
Configuration Files for FTP Server

The following configuration files are required for the effective functioning of your FTP server:

  • ftpaccess
  • ftpusers
  • ftphosts
  • ftpgroups
  • ftpconversions

The next few sections discuss some of these files.

ftpaccess

The ftpaccess file is the main configuration file for the Wu-ftpd server. It controls which users may log in and most of the other security-related settings of the FTP server. You should place this file in the /etc folder. The default location for this file is /etc/ftpaccess.

The important directives of the ftpaccess file are discussed here:

  • The deny directive disallows access to hosts matching <address>. If a denied host tries to connect, <message> is displayed:
    deny <address> <message>
  • The following directives add users and groups as guest users/groups or real users/groups:
    guestgroup <groupname> [<groupname>...]
    guestuser <username> [<username>...]
    realgroup <groupname> [<groupname>...]
    realuser <username> [<username>...]
  • The tcpwindow directive is used to control network traffic by setting up the TCP window size:
    tcpwindow <size> [<class>]
  • The timeout directive is used to specify various time limits:
    timeout [accept | connect | data | idle | maxidle | RFC931 ] <seconds>
  • The file-limit directive limits the number of files a user in the specified class can transfer:
    file-limit [<raw>] <in|out|total> <count> [<class>]
  • The data-limit directive is used to specify the limit of the data in bytes that a user in the specified class can transfer:
    data-limit [<raw>] <in|out|total> <count> [<class>]
  • The limit-time directive is used to set the time limit for a session:
    limit-time {*|anonymous|guest} <minutes>
  • The limit directive is used to limit the class to a specified number of users. The error message <message> is displayed when the user is denied access:
    limit <class> <n> <times> <message_file>
  • The noretrieve directive is used to deny the transfer of the specified files:
    noretrieve [absolute|relative] [class=<classname>] ... [-] <filename> <filename> ...
  • The allowretrieve directive allows retrieval of the specified files:
    allowretrieve [absolute|relative] [class=<classname>] ... [-] <filename> <filename> ...
  • The loginfails directive specifies the number of failed logon attempts that is allowed before the connection is closed. The default value is 5:
    loginfails <number>
  • The log commands directive allows logging of individual commands by users. The <typelist> is a comma-separated list drawn from anonymous, guest, and real:
    log commands <typelist>
  • The log transfers directive enables you to log file transfers for anonymous and real FTP users. <directions> can have the TO value for incoming transfers or the FROM value for outgoing transfers:
    log transfers <typelist> <directions>
  • The log security directive allows you to log security rules violation by real, anonymous, and guest users:
    log security <typelist>
  • The following directives enable or disable the ability of the listed user types to perform the named operation. The default for each of them is yes:
    chmod <yes|no> <typelist>
    delete <yes|no> <typelist>
    overwrite <yes|no> <typelist>
    rename <yes|no> <typelist>
    umask <yes|no> <typelist>
  • The passwd-check directive is used for enforcing the kind of password checking done for anonymous FTP users:
    passwd-check <none|trivial|rfc822> (<enforce|warn>)
  • The upload directive is used to specify whether the directory, <dirglob>, will allow uploads:
    upload [absolute|relative] [class=<classname>]... [-] <root-dir> <dirglob> <yes|no>
    <owner> <group> <mode> [dirs|nodirs] [<d_mode>]
  • The throughput directive is used to restrict the download transfer rate for files in a specified directory:
    throughput <root-dir> <subdir-glob> <file-glob-list> <bytes-per-second>
    <bytes-per-second-multiply> <remote-glob-list>
  • The following directives specify ranges of UID and GID values that are denied access to the FTP server (deny-uid, deny-gid) or explicitly allowed access (allow-uid, allow-gid):
    deny-uid <uid-range> [...]
    deny-gid <gid-range> [...]
    allow-uid <uid-range> [...]
    allow-gid <gid-range> [...]
  • The following directives are used to specify whether real and guest users have access outside their home directories on the FTP server:
    restricted-uid <uid-range> [...]
    restricted-gid <gid-range> [...]
    unrestricted-uid <uid-range> [...]
    unrestricted-gid <gid-range> [...]
  • The site-exec-max-lines directive limits the number of lines of SITE EXEC output that can be sent to a remote client:
    site-exec-max-lines <number> [<class> ...]

The ftpaccess file specifies which users can access the FTP server. In ftpaccess, you can define the activities that can be performed by a user. The content of a sample ftpaccess file is shown here:

class        all          real,guest,anonymous *
email        root@localhost
loginfails   5
readme       README*      login
readme       README*      cwd=*
message      /welcome.msg login
message      .message     cwd=*
compress     yes          all
tar          yes          all
chmod        no           guest,anonymous
delete       no           guest,anonymous
overwrite    no           guest,anonymous
rename       no           guest,anonymous
log transfers anonymous,real inbound,outbound
shutdown     /etc/shutmsg
passwd-check rfc822 warn

In the preceding extract, you first define a class that allows local and remote access from all addresses. This can be customized depending upon your requirements. You can specify all of your guest groups, one per line. For security purposes you should log all commands and transfers, as shown here:

log commands real,anonymous,guest
log transfers guest,anonymous,real inbound,outbound

The chmod, delete, overwrite, and rename directives are set to yes by default, so anonymous and guest users keep these permissions unless you deny them explicitly. The entries that deny them are as follows:

chmod no guest,anonymous
delete no guest,anonymous
overwrite no guest,anonymous
rename no guest,anonymous
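Because chmod, delete, overwrite, rename and umask default to yes, a missing line silently grants the permission. The following added example (not part of Wu-ftpd or of this text) is a small Python lint over an ftpaccess file that reports untrusted user types still holding those permissions, gaps in log transfers coverage, and passwd-check none; the sample configuration it checks is constructed.

```python
# Added example (not part of Wu-ftpd): lint an ftpaccess file for the
# permission and logging directives discussed above. The sample is constructed.
DANGEROUS_OPS = ("chmod", "delete", "overwrite", "rename", "umask")
UNTRUSTED = {"anonymous", "guest"}

SAMPLE_FTPACCESS = """\
class   all   real,guest,anonymous *
loginfails 5
chmod     no    guest,anonymous
delete    no    guest,anonymous
overwrite yes   anonymous
log transfers anonymous,real inbound,outbound
passwd-check rfc822 warn
"""

def parse_ftpaccess(text):
    """Return (directive, [args]) tuples, skipping blank and # comment lines."""
    entries = []
    for line in text.splitlines():
        if parts := line.split("#", 1)[0].split():
            entries.append((parts[0], parts[1:]))
    return entries

def audit_ftpaccess(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_ftpaccess(text)
    findings = []
    # These default to yes: an untrusted type keeps the right unless set to no.
    for op in DANGEROUS_OPS:
        denied = set()
        for name, args in entries:
            if name == op and len(args) >= 2:
                types = set(args[1].split(","))
                denied = denied | types if args[0] == "no" else denied - types
        for t in sorted(UNTRUSTED - denied):
            findings.append(f"{op} is permitted for {t} users (default yes)")
    # Transfer logging should cover all three user types and both directions.
    types, dirs = set(), set()
    for name, args in entries:
        if name == "log" and args[:1] == ["transfers"] and len(args) >= 3:
            types |= set(args[1].split(","))
            dirs |= set(args[2].split(","))
    for t in sorted({"anonymous", "guest", "real"} - types):
        findings.append(f"log transfers does not cover {t} users")
    for d in sorted({"inbound", "outbound"} - dirs):
        findings.append(f"log transfers does not cover {d} transfers")
    # passwd-check none performs no check at all on anonymous passwords.
    if any(n == "passwd-check" and a[:1] == ["none"] for n, a in entries):
        findings.append("passwd-check none accepts any anonymous password")
    return findings
```

Run against the constructed sample it reports seven findings: overwrite, rename and umask still permitted for anonymous and guest users, plus missing transfer logging for guest users.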