Basic FTP Server Configuration
Once you've installed an FTP server package, you'll want to get it running. As
a general rule, distributions that use WU-FTPD run it from a super server,
while those that use ProFTPd run it from a SysV startup script. You can change
these options if you like, though. On most distributions, getting the server to
run is the only configuration option to which you must attend for basic
functionality, because the default configurations work well for many purposes.
Specifically, the default configuration allows users with accounts on the
system to log in and transfer files to and from their home directories. You may
need to alter these configurations if you want to have FTP serve some other
role, or if you want to adjust configuration defaults. One common FTP server
configuration, anonymous FTP, is covered in the upcoming section, "Setting Up
an Anonymous FTP Server." The default configuration often at least comes close
to handling this role.
Running the FTP Server

Consult Chapter 4, Starting Servers, for detailed information about running
servers from a super server, SysV startup scripts, and local startup scripts.
If you're using an FTP server package that shipped with your distribution,
chances are you'll need to make few or no changes to get the server to run.
There are a few caveats you should consider, though:

- Some distributions that use inetd ship with an /etc/inetd.conf file that
  includes separate entries for the different FTP servers. You may be able to
  install multiple FTP servers and switch between them by commenting out the
  inetd.conf entry for the server you don't want to use and restarting inetd.
  If you install only one FTP server, you must be sure to uncomment only the
  entry for the appropriate server. If you uncomment the wrong entry, your FTP
  server won't work.

- Most distributions that use xinetd include a file in /etc/xinetd.d to start
  the FTP server. This file is part of the FTP server package. This file
  probably includes a line that reads disable = yes, which has the effect of
  disabling the FTP server configuration. This entry exists as a security
  measure; it forces you to actively change the entry to read disable = no in
  order to run the FTP server. (You must also restart xinetd to have this
  change take effect.)

- Whether run from inetd or xinetd, FTP servers can accept parameters. The
  standard configuration files include appropriate parameters for typical
  installations using the FTP servers that ship with the distribution. If you
  want to use a different FTP server, you may need to adjust the parameters
  that are passed to the server, as well as the server's filename, in your
  super server configuration file.

If your FTP site is extremely popular, you might want to run your FTP server
via a SysV or local startup script. Doing so will produce slightly quicker
responses to incoming FTP requests, but FTP servers are small enough that this
effect is fairly minimal. A few installations, such as Debian's and Mandrake's
ProFTPd installations, run in this way by default, perhaps because ProFTPd most
easily supports anonymous FTP when it's run as a standalone server.

Before proceeding with further configuration, you may want to check that the
FTP server is working for conventional authenticated logins (that is, using a
username/password pair). At the very least, the server should respond with some
sort of login prompt when you try to use an FTP client from a remote host. For
instance, consider the following exchange, using the basic Linux ftp program:

    $ ftp harding.threeroomco.com
    ftp: connect: Connection refused

This indicates that the FTP server isn't running at all. If you get this
response, you should check your system log files for clues about why the server
isn't running. If you just installed the server, you must remember to start it
running or restart your super server. Once you've gotten a response out of the
server, you can continue to fine-tune its configuration.
WU-FTPD Configuration
Configuring WU-FTPD requires editing one or
more of several configuration files. Using these files, you can control who may
access the FTP server and what users can do with the server. Some files also
set up special options that permit WU-FTPD to process files or execute advanced
commands for users.
WU-FTPD Configuration Files

Most distributions that use WU-FTPD place its configuration files directly in
/etc. There are several WU-FTPD configuration files, and their names all begin
with ftp:

ftpaccess
This is the most complex WU-FTPD configuration file, and is described in more
detail shortly. It's used to set logging options, permissions used by anonymous
access, low-level TCP/IP options, and so on.

ftpconversions
One of the features you can activate in ftpaccess is the ability to
automatically compress files or archive directories prior to transmission to
the client. To use this feature, you must define file types to be archived or
compressed in this file.

ftphosts
You can limit the hosts and even users who may access your FTP server by using
this file. Lines that begin with allow explicitly allow the specified hosts,
and those that begin with deny explicitly deny the specified hosts. For
instance, deny sjones prevents the user called sjones from using FTP, and
deny badsite.pangaea.edu prevents all users from badsite.pangaea.edu from
logging in.

ftpusers
This file contains a list of local users who aren't allowed to use the WU-FTPD
server. This file operates through the Pluggable Authentication Module (PAM)
system; it's technically not part of WU-FTPD. Nonetheless, it can be a useful
way to protect your FTP server from abuse. The default version of this file
contains various system account names, such as root, nobody, and daemon. You
can add more such account names if you need to create them for other servers
or for special purposes.

ftpservers
Normally, WU-FTPD presents the same options to all clients. You can use this
file to specify an entirely separate configuration for specified hosts, though.
Each line in this file is an IP address, hostname, or domain name followed by a
directory name. WU-FTPD then looks to the specified directory for the normal
FTP configuration files if a connection request comes from the specified
client. For instance, 192.168.21.8 /etc/ftpd/trusted causes WU-FTPD to look in
/etc/ftpd/trusted for other configuration files if 192.168.21.8 makes a
connection. Thus, you might create a default configuration with tight controls
on who may use the system, but loosen those restrictions for specified clients,
such as those on your local network.

Each of these files can be important in implementing particular FTP server
configurations. The most important file for most options is ftpaccess, but
ftphosts, ftpusers, and ftpservers can be useful in securing your server. If
you want WU-FTPD to process files it transfers, ftpconversions is the one to
modify, possibly in conjunction with ftpaccess.
Common WU-FTPD Configuration Options

Many WU-FTPD configuration options are built around the concept of a user
class. This is a logical grouping of users, similar in some ways to a Linux
group. WU-FTPD classes are defined in terms of the source IP address or
hostname of the client, though. You set up a class in ftpaccess by using the
class option, which takes the following form:

    class classname typelist addresslist

The components of this definition are as follows:

classname
This is a name for the class. The default configuration for many distributions
defines a class called all, but you can change or expand upon this definition.

typelist
This is a comma-separated list of the types of local accounts or access types
to which the class applies: real for local user accounts, guest for guest
accounts, and anonymous for anonymous accounts.

addresslist
This is a list of IP addresses, hostnames, or domain names that belong to the
class. Preceding an entry with an exclamation mark (!) causes that entry to not
be included in the list. An asterisk (*) stands for all clients. If you include
multiple entries, they're combined with a logical OR operation. For instance,
threeroomco.com, pangaea.edu creates a class for clients in either domain.

The standard ftpaccess file includes a definition similar to the following:

    class all real,guest,anonymous *

This entry sets up a default generic class that applies to all types of access
and assigns all callers to this class. To fine-tune your configuration, you
might create multiple classes, such as one for local users and one for remote
users. Even if the class entries are identical except for the addresslist, you
can use them differently in subsequent options. Some of these additional
options include the following:

deny addresslist messagefile
This option tells WU-FTPD to deny all access to the specified addresses. It's
similar to a deny specification in ftphosts, but you can specify a filename
that's to be sent to the host as a rejection notice so that users know why they
weren't allowed in.

autogroup groupname class [,class...]
You can have WU-FTPD perform a setgid operation to groupname if a member of a
specified class logs in. You might do this to allow anonymous members of the
class to read files for which groupname has read access, but for which world
read access doesn't exist.

defumask umask class [,class]
This option tells WU-FTPD to create files with the specified umask for members
of a specified class, when a user uploads a file.

timeout option seconds
You can set various timeout values with this option. The option value may be
accept, connect, data, idle, maxidle, or rfc931.

noretrieve [relative|absolute] [class=classname] filenames
This option tells WU-FTPD to disallow transfer of the specified filenames. If a
specified filename is actually a directory name, the entire directory is
restricted. You may optionally limit this option to a specified class. The
relative and absolute parameters refer to whether the file specifications are
interpreted as absolute (relative to the computer's true root directory) or
relative to a chroot environment, as described in Chapter 23, Configuring a
chroot Jail. By default, filenames beginning with a slash (/) are interpreted
as absolute. An example of this option might be noretrieve /etc /usr, which
prevents transfer of any files in the /etc or /usr directories.

TIP
You may want to use noretrieve to disallow access to /etc/passwd, /etc/shadow,
/etc/ftpaccess, core (in any directory), and any other sensitive site-specific
files.

allowretrieve [relative|absolute] [class=classname] filenames
This option is an explicit counter to noretrieve; it grants exceptions to a
noretrieve rule. Its syntax is identical to that of noretrieve.

message filename [when] [class]
This option lists a file to be displayed to the FTP client under certain
circumstances. Specifically, if when is login, the message is displayed as
soon as the user logs in. If when is cwd=dir, where dir is a particular
directory, then the message is displayed when the user moves into that
directory. You may optionally limit this message to certain classes of users
by adding the class name to the end of the option. As an example of this
option in use, consider message .message cwd=*. This causes WU-FTPD to send
the contents of the .message file in a directory whenever a user changes into
that directory. This allows you to create banner messages describing the
contents of particular directories, or the purpose of the FTP server as a
whole.

compress [yes|no] class [,class]
You can enable compression using this option. If a file exists and a user
requests a file of that name but with an extra filename extension that
indicates compression added (such as file.gz rather than file), then WU-FTPD
will compress the original file and send it to the user. The extensions that
indicate compression are specified in the ftpconversions file.

tar [yes|no] class [,class]
This option works much like compress, but it applies to creating tar files
from directories. You can use this feature to provide a simple way for users
to retrieve entire directories worth of files.

chmod, delete, overwrite, rename, and umask
These options all take yes or no followed by a typelist, as described earlier
with reference to class definition. (You can also use an existing class name.)
When specified, these options permit or deny use of the named FTP command by
the client. For instance, delete no guest,anonymous configures WU-FTPD to
forbid guest and anonymous users from deleting files.

dns refuse_mismatch filename
If a forward DNS lookup on the hostname obtained from a reverse DNS lookup on
the client's IP address doesn't match the original IP address, this option
causes WU-FTPD to deny the connection. First, though, it displays the specified
filename so that the user knows something is wrong.

dns refuse_no_reverse filename
This option causes WU-FTPD to refuse a connection if there's no reverse DNS
lookup on the client's IP address. WU-FTPD sends filename to the offender to
explain the refusal.

These are only a few of the most common and useful WU-FTPD options. Consult the
ftpaccess man page for more. The upcoming section, "WU-FTPD Anonymous
Options," describes some that are of particular interest if you want to set up
an anonymous FTP site.
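To see how the class addresslist rules and the noretrieve/allowretrieve options combine for a given client and request path, here is an added Python model of those rules. It is not WU-FTPD code; the ftpaccess fragment is constructed, and the first-matching-class rule and the treatment of request paths as already resolved inside any chroot are assumptions of the model.

```python
"""Model of WU-FTPD ftpaccess class matching and noretrieve/allowretrieve checks.

Added example, not WU-FTPD code. It follows the text: addresslist entries are IP
addresses, hostnames or domain names, '!' excludes, '*' matches everyone, entries
are OR'd, and the first matching class line wins (assumption). noretrieve entries
with a leading '/' cover everything below that directory; bare names such as
'core' cover that filename anywhere; allowretrieve entries are exceptions. Paths
are assumed already resolved inside any chroot (relative/absolute is skipped).
"""
import posixpath
from fnmatch import fnmatchcase
from typing import Optional

# Constructed ftpaccess fragment built from the options described above.
SAMPLE_FTPACCESS = """\
class local real,guest,anonymous 192.168.21.*,threeroomco.com
class remote real,anonymous *,!badsite.pangaea.edu
noretrieve /etc /usr core
noretrieve class=remote /home/admin
allowretrieve /etc/motd
"""


def entry_matches(entry: str, ip: str, hostname: str) -> bool:
    """One addresslist entry against a client's IP and reverse-resolved name."""
    if entry == "*":
        return True
    if fnmatchcase(ip, entry) or fnmatchcase(hostname, entry):
        return True  # exact address/hostname, or a wildcard such as 192.168.21.*
    return hostname.endswith("." + entry)  # bare domain name: any host inside it


def in_class(addresslist: str, ip: str, hostname: str) -> bool:
    """True if the client falls inside a class's addresslist (entries are OR'd)."""
    entries = [e.strip() for e in addresslist.split(",") if e.strip()]
    excluded = [e[1:] for e in entries if e.startswith("!")]
    included = [e for e in entries if not e.startswith("!")]
    if any(entry_matches(e, ip, hostname) for e in excluded):
        return False  # a matching '!' entry keeps the client out of the class
    return any(entry_matches(e, ip, hostname) for e in included)


def resolve_class(ftpaccess: str, ip: str, hostname: str, login_type: str) -> Optional[str]:
    """Name of the first 'class' line covering this client and login type, else None."""
    for line in ftpaccess.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "class":
            _, name, typelist, addresslist = parts
            if login_type in typelist.split(",") and in_class(addresslist, ip, hostname):
                return name
    return None


def path_covered(path: str, entry: str) -> bool:
    """Does one noretrieve/allowretrieve entry cover this normalized absolute path?"""
    if entry.startswith("/"):
        entry = entry.rstrip("/") or "/"
        return entry == "/" or path == entry or path.startswith(entry + "/")
    return posixpath.basename(path) == entry  # e.g. 'core' in any directory


def retrieve_allowed(ftpaccess: str, path: str, client_class: str) -> bool:
    """Apply noretrieve/allowretrieve lines to a RETR request from client_class."""
    # Normalize so that a request like /pub/../etc/passwd is judged as /etc/passwd.
    path = posixpath.normpath(posixpath.join("/", path))
    denied = allowed = False
    for line in ftpaccess.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("noretrieve", "allowretrieve"):
            continue
        opts = parts[1:]
        if opts and opts[0] in ("relative", "absolute"):
            opts = opts[1:]
        if opts and opts[0].startswith("class="):
            if opts[0][len("class="):] != client_class:
                continue  # this line is limited to a different class
            opts = opts[1:]
        hit = any(path_covered(path, e) for e in opts)
        if parts[0] == "noretrieve":
            denied = denied or hit
        else:
            allowed = allowed or hit
    return allowed or not denied
```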
ProFTPd Configuration
ProFTPd's configuration style is inspired by
that of Apache, so if you're familiar with Apache configuration, you'll find
many of ProFTPd's option names and the general configuration style quite
familiar.
ProFTPd Configuration Files

The main ProFTPd configuration file is proftpd.conf, and it's usually stored in
/etc. You set most ProFTPd options in this file. Some lines in this file are
comments, which begin with pound signs (#) and continue to the end of the line.
Most noncomment lines take the following form:

    Directive [Value]

A few directives accept multiple values as options. Some directives are grouped
together, as indicated by surrounding directives in angle brackets (<>), such
as the following grouping:

    <Limit WRITE>
      DenyAll
      Allow from 172.21.33.
    </Limit>

The closing directive for the group uses a slash (/) to indicate that it's the
end of that block of directives.

In addition to the main configuration file, ProFTPd uses the ftpusers file.
ProFTPd uses this file in the same way as WU-FTPD uses the file of the same
name. Specifically, ProFTPd blocks the usernames listed in the file from being
used as FTP login usernames. (More precisely, ProFTPd relies upon PAM for
authentication, and PAM uses ftpusers to determine who is not allowed access to
the FTP server.) Default ProFTPd installations generally include ftpusers files
that list common system usernames, such as nobody, daemon, and root. You should
probably add any system accounts you create for unusual servers to this list.
You can also enter ordinary usernames, if those users should not have FTP
access to the system.
Common ProFTPd Configuration Options

ProFTPd supports a wide range of configuration directives. These are detailed
in the official ProFTPd documentation, available at
http://www.proftpd.org/docs/. Chances are you don't need to use all of these
options, though.

First, it's necessary to know something of the different types of directives
that set up context blocks. Many directives apply only within certain context
blocks, so knowing what these blocks are can be extremely important. The most
common blocks are as follows:

<Anonymous dirname>
You can create an anonymous FTP site by using this directive, in which you
specify directives that apply to anonymous FTP access, distinct from normal
username/password access. Anonymous users will be able to access files only
within the specified dirname; ProFTPd does a chroot to this directory, as
described in Chapter 23.

<Directory dirname>
You specify a directory to which a set of directives will apply with this
option. As you might expect, dirname is the directory name. This name must
normally be specified in an absolute sense, that is, with a leading slash (/).
Default ProFTPd configuration files often include a block headed by
<Directory /*> to specify the default behavior for all directories.

<Global>
The <Global> directive block sets options that apply globally to the main
server configuration and all <VirtualHost> configurations.

<Limit command-group>
This option specifies a set of FTP client commands whose actions are to be
limited according to the directives that follow this option. The command-group
is a set of one or more FTP commands, such as CWD, CDUP, MKD, RNFR, RNTO, DELE,
RMD, RETR, and STOR. Special grouping commands include READ (all read
commands), WRITE (all writing commands), DIRS (all directory-related
commands), and ALL (all commands). You can also use LOGIN to limit login
access.

<VirtualHost address>
ProFTPd can apply different directives depending upon how it's addressed by
using this option. You can specify an address as an IP address or hostname,
and when ProFTPd answers calls to that address, it uses the directives included
within its block.

Most directives can be used within one or more of the preceding blocks, and
many can be used outside of any block as global options. If a directive appears
globally and within a directive block (or in two nesting locations within
nested blocks), the more nested instance overrides the more global instance
when the blocking condition applies. The more common and useful directives
include the following:

Allow [from] network-specifier
This directive is used within a <Limit> block to specify what clients may
access the resource in question. In particular, network-specifier is a
comma-delimited list of IP addresses, hostnames, domain names (preceded by a
period), IP blocks (followed by a period), or the keywords all or none. You may
include from after Allow, but its use is optional and purely cosmetic; it
doesn't affect the function of the directive.

TIP
If possible, use IP addresses or IP blocks rather than hostnames or domain
names. This reduces the FTP server's reliance upon the DNS server for this
security function, thus making it more difficult to break into the FTP server.

AllowAll
ProFTPd implicitly allows access to directories, but this behavior can be
overridden in various ways. You may use AllowAll in a <Directory>, <Limit>, or
<Anonymous> block to restore the default allowed access.

AllowGroup group-list
You can permit access to areas in a <Limit> block to particular groups with
this directive. The group-list is a comma-separated list of groups, and a user
must be a member of all the listed groups to pass this test. If a group name is
preceded by an exclamation mark (!), its sense is reversed, so you can allow
users who are not members of that group. This option is often used to override
a denying directive that would otherwise block access, such as DenyAll.

AllowOverwrite [on|off]
You can allow users to overwrite existing files with this directive. The
default is off, which denies overwriting rights.

AllowUser user-list
This directive allows you to override a denying directive in order to give a
specific user or set of users access to a resource that's been explicitly
denied to others. If a username is preceded by an exclamation mark (!), all
users except that one are permitted access.

DefaultRoot dirname [group-list]
You can tell ProFTPd to lock a user into a specified directory tree by
specifying its name with this option. The dirname must begin with either a
slash (/) for an absolute directory or a tilde (~) for the user's home
directory. You can have this directive apply to only some users by specifying
an appropriate group-list, which is like the list in AllowGroup.

TIP
You can prevent users from wandering into others' directories, or into system
directories, by including a DefaultRoot ~ directive as a global option. When so
configured, ProFTPd allows users to access only files within their home
directories.

DefaultTransferMode [ascii|binary]
FTP provides two common transfer modes. Binary transfers the file exactly
as-is, but ASCII provides for conversion between text file formats. Most
commonly, UNIX-, DOS-, and Macintosh-style end-of-line characters are converted
in an ASCII transfer. Although ASCII transfers can be convenient for text
files, they're disastrous for binary files, which are corrupted when
transferred using ASCII mode. ProFTPd lets you set the default transfer mode
with the DefaultTransferMode directive. This directive defaults to ascii.

Deny [from] network-specifier
This directive is the opposite of Allow; it blocks clients from accessing a
resource within a <Limit> block.

DenyAll
You can use this directive within a <Limit>, <Anonymous>, or <Directory> block
to deny all users access to the specified resource. You might want to follow
it with some specific allow options to loosen the restrictions for particular
users.

DenyGroup group-list
This directive allows you to specify a group that's to be denied access in a
<Limit> block. The group-list is defined the same way as in the AllowGroup
directive.

DenyUser user-list
This directive works like AllowUser, except that it blocks access to a
resource specified by <Limit>, rather than enabling access.

DisplayConnect filename
ProFTPd displays filename when the user connects, but before a logon is
complete, if you use this directive.

DisplayFirstChdir filename
This directive causes ProFTPd to display the contents of filename the first
time a user moves into a directory. This often defaults to .message, which
causes the .message file in the target directory to be displayed to users.

DisplayLogin filename
This directive is much like DisplayConnect, but its message appears after a
user has successfully logged in.

Group groupid
When run as a standalone server, ProFTPd starts up as root, but changes
identity as quickly as possible to minimize the security risk of a server
running as root. You set the group to which it changes with this directive.
Many default configurations set the group to nogroup, ftp, or some other
low-privilege group.

MaxClients number|none
You can limit the number of clients that may log in with this directive. If
you specify a number (such as 30), that's the limit; none is a code that
disables this feature.

MaxInstances number
This directive is similar to MaxClients in that both limit the number of
connections ProFTPd accepts. MaxInstances, though, counts connections rather
than successful logins, as MaxClients does. MaxInstances is ineffective if you
launch ProFTPd from a super server, but super servers provide similar
functionality themselves.

Order allow,deny|deny,allow
When both allow and deny directives appear in a <Limit> block, ProFTPd checks
all allow directives, then all deny directives by default. The result is that
the allow directives take precedence, and any access that's not explicitly
denied is allowed. You can use Order deny,allow to change this ordering,
giving deny directives precedence and making denial the default behavior.

RootLogin on|off
By default, ProFTPd denies access to root as a security measure. You can
change this behavior by setting RootLogin on. (You may also need to adjust
other features, such as removing root from /etc/ftpusers.)

ServerIdent on|off ["ident-string"]
This directive tells ProFTPd whether to identify itself when users connect. If
set to on, you can specify an identification string. The default configuration
usually identifies the server as being ProFTPd, which may be more information
than you care to make readily available, so changing this string is advisable.

ServerName "ident-string"
This directive sets part of the name used by the default ServerIdent
directive. You can override both with ServerIdent alone, but if you want to
make a more modest change, you can alter ServerName alone.

ServerType inetd|standalone
You must set this directive correctly for your configuration. If you run
ProFTPd through a super server, set ServerType to inetd; if you run the server
from a SysV or local startup script, use standalone. This tells ProFTPd whether
to expect to be run as an ordinary user and service requests directly (inetd)
or to be run as root, spawning processes to handle specific connections
(standalone).

SyslogLevel emerg|alert|crit|error|warn|notice|info|debug
This directive sets the verbosity of ProFTPd's logging information. emerg is
least verbose, debug is most verbose, and the others fall in between.

TransferLog filename|NONE
You can specify a log file to hold information on file transfers, or disable
this feature by specifying NONE. You can set this option to create multiple
log files for different purposes by using it independently in <Anonymous>,
<VirtualHost>, <Global>, and the general (ungrouped) configuration areas.

Umask file-mask [directory-mask]
This directive specifies the umask to be used when creating new files (and, if
specified, directories). The default is usually 022, which is reasonable for
many systems.

UseFtpUsers on|off
You can turn off ProFTPd's use of the /etc/ftpusers file by setting
UseFtpUsers off. The default value is on.

UserAlias alias username
ProFTPd normally uses the username provided during the login process as the
username for authentication. You can create aliases, though, which are treated
just like the specified username. For instance, UserAlias rjones ronald causes
any login attempt as rjones to be authenticated against the ronald user
account. (This configuration is common for anonymous access, which often uses
the ftp account internally.)

These directives, and others not described here, combine to give ProFTPd a
great deal of configurability. Most installations create a standard login
ability, so that users may log in and access their own files. There may also
be a standard <Anonymous> section to support anonymous logins, which ignore
the password and so may be used by anybody. The anonymous configuration may
require a few additional changes, as well as placement of files to be accessed
by anonymous users, to be useful.
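Because the Allow, Deny, AllowAll, DenyAll and Order directives interact inside a <Limit> block, here is an added Python model of that evaluation, written against the semantics described above. It is not ProFTPd code; the proftpd.conf fragment is constructed (it reuses the <Limit WRITE> block shown earlier), and the "first matching list wins" rule is an assumption of the model.

```python
"""Model of how ProFTPd resolves Allow/Deny inside a <Limit> block.

Added example, not ProFTPd code. Following the text: a network-specifier is a
comma-delimited list of IP addresses, hostnames, domain names (leading period),
IP blocks (trailing period) or 'all'/'none'; AllowAll/DenyAll mean 'all'; the
default Order allow,deny checks Allow first and permits by default, Order
deny,allow checks Deny first and refuses by default (model assumption).
"""
import re

LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.S)

# Constructed proftpd.conf fragment built from the directives described above.
SAMPLE_CONF = """\
<Limit WRITE>
  DenyAll
  Allow from 172.21.33.
</Limit>
<Limit LOGIN>
  Order deny,allow
  Deny from .badsite.pangaea.edu, 10.0.0.
  Allow all
</Limit>
"""


def specifier_matches(spec: str, ip: str, hostname: str) -> bool:
    """One network-specifier list against a client's IP and reverse-resolved name."""
    for item in (s.strip() for s in spec.split(",")):
        if not item or item == "none":
            continue
        if item == "all":
            return True
        if item.startswith("."):        # domain name, e.g. .pangaea.edu
            if hostname.endswith(item):
                return True
        elif item.endswith("."):        # IP block, e.g. 172.21.33.
            if ip.startswith(item):
                return True
        elif item in (ip, hostname):    # exact IP address or hostname
            return True
    return False


def parse_limit(block_body: str):
    """Collect the Order, Allow and Deny lines found inside one <Limit> block."""
    order, allows, denies = "allow,deny", [], []
    for raw in block_body.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        word, _, rest = line.partition(" ")
        rest = rest.strip()
        if rest.lower().startswith("from "):  # 'from' is optional and cosmetic
            rest = rest[5:].strip()
        if word == "Order":
            order = rest.replace(" ", "")
        elif word == "Allow":
            allows.append(rest)
        elif word == "AllowAll":
            allows.append("all")
        elif word == "Deny":
            denies.append(rest)
        elif word == "DenyAll":
            denies.append("all")
    return order, allows, denies


def limit_permits(block_body: str, ip: str, hostname: str) -> bool:
    """Verdict of one <Limit> block for a client, honoring its Order directive."""
    order, allows, denies = parse_limit(block_body)
    allowed = any(specifier_matches(s, ip, hostname) for s in allows)
    denied = any(specifier_matches(s, ip, hostname) for s in denies)
    if order == "deny,allow":
        if denied:
            return False
        return allowed           # nothing matched: refused by default
    if allowed:
        return True
    return not denied            # nothing matched: permitted by default


def limit_verdicts(conf: str, ip: str, hostname: str) -> dict:
    return {group.strip(): limit_permits(body, ip, hostname)
            for group, body in LIMIT_RE.findall(conf)}
```

Note that the same DenyAll plus Allow pair gives opposite verdicts for a 172.21.33. client depending on whether Order is left at its default or set to deny,allow, which is why the Order line deserves a second look in any <Limit> block you write.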