Thursday, 23 October 2008

Chapter 9. FTP Server

The File Transfer Protocol is a lightweight protocol for transferring files over a network. It is a client-server protocol requiring an FTP server, such as WU-FTPD, and a client such as ncftp. WU-FTPD is the most popular FTP server on the Internet, and though it has had its problems (primarily security-related) it is a very feature-rich FTP daemon. WU-FTPD has been in constant development for over ten years, and has attracted a lot of users and developers during that time. This chapter covers all of the configuration files involved in running a WU-FTPD installation (Figure 9.1, “WU-FTPD Server”). It is highly recommended that you make sure your FTP server is running the latest version (2.6.2 as of this writing), as all earlier versions have widely known security exploits.

Figure 9.1. WU-FTPD Server

Users and Classes

Here you configure the various user and group features of the ftpaccess file (Figure 9.2, “Users and Classes”). For more on this file and its structure, see the ftpaccess man page.

Figure 9.2. Users and Classes

User classes

Here you define a class of users, and the networks from which they are allowed to log in. Note that the default includes a class all for users of all types (real, guest, and anonymous) which matches all networks with the *. This option configures the class directive.

Unix users and UIDs to treat as guests and Unix groups and GIDs to treat as guests

Here, you can define users and groups who would ordinarily qualify as real users but who will instead be treated as guests, or anonymous users. In other words, a chroot will be done, and the user will not be permitted to use the USER or PASS commands. The user's home directory must be properly set up, as an anonymous FTP directory would be. These two options correspond to the guestuser and guestgroup directives.

Unix users and UIDs not to treat as guests and Unix groups and GIDs not to treat as guests

If your server is configured to treat all users as guests, then you can selectively allow a few users to be treated as real users (i.e., with access to the system directories, and without performing a chroot). These options configure the realuser and realgroup directives.

Unix users to deny (from /etc/ftpusers)

This is simply a list of users who are denied access to the server. This information is drawn from the /etc/ftpusers file, and adding to this list will add to the file. Note that if the next two sets of options are used to precisely control access to the FTP server (i.e., by blocking all access except for explicitly permitted users), then the ftpusers file becomes unnecessary.

Unix users and UIDs to deny and Unix groups and GIDs to deny

Here you can enter any users or groups you would like to deny access to. These options configure the deny-uid and deny-gid directives.

Unix users and UIDs not to deny and Unix groups and GIDs not to deny

These options can be used to negate the above options, if you choose to disallow all access from all users and groups. In this way, you can allow only explicitly configured users to access the server.

Messages and Banners

WU-FTPD provides a simple mechanism for informing users of important information regarding the server, or files on the server. As in the previous section, this page configures certain aspects of the ftpaccess (Figure 9.3, “Messages and Banners”).

Figure 9.3. Messages and Banners

Message files

This option configures the messages that will be displayed on login to the server. The default on many systems is to display a message contained in the file welcome.msg in the root FTP directory, if it exists, as soon as someone logs in. Also, when entering a directory the server will check for the existence of a file called .message in the new directory. If it exists, it will be displayed. Both of these are optional, and the names and actions can be changed at will. This option configures the message directive.

README files

Here, you can configure the behavior of the server with regard to README files. This, too, is set up by default on most systems. In this case, any file beginning README will be displayed to the user, both on logging into the server, and upon entering a new directory. This option configures the readme directive.

Greeting level

Here you can select how much information about your server will be presented to the user. The levels range from showing the host name and server version down to showing nothing at all. This can be a mild security risk, as the first step to cracking a box is to figure out what software and version is running. However, if the system is kept up to date (religiously), and the system is otherwise secured, this should not be an issue. Many paranoid types (and there's no harm in being paranoid in a world where script kiddies are a dime a dozen) will disable all specific software and version information on all of their publicly accessible services. This option configures the greeting directive.

Pre-login banner

Here you configure a banner that will be displayed before the user is prompted for a user name and password. This option can cause problems with non-compliant FTP client software. This option configures the banner directive.

Hostname for messages

This will be the host name that is printed in the greeting message, and anytime the host name is inserted into a message for the user. This option configures the hostname directive.

Owner's email address

Here you can set the email address of the server's maintainer. This will be presented as the contact email for this server. This option configures the email directive.

Limits and Access Control

This page provides access to various resource limits, as well as provides system level access controls. If you wish to limit the system or network resources your server uses, this is the page to start with.

Deny access from

Here you may deny access to the server from any number of IP addresses, and you can provide a filename of a text error message file to send the client in the event they have been denied access based on this rule. This option configures the deny directive.

Concurrent user limits

Here you may limit the number of concurrent users from a given user class. To configure this option, you must provide a class for which the rule will apply, and the maximum number of users to allow to log in simultaneously. Next, you can choose times in UUCP L.sys format. This format is pretty simple: you choose the days by entering the first two letters of each, with the first capitalized (e.g., Su for Sunday, or Mo for Monday), or Any for all days. Then the time is set in military format (1000 for 10AM, 2300 for 11PM, etc.). So to limit users during business hours, for example, we could enter MoTuWeThFr0800-1800. This option configures the limit directive.
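As an added example (not WU-FTPD's or Webmin's own code), the following Python parses the time field of limit directives in the UUCP L.sys format described above and decides whether a class has room for one more login; it goes beyond the text by also accepting Wk for weekdays, alternatives separated by '|', and ranges that wrap past midnight. The sample directives and message paths are constructed, and "the first matching directive decides" is this example's assumption rather than something the page states.

```python
# Added example (not WU-FTPD or Webmin code): evaluate `limit` directives whose
# <times> field uses UUCP L.sys format; also accepts Wk, '|' and midnight wrap.
import re
from datetime import datetime

# Weekday index as returned by datetime.weekday(): Mo=0 ... Su=6.
_DAYSETS = {d: {i} for i, d in enumerate(["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"])}
_DAYSETS.update(Wk=set(range(5)), Any=set(range(7)))
_SPEC = re.compile(r"^((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Any)+)(\d{4}-\d{4})?$")

def parse_times(field):
    """Return [(weekday_set, start_hhmm, end_hhmm), ...], one per '|' alternative."""
    alternatives = []
    for spec in field.split("|"):
        m = _SPEC.match(spec)
        if not m:
            raise ValueError(f"bad L.sys time spec: {spec!r}")
        days = set().union(*(_DAYSETS[t] for t in re.findall(r"[A-Z][a-z]+", m.group(1))))
        rng = m.group(2) or "0000-2359"  # no range given: the whole day
        alternatives.append((days, int(rng[:4]), int(rng[5:])))
    return alternatives

def in_window(alternatives, when):
    """True if `when` (datetime or ISO string) falls inside any alternative."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    hhmm = when.hour * 100 + when.minute
    for days, start, end in alternatives:
        if when.weekday() not in days:  # the day test uses the moment checked
            continue
        if start <= end and start <= hhmm <= end:
            return True
        if start > end and (hhmm >= start or hhmm <= end):  # e.g. Fr2300-0600
            return True
    return False

def login_allowed(directives, user_class, current, when):
    """Given `limit <class> <n> <times> <message_file>` lines, is there room for
    one more user? The first directive matching class and window decides (this
    example's assumption; the ftpaccess man page is the authority)."""
    for line in directives:
        _, cls, n, times, _msg = line.split()  # ValueError if the line is malformed
        if cls == user_class and in_window(parse_times(times), when):
            return current < int(n)
    return True  # no limit applies at this time

# Constructed sample: 10 concurrent users in business hours, 30 at other times.
SAMPLE = ["limit all 10 MoTuWeThFr0800-1800 /etc/msgs/msg.toomany",
          "limit all 30 Any /etc/msgs/msg.toomany"]
```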

File and data transfer limits

This option provides access to the transfer limits features of WU-FTPD. It is possible to limit users' downloads based on files or data or both. You may also configure limits for outgoing and incoming transfers, and to which classes the limits should apply. This option configures the file-limit and data-limit directives.

Deny access to files and Allow access to files even if denied

If there are files in your directory tree that you do not wish to be retrievable by one or more classes of users, you may enter them here. The path may be relative to the FTP chroot, or it may be an absolute path (select which using the Relative to chroot option). This option correlates to the noretrieve directive. The Allow access to files even if denied option allows you to unselect files that would ordinarily be made inaccessible by the previous option. This option correlates to the allow-retrieve directive.

Anonymous session limit and Guest session limit

Anonymous users and guest users can be limited to the specified time. This option correlates to the limit-time directive.

Maximum login failures

This option allows you to define the number of failed login attempts to allow before a "too many login failures" message is presented to the user and the FTP connection is closed. This option configures the loginfails directive and defaults to 5.

Can switch groups?

If this option is turned on, a user may switch to a new group after login. The user will then have the privileges of the new group. This configures the private directive and defaults to off.

Networking

Here you configure a few of the networking-related options for WU-FTPD.

TCP window sizes

This option configures the window size of TCP packets for the data connection. This may be useful if clients are PPP dial-up users, as a smaller TCP window can provide faster transfers. Usually this does not need to be modified. This option correlates to the tcpwindow directive.

Addresses for PASV connections

Allows control of the address reported in response to a PASV command. This does not alter the address that the daemon listens on, only the address it reports to clients on a passive connection. This option configures the passive address directive.

Ports for PASV connections

Configures the port numbers which may be used for passive data connections. You may select port ranges for specific networks. When a control connection matches the network specified, a randomly selected port from the range provided will be used for the daemon to listen on. This feature allows firewalls that limit open ports to be used while still providing FTP services. This option corresponds to the passive ports directive.

Logging

Here you configure the logging behavior of WU-FTPD (Figure 9.4, “Logging”). Logging for this daemon is quite simple, and doesn't present nearly the options of servers like Apache or BIND. Nonetheless, it is possible to gather a large amount of useful information from your FTP daemon.

Figure 9.4. Logging

Log all commands for

Selecting one or more types of users here will provide a log of every single command executed by a user of the given type. This option configures the log commands directive.

Log transfers for

As above, you may select one or more types of users to log for. When enabled, this option will log every file transfer made by any user of a given type. This option configures the log transfers directive.

Log transfers to

This option sets where transfer logs will be stored. If System log, transfers will be logged via the syslog daemon to the standard system log (configured by your syslog configuration). If XFER log, transfers will be logged to a separate transfer log file. This option configures the log syslog directive.

Log security violations for

It is possible to configure your server to log attempts by users of a given type to perform actions which are denied by the server. This option configures the log security directive.

Aliases and Paths

This page allows you to configure aliases that the FTP daemon will use when a client issues a cd command. If an alias is defined, in the CD directory aliases section, the Alias name is the directory name that the client can enter, while the Alias to directory field defines the directory the client will be switched to. So, for example, if the Alias name is bin and the Alias to directory is /home/ftp/pub/usr/local/bin, then when the client enters cd bin he will be directed to /home/ftp/pub/usr/local/bin.

Next comes the CD directory search path. With this option, you can configure any number of directories that can be in the search path. For example, if a client enters cd bin, and there is no bin directory in the current directory, then the server will check the directories in the search path. If the directory requested exists in one of those directories, the client will be directed there.

Anonymous FTP

WU-FTPD provides a number of capabilities for serving anonymous (i.e., non-authenticated) users. An anonymous user generally has very limited capabilities on the server, and is often unable to upload files, or modify any content on the server. This page provides access to many of the features related to anonymous users on your FTP server.

Anonymous FTP root directories

This option allows you to configure the root directory for anonymous users of a given class. So setting this to /home/ftp for the all class will cause the server to chroot to the directory specified for any anonymous user. The initial directory (somewhere above the chrooted directory) will then be the home directory indicated in /etc/passwd for the user ftp. The server will then Using this option, it becomes possible for local network users to be chrooted to a different directory than users from the Internet, for example. This option configures the anonymous-root directive.

Guest root directories

This option, much like the previous option, configures the chroot behavior of the server. In this case, however, it configures for guest users who have logged in with a valid user name and password. So, it is possible to set the chroot environment to /home, causing users to be unable to traverse the directory tree below that point. The initial working directory, unless otherwise specified, will be the user's home directory specified in /etc/passwd. This option configures the guest-root directive.

Unix groups for anonymous users

Here you may configure the default UNIX group whose permissions will apply to anonymous users of a given class. This option configures the autogroup directive.

Anonymous FTP password check

The server always performs a user name and password authentication check, before permitting access. The convention is to accept a blank user name, and the valid email address of the user. Here you can configure how strict the checking of the given email address is, and whether to issue a warning, but still allow the login, or deny access, if the email address is invalid for some reason. This option configures the passwd-check directive.

Anonymous FTP passwords to deny

If you wish to be more stringent about disallowing generated passwords, such as those presented by some web browsers, you may enter those addresses here. This will not prevent browser client users from accessing your server, it will merely force them to configure their browser to provide a legitimate email address. This option configures the deny-email directive.

Permissions

This page allows you to configure the permissions that users of each type will have for given classes. You may create any number of permissions rules.

Command restrictions

This section creates a number of different types of rules to regulate the various commands that a user may be able to perform on your server. The Command options are chmod, delete, overwrite, rename, and umask, which match the directive names. You may choose a user type, and a class for each rule.

Disallowed upload filenames

Here you may specify regular expressions to match filenames that may not be uploaded by a specified type or list of types and classes. The option also allows you to specify the path to a message file to be displayed if an upload is disallowed by the rule. By default, the message is located in /etc/pathmsg, and the server will revert to this if the path you provide is invalid. This option corresponds to the path-filter directive.

Miscellaneous Options

This page provides access to a few of the configuration options that don't quite fit anywhere else. You are unlikely to need to alter any of these settings from their defaults.

Long listing command, Short listing command, and Plain listing command

Defines the command to be used for each of the types of file listing that a user may specify. The defaults are usually sane, and should only be modified if necessary. These options correlate to the lslong, lsshort, and lsplain directives.

Shutdown notification file

Here you configure the path to the message that the server will display prior to shutting down. This option correlates to the shutdown directive and usually defaults to /etc/shutmsg.

Service process nice level

This sets the niceness level for the FTP daemon process. This may be set per class of user, or for all classes. This option correlates to the nice directive.

Default umask for uploaded files

This option defines the umask that is applied to uploaded files by users of the given class. This option correlates to the defumask directive.
