Configuring Anonymous FTP in Linux

 

To configure anonymous FTP on Linux, you may want to install the anonftp package. Other ftp packages, such as proftpd and wu-ftpd, also provide configuration files that allow anonymous ftp.

 

Run the following command to check if your Linux system has already installed the anonftp package.

 

# rpm -qa | grep anonftp

 

The command does not return any results, indicating that the anonftp package has not been installed.

 

 

Installing the Anonymous FTP Package

 

You can install the package from the installation CD.

 

Pop in the CD and use the Software Manager (in Mandrake Linux 8.0) to search and install the anonftp package.

 

If you are installing by command line, go to the directory on the CD that has the rpm package and type:

 

# cd /mnt/cdrom/Mandrake/RPMS

 

and then run the following command:

 

# rpm -ivh anonftp-3.0-17mdk.i586.rpm

 

error: failed dependencies:

wu-ftpd is needed by anonftp-3.0-17mdk

anonftp conflicts with proftpd-1.2.2-0.rc1.3mdk9

 

From the above results, the rpm installer reports that the proftpd package needs to be removed and that the wu-ftpd package needs to be installed.

 

I tried to install wu-ftpd without removing the proftpd package and it gave me an error message. So I will remove the proftpd package.

 

# rpm -e proftpd-1.2.2-0.rc1.3mdk

 

To verify that the proftpd package is removed, type

 

# whereis proftpd

proftpd:

 

You can also check via the Software Manager to see that the package has been removed.

 

Proceed with installation of the wu-ftpd package.

 

# rpm -ivh wu-ftpd-2.6.1-10mdk.i586.rpm

wu-ftpd ##################################################

 

Next, install the anonftp package.

 

# rpm -ivh anonftp-3.0-17mdk.i586.rpm

anonftp ##################################################

 

 

To verify that the anonftp and wu-ftpd packages have been installed, type

 

# rpm -qa | grep ftp

ftp-0.17-4mdk

lftp-2.3.8-2mdk

wu-ftpd-2.6.1-10mdk

gftp-2.0.7b-2mdk

anonftp-3.0-17mdk

 

For your information, the anonftp package is installed on the host venus. Host mercury, on the other hand, does not have the anonftp package and has the proftpd package instead.

 

 

On host mercury

 

ftp to host venus

 

ftp venus

Connected to venus.localdomain.

220 venus.localdomain FTP server (Version wu-2.6.1(1) Wed Feb 21 12:30:49 CET 2001) ready.

Name (venus:root):

 

Enter anonymous

 

Name (venus:root): anonymous

331 Guest login ok, send your complete e-mail address as password.

Password:

 

You will be prompted for a password. You can enter your e-mail address or even a bogus e-mail address.

 

230 Guest login ok, access restrictions apply.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp>

 

Yes, the anonymous login is successful. From this prompt, you can execute ftp commands.

 

ftp> ls

200 PORT command successful.

150 Opening ASCII mode data connection for directory listing.

total 32

d--x--x--x 2 root root 4096 Dec 31 16:33 bin

d--x--x--x 2 root root 4096 Dec 31 16:33 etc

drwxr-xr-x 2 root root 4096 Dec 31 16:33 lib

drwxr-xr-x 2 root 50 4096 Mar 10 16:41 pub

26 Transfer complete.

 

Now let's try to ftp to host mercury from host venus. Remember, host mercury disallows anonymous ftp login.

 

 

On host venus

 

# ftp mercury

Connected to mercury.localdomain.

220 ProFTPD 1.2.2rc1 Server (ProFTPD Default Installation) [mercury.localdomain]

Name (mercury:root): anonymous

331 Password required for anonymous.

Password:

530 Login incorrect.

Login failed.

 

The anonymous ftp login failed.

 

 

The basic process for anonymous account setup includes the following:

 

1. Create the ftp login in the /etc/passwd and /etc/shadow files

 

Observation

# more /etc/passwd | grep ftp

ftp:x:14:50:FTP User:/var/ftp

 

The ftp user was created by default during the installation of Linux; the ftp user exists even when other ftp packages are used.

 

 

2. Make sure the ftp account name does not appear in the /etc/ftpusers file.

 

Observation

 

# more /etc/ftpusers

root

bin

daemon

adm

lp

sync

shutdown

halt

mail

news

uucp

operator

games

nobody

 

3. Set up the required FTP environment.

 

4. Test the account.

 

Note

The anonymous account is inherently dangerous and should be avoided when possible.

 

 

Log ftp Activity

 

When an ftp login takes place, the following message is recorded in the /var/log/syslog file:

 

Mar 21 16:28:32 venus ftpd[2445]: ANONYMOUS FTP LOGIN FROM venus.localdomain [169.254.34.253], isa@yahoo.com

 

When an ftp session ends, the following message is recorded:

 

Mar 21 16:30:08 venus ftpd[2445]: FTP session closed

 

Anonymous FTP Using proftpd

 

The FTP User Account: anonymous

 

To allow anonymous FTP access to your system by other users, you must have a user account named ftp.

 

# more /etc/passwd | grep ftp

ftp:x:14:50:FTP User:/var/ftp

 

The x in the password field blocks the account, which prevents any other user from gaining access to it. When the FTP user logs in to your system, they are placed in the /var/ftp directory. If a home directory has not been created, create one and change the ownership to the FTP user.

 

Creating New FTP Users

 

You may want to create a new FTP user when you are creating virtual FTP hosts. For example, to create an FTP server for a host named venus1-ftp, you would type:

 

# useradd -d /var/venus1-ftp venus1-ftp

 

 

To check the new ftp account in the /etc/passwd file, type:

 

# more /etc/passwd | grep venus1-ftp

venus1-ftp:x:507:511::/var/venus1-ftp:/bin/bash

 

 

To check if the directory /var/venus1-ftp has been created, type:

 

# ls -ld /var/venus1-ftp/

drwx------ 3 venus1-f venus1-f 4096 Apr 3 10:48 /var/venus1-ftp

 

Yes, the home directory has been created. If not, you will have to create the directory and set its permissions. To set its permissions to give restricted access, type:

 

# chmod 755 /var/venus1-ftp/

 

 

Check that the permissions have been changed, as shown below.

 

# ls -ld /var/venus1-ftp/

drwxr-xr-x 3 venus1-f venus1-f 4096 Apr 3 10:48 /var/venus1-ftp/

 

 

You will also need to make sure that the root user owns the directory, not the FTP user. This gives control to the root user and not to any user that logs in. To change the owner to the root user, type:

 

# chown root.root /var/venus1-ftp

 

 

Check that the changes to the owners have been made.

 

# ls -ld /var/venus1-ftp/

drwxr-xr-x 3 root root 4096 Apr 3 10:48 /var/venus1-ftp/

 

Yes, the root user now owns the ftp home directory.
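As an added example (not part of the original post), the following shell script audits an anonymous-ftp account against steps 1 to 3 of the setup process above and the ownership and permission checks just performed for venus1-ftp. The function name check_anon_ftp and the scratch files the demo builds in a temporary directory are my own; the expected owner is a parameter because the demo cannot chown to root.

```shell
#!/bin/sh
# Added example, not from the original post: audit an anonymous-ftp account
# (account present in passwd, absent from the ftpusers deny list, home
# directory owned by root with mode 755). File paths and the expected owner
# are parameters so the check can run against copies, as the demo below does.
#   usage: check_anon_ftp USER PASSWD_FILE FTPUSERS_FILE [EXPECTED_OWNER]
check_anon_ftp() {
    user=$1; passwd=$2; ftpusers=$3; want_owner=${4:-root}; rc=0
    # step 1: the account must exist; its home directory is passwd field 6
    entry=$(grep "^${user}:" "$passwd") || { echo "FAIL: no $user in $passwd"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    echo "OK:   $user found, home=$home"
    # step 2: /etc/ftpusers is a deny list, so the account must NOT be in it
    if grep -qx "$user" "$ftpusers"; then
        echo "FAIL: $user is listed in $ftpusers, ftpd will refuse the login"; rc=1
    else
        echo "OK:   $user not in $ftpusers"
    fi
    # step 3: home directory exists, is owned by root (not the ftp user) and
    # is drwxr-xr-x, so an anonymous client cannot write at the top level
    [ -d "$home" ] || { echo "FAIL: home directory $home does not exist"; return 1; }
    set -- $(ls -ld "$home")        # fields: perms links owner group ...
    perms=$1; owner=$3
    if [ "$owner" = "$want_owner" ]; then
        echo "OK:   $home owned by $owner"
    else
        echo "FAIL: $home owned by $owner, expected $want_owner"; rc=1
    fi
    case $perms in
        drwxr-xr-x*) echo "OK:   $home is drwxr-xr-x" ;;
        *) echo "FAIL: $home has mode $perms, expected drwxr-xr-x (755)"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo input (a scratch copy, not the real /etc files): the ftp
# account from the post, a short ftpusers deny list, and a 755 home directory.
# The expected owner is the current user because the demo cannot chown to root.
demo=$(mktemp -d)
mkdir "$demo/ftp" && chmod 755 "$demo/ftp"
printf 'ftp:x:14:50:FTP User:%s/ftp\n' "$demo" > "$demo/passwd"
printf 'root\nbin\ndaemon\nnobody\n' > "$demo/ftpusers"
check_anon_ftp ftp "$demo/passwd" "$demo/ftpusers" "$(id -un)"
rm -rf "$demo"
```

Run it against the real files with `check_anon_ftp venus1-ftp /etc/passwd /etc/ftpusers` once the chown and chmod above have been done; a non-zero exit means at least one check failed.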

 

Checking the FTP Service

 

To check if the FTP service is running, type:

 

# ps -ef|grep proftp

nobody 1529 1 0 10:30 ? 00:00:00 proftpd (accepting connections)

nobody 2063 1529 0 11:04 ? 00:00:00 proftpd: connected: mercury.loca

root 2075 1880 0 11:06 pts/1 00:00:00 grep proftp

 

To check the ftp package that is installed, type:

 

# rpm -q proftpd

proftpd-1.2.2-0.rc1.3mdk

 

 

To read more about the proftpd package, type:

 

[root@venus log]# rpm -qi proftpd

Name : proftpd Relocations: (not relocateable)

Version : 1.2.2 Vendor: MandrakeSoft

Release : 0.rc1.3mdk Build Date: Sun 08 Apr 2001 03:54:02 PM SGT

Install date: Wed 28 Mar 2007 10:51:05 AM SGT Build Host: bi.mandrakesoft.com

Group : System/Servers Source RPM: proftpd-1.2.2-0.rc1.3mdk.src.rpm

Size : 1262867 License: GPL

Packager : Linux-Mandrake Team <bugs@linux-mandrake.com>

URL : http://www.proftpd.org/

Summary : ProFTPd — Professional FTP Server.

Description :

ProFTPd is an enhanced FTP server with a focus toward simplicity, security,

and ease of configuration. It features a very Apache-like configuration

syntax, and a highly customizable server infrastructure, including support for

multiple ‘virtual’ FTP servers, anonymous FTP, and permission-based directory

visibility.

 

This version supports both standalone and xinetd operation.

 

 

If you want to list the configuration files and executables that were installed by the proftpd package, use the rpm command with the -ql option as shown below.

 

# rpm -ql proftpd

/etc/ftpusers

/etc/logrotate.d/proftpd

/etc/pam.d/ftp

/etc/proftpd.conf

/etc/rc.d/init.d/proftpd

/usr/bin/ftpcount

/usr/bin/ftpwho

/usr/sbin/ftpshut

/usr/sbin/genuser.pl

/usr/sbin/in.ftpd

/usr/sbin/in.proftpd

/usr/sbin/proftpd

/var/ftp

/var/ftp/pub

/var/log/proftpd

/var/run/proftpd

 

output truncated for clarity

 

 

Now let's edit the /etc/proftpd.conf file to allow anonymous ftp. But before that, make a copy of the configuration file as shown below.

 

# cd /etc

# cp -p proftpd.conf proftpd.conf.bkp

 

A sample of the Anonymous FTP configuration

 

This sample, which allows anonymous ftp in proftpd, is taken from the file /usr/share/doc/proftpd-1.2.2/anonymous.conf:

 

# Our "basic" anonymous configuration, including a single
# upload directory ("uploads")
<Anonymous ~ftp>
  # Allow logins if they are disabled above.
  <Limit LOGIN>
    AllowAll
  </Limit>
  # Maximum clients with message
  MaxClients 5 "Sorry, max %m users -- try again later"
  User ftp
  Group ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
  # An upload directory that allows storing files but not retrieving
  # or creating directories.
  <Directory uploads/*>
    <Limit READ>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>

 

Copy and paste this sample into the /etc/proftpd.conf file, then save and quit. Remember that you will need to restart the proftpd daemon every time you edit /etc/proftpd.conf. To restart the proftpd daemon, type:

 

# cd /etc/init.d

[root@venus init.d]# ./proftpd restart

 

 

On remote host, mercury, type:

 

# ftp venus

Connected to venus.localdomain.

220 ProFTPD 1.2.2rc1 Server (ProFTPD Default Installation) [venus.localdomain]

Name (venus:root): ftp

331 Anonymous login ok, send your complete email address as your password.

Password:

230 Anonymous access granted, restrictions apply.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 “/” is current directory.

ftp> ls

200 PORT command successful.

150 Opening ASCII mode data connection for file list.

drwxr-xr-x 2 ftp ftp 4096 Apr 3 04:12 pub

226-Transfer complete.

226 Quotas off

 

 

On host, venus:

 

The /var/log/secure file shows the successful anonymous login from host mercury to host venus using the username ftp:

 

Apr 3 12:16:06 venus proftpd[2566]: venus.localdomain (mercury.localdomain[169.254.34.254]) - ANON ftp: Login successful.

 

Try ftp again from the remote host mercury to host venus. This time use the username anonymous instead of ftp. This shows that the alias configured in the proftpd configuration file (/etc/proftpd.conf) works.

 

 

On remote host, mercury, type:

 

# ftp venus

Connected to venus.localdomain.

220 ProFTPD 1.2.2rc1 Server (ProFTPD Default Installation) [venus.localdomain]

Name (venus:root): anonymous

331 Anonymous login ok, send your complete email address as your password.

Password:

230 Anonymous access granted, restrictions apply.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

200 PORT command successful.

150 Opening ASCII mode data connection for file list.

drwxr-xr-x 2 ftp ftp 4096 Apr 3 04:12 pub

226-Transfer complete.

226 Quotas off

ftp>

 

 

On host, venus:

 

The /var/log/secure file shows the successful anonymous login from host mercury to host venus using the username anonymous:

 

Apr 3 12:18:33 venus proftpd[2567]: venus.localdomain (mercury.localdomain[169.254.34.254]) - ANON anonymous: Login successful.

 

Hence the alias configured for anonymous ftp login works. This means that we can use either the ftp or the anonymous username.

 

Explanation of how anonymous ftp works for the usernames ftp and anonymous

 

Anonymous ftp for the username ftp works because of the directive that reads:

 

<Anonymous ~ftp>

 

Here ~ftp refers to the home directory of the ftp user, which is /home/ftp. For a user named, say, ultraman, the directive would be written as <Anonymous /home/ultraman>.

 

The next two lines are also important:

 

User ftp

Group ftp

 

We have also tested that a user can ftp using the alias anonymous instead of the username ftp. This is possible because of the following lines:

 

# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp

 

 

Creating a New ftp User for Anonymous FTP Logins

 

This section describes in detail how to create an ftp user, venus1-ftp, for anonymous ftp logins.

 

On the ftp server, venus

 

The /etc/proftpd.conf file has been edited to include the following statements:

 

# Our "basic" anonymous configuration, including a single
# upload directory ("uploads")
<Anonymous ~venus1-ftp>
  # Allow logins if they are disabled above.
  <Limit LOGIN>
    AllowAll
  </Limit>
  # Maximum clients with message
  MaxClients 5 "Sorry, max %m users -- try again later"
  User venus1-ftp
  Group venus1-ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
  # An upload directory that allows storing files but not retrieving
  # or creating directories.
  <Directory uploads/*>
    <Limit READ>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>

 

Note: From the above sample, I have edited the 3rd line to read <Anonymous ~venus1-ftp> instead of the default <Anonymous ~ftp>.

 

I also notice that I am unable to use the usernames ftp or anonymous since I made the above change.

 

 

So the trick to allow anonymous ftp for your newly created ftp user is the statement,

<Anonymous ~venus1-ftp>

 

Another important parameter is the following:

 

User venus1-ftp

Group venus1-ftp

 

The User and Group entries must refer to the account for which we want to enable anonymous ftp, in this case the user venus1-ftp.

 

Note

If you want to enable anonymous access, you need to add an <Anonymous> directive block similar to this one:

 

<Anonymous /var/ftp>
  User ftp
  Group ftp
  RequireValidShell off
  UserAlias anonymous ftp
</Anonymous>

 

The above shows that the system is configured to accept anonymous logins using the ftp account and to run as the user and group ftp. The RequireValidShell off line is necessary if the /etc/passwd entry for the ftp user specifies a shell that is not listed in /etc/shells. If the /etc/ftpusers file includes the ftp user, you may need to remove that entry from the ftpusers file.

 

 

The /var/log/secure log file shows this:

 

Apr 3 14:02:42 venus proftpd[3802]: venus.localdomain (mercury.localdomain[169.254.34.254]) - ANON venus1-ftp: Login successful login
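As an added example (not part of the original post), the following shell function pulls the successful anonymous logins out of both log formats shown on this page, the wu-ftpd "ANONYMOUS FTP LOGIN" line from /var/log/syslog in the Log ftp Activity section and the ProFTPD "ANON ...: Login successful" lines from /var/log/secure above, and counts them per client address. The function names and the constructed sample log are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Extracts successful anonymous
# FTP logins from the two log formats on this page into one record per line:
#   <month> <day> <time> <daemon> <client-ip> <login-name> <password-string>
# wu-ftpd does not record which alias was used, so its login name is printed
# as "anonymous"; the password string is whatever the client typed (untrusted
# free text, useful only for triage) and is "-" when the daemon did not log it.
anon_ftp_logins() {
    awk '
    # wu-ftpd (syslog): "... ftpd[PID]: ANONYMOUS FTP LOGIN FROM host [ip], password"
    / ftpd\[[0-9]+\]: ANONYMOUS FTP LOGIN FROM / {
        ip = $0;  sub(/.*\[/, "", ip);  sub(/\].*/, "", ip)
        who = $0; sub(/.*\], /, "", who)
        print $1, $2, $3, "wu-ftpd", ip, "anonymous", who; next
    }
    # proftpd (secure): "... proftpd[PID]: server (client[ip]) - ANON name: Login successful"
    # (the separator before ANON is not relied on, so a mangled dash still matches)
    / proftpd\[[0-9]+\]: .* ANON [^:]+: Login successful/ {
        ip = $0;  sub(/.*\[/, "", ip);  sub(/\].*/, "", ip)
        who = $0; sub(/.* ANON /, "", who); sub(/: Login successful.*/, "", who)
        print $1, $2, $3, "proftpd", ip, who, "-"; next
    }' "$1"
}

# Logins per client address, sorted: a quick "who is using anonymous ftp" view.
anon_ftp_login_counts() {
    anon_ftp_logins "$1" | awk '{ n[$5]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Constructed sample mixing both formats (addresses and names taken from the
# post's own excerpts); the "session closed" line must be ignored.
SAMPLE_LOG='Mar 21 16:28:32 venus ftpd[2445]: ANONYMOUS FTP LOGIN FROM venus.localdomain [169.254.34.253], isa@yahoo.com
Mar 21 16:30:08 venus ftpd[2445]: FTP session closed
Apr  3 12:16:06 venus proftpd[2566]: venus.localdomain (mercury.localdomain[169.254.34.254]) - ANON ftp: Login successful.
Apr  3 12:18:33 venus proftpd[2567]: venus.localdomain (mercury.localdomain[169.254.34.254]) - ANON anonymous: Login successful.'

demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
anon_ftp_logins "$demo_log"
anon_ftp_login_counts "$demo_log"
rm -f "$demo_log"
```

On the server itself, `anon_ftp_logins /var/log/secure` (ProFTPD) or `anon_ftp_logins /var/log/syslog` (wu-ftpd) gives the same view of real traffic.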

 

 

 

Allowing Only Anonymous Access

 

To allow only the ftp user or anonymous access to your FTP server, you need to use the <Limit LOGIN> directive. Globally, you set the Limit directive to the following:

 

<Limit LOGIN>

DenyAll

</Limit>

 

 

This directive tells the FTP server not to allow any logins for normal users. Under the <Anonymous> directive, you need to override the global <Limit LOGIN> directive as follows:

 

<Anonymous ~ftp>
  <Limit LOGIN>
    AllowAll
  </Limit>
</Anonymous>

 

Allowing Only Users to Log In

 

Allowing only users is just the opposite logic from the above example: set the <Limit LOGIN> directive to DenyAll in the <Anonymous> directive block.

 

After making these changes, test the server and verify that normal users indeed cannot log into the system and only the anonymous user is allowed.

 

Adding FTP to xinetd

 

To have ProFTPD run under xinetd, add a file in /etc/xinetd.d/ that describes what service to start for FTP. The following is an example xinetd configuration file, /etc/xinetd.d/ftp:

 

service ftp
{
    flags       = REUSE
    socket_type = stream
    instances   = 50
    wait        = no
    user        = root
    # the daemon binary; use the path reported by rpm -ql proftpd
    # (/usr/sbin/proftpd on the Mandrake install shown above)
    server      = /usr/local/sbin/proftpd
    bind        = 192.168.1.101
}

 

The bind IP address should be an address that exists on your server. ProFTPD itself must also be told that it is started by a superserver: set ServerType inetd in /etc/proftpd.conf, because with the default ServerType standalone the daemon expects to listen on the port itself.

 

After you have made your configuration changes and configured xinetd, you need to restart xinetd so it will listen for FTP requests. This is done by typing:

 

# /etc/init.d/xinetd restart

 

 

This entry was posted in ftp, mandrake8, superserver, xinetd.