ftpwho gives you slightly better information about who is logged in, and ftpshut is used to bump connected users off at a specific time. The xferstats program in the util directory can give you detailed reports of when most people connect, what gets downloaded, and other information that may help you fine-tune your configuration.
wu.ftpd has many more abilities than I have described here, such as the ability to create “private” directories and groups to allow only certain anonymous ftp users access to directories. There are also provisions for logging access information via syslogd(8) and file transfer information to /var/adm/ftpd/xferlog. There's a man page for xferlog(5) too. Both of these methods of logging are set up by default.
If you have any questions about setting up ftp on your linux machine, or any questions, comments, or even complaints about this article, please e-mail me at email@example.com.
Mark Komarinski graduated from Clarkson University (in very cold Potsdam, NY) with a degree in Computer Science and Technical Communication. He now lives in Troy, NY, spending much of his free time working for the Department of Veterans Affairs where he is a programmer.
|PostgreSQL, the NoSQL Database||Jan 29, 2015|
|HPC Cluster Grant Accepting Applications!||Jan 28, 2015|
|Sharing Admin Privileges for Many Hosts Securely||Jan 28, 2015|
|Red Hat Enterprise Linux 7.1 beta available on IBM Power Platform||Jan 23, 2015|
|Designing with Linux||Jan 22, 2015|
|Wondershaper—QOS in a Pinch||Jan 21, 2015|
- PostgreSQL, the NoSQL Database
- Sharing Admin Privileges for Many Hosts Securely
- HPC Cluster Grant Accepting Applications!
- Internet of Things Blows Away CES, and it May Be Hunting for YOU Next
- Ideal Backups with zbackup
- Designing with Linux
- Red Hat Enterprise Linux 7.1 beta available on IBM Power Platform
- Wondershaper—QOS in a Pinch
- Slow System? iotop Is Your Friend
- January 2015 Issue of Linux Journal: Security
Editorial Advisory Panel
Thank you to our 2014 Editorial Advisors!
- Jeff Parent
- Brad Baillio
- Nick Baronian
- Steve Case
- Chadalavada Kalyana
- Caleb Cullen
- Keir Davis
- Michael Eager
- Nick Faltys
- Dennis Frey
- Philip Jacob
- Jay Kruizenga
- Steve Marquez
- Dave McAllister
- Craig Oda
- Mike Roberts
- Chris Stark
- Patrick Swartz
- David Lynch
- Alicia Gibb
- Thomas Quinlan
- Carson McDonald
- Kristen Shoemaker
- Charnell Luchich
- James Walker
- Victor Gregorio
- Hari Boukis
- Brian Conner
- David Lane