500 Illegal PORT command.
ftp: bind: Address already in use
ftp>
ftp> pass
Passive mode on.
ftp> ls
227 Entering Passive Mode (204,86,112,12,187,89).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 gbush gbush 8470 Jan 10 2000 LinuxUnleashed.gif
-rw-r--r-- 1 gbush gbush 4407 Oct 4 2001 RHU72ed.gif
-rw-r--r-- 1 gbush gbush 6732 May 18 2000 SuSEUnleashed.jpg
-rw-r--r-- 1 gbush gbush 6175 Jan 10 2000 TYSUSE.gif
-rw-r--r-- 1 gbush gbush 3135 Jan 10 2000 Tzones.gif
...
NOTE
Browse to http://slacksite.com/other/ftp.html for a detailed discussion regarding active and passive FTP modes and the effect of firewall blocking of service ports on FTP server and client connections.
Another default setting is that specific user login controls are not set, but you can configure the controls to deny access to one or more users. The data transfer rate for anonymous client access is unlimited, but you can set a maximum rate (in bytes per second) by using the anon_max_rate setting in vsftpd.conf. This can be useful for throttling bandwidth use during periods of heavy access. Another default is that remote clients are logged out after five minutes of idle activity or a stalled data transfer. You can set idle and transfer timeouts (stalled connections) separately.
Other settings that might be important for managing your system's resources (networking bandwidth or memory) when offering FTP access include the following:
► dirlist_enable — Toggles directory listings on or off.
► dirmessage_enable — Toggles display of a message when the user enters a directory. A related setting is ls_recurse_enable, which can be used to disallow recursive directory listings.
► download_enable — Toggles downloading on or off.
► max_clients — Sets a limit on the maximum number of connections.
► max_per_ip — Sets a limit on the number of connections from the same IP address.
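The following Python script is an added example, not code from the book or from the vsftpd project. It parses a vsftpd.conf and reports which of the resource limits just described (anon_max_rate, max_clients, max_per_ip, and the two timeouts) are still at their unlimited or default-exceeding values. The directive names are real vsftpd directives; the two sample configurations and the reporting thresholds are constructed for the example.

```python
"""Audit a vsftpd.conf for the resource limits discussed above.

Added example, not from the book or the vsftpd project.  vsftpd.conf is a
plain key=value file with '#' comment lines; the directive names below are
real vsftpd directives, while the sample configurations and the reporting
thresholds are constructed for this example.
"""
from __future__ import annotations

# Constructed sample: the throttling-related defaults are left in place.
LOOSE_CONF = """\
# constructed vsftpd.conf
listen=YES
anonymous_enable=YES
local_enable=NO
dirlist_enable=YES
max_clients=0
idle_session_timeout=600
"""

# Constructed sample: the same server with explicit limits applied.
TIGHT_CONF = """\
# constructed vsftpd.conf
listen=YES
anonymous_enable=YES
local_enable=NO
dirlist_enable=YES
anon_max_rate=51200
max_clients=50
max_per_ip=5
idle_session_timeout=300
data_connection_timeout=120
"""

# Directives whose default value 0 means "no limit".
UNLIMITED_WHEN_ZERO = {
    "anon_max_rate": "anonymous transfer rate in bytes per second",
    "max_clients": "simultaneous client connections",
    "max_per_ip": "connections from one source IP address",
}
# Timeouts in seconds; vsftpd's default is 300 for both.
TIMEOUT_DEFAULTS = {"idle_session_timeout": 300, "data_connection_timeout": 300}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments.

    A line without '=' is an error, as it would be for vsftpd itself.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_limits(settings: dict[str, str]) -> list[str]:
    """Return one finding per resource the configuration leaves unbounded and
    per timeout that is longer than the default."""
    findings: list[str] = []
    for directive, resource in UNLIMITED_WHEN_ZERO.items():
        if settings.get(directive, "0") == "0":   # an unset directive behaves like 0
            findings.append(f"{directive}: no limit on {resource}")
    for directive, default in TIMEOUT_DEFAULTS.items():
        seconds = int(settings.get(directive, default))
        if seconds > default:
            findings.append(f"{directive}={seconds}: longer than the {default}s default")
    return findings


if __name__ == "__main__":
    for label, conf in (("loose", LOOSE_CONF), ("tight", TIGHT_CONF)):
        print(f"[{label}] findings: {audit_limits(parse_vsftpd_conf(conf)) or 'none'}")
```

Run it against your own file by reading it into parse_vsftpd_conf; the loose sample produces four findings (three unbounded resources plus the raised idle timeout), the tight sample none.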
Configuring the wu-ftpd Server
wu-ftpd uses a number of configuration files to control how it operates, including the following:
► ftpaccess — Contains the majority of server configuration settings
► ftpconversions — Contains definitions of file conversions during transfers
► ftphosts — Holds settings to control user access from specific hosts
These files may be created in the /etc directory during RPM installation, or may be created by a system administrator. The following sections describe each of these files and how to use the commands they contain to configure the wu-ftpd server so that it is accessible to all incoming requests.
CAUTION
When configuring an anonymous FTP server, it is extremely important to ensure that all security precautions are taken to prevent malicious users from gaining privileged-level access to the server. Although this chapter shows you how to configure your FTP server for secure use, all machines connected to the Internet are potential targets for malicious attacks. Vulnerable systems can be a source of potential liability, especially if anyone accesses and uses them to store illegal copies of proprietary software — even temporarily. There is little value in configuring a secure FTP server if the rest of the system is still vulnerable to attack. Use Red Hat's lokkit or system-config-securitylevel client to implement a firewall on your system.
Using Commands in the ftpaccess File to Configure wu-ftpd
The ftpaccess file contains most of the server configuration details. Each line contains a definition or parameter that is passed to the server to specify how the server is to operate. The directives can be broken down into the following categories:
► Access Control — Settings that determine who can access the FTP server and how it is accessed
► Information — Settings that determine what information is provided by the server or displayed to a user
► Logging — Settings that determine whether logging is enabled and what information is logged
► Permission Control — Settings that control the behavior of users when accessing the server; in other words, what actions users are allowed to perform, such as create a directory, upload a file, delete a file or directory, and so on
TIP
Many more options can be specified for the wu-ftpd FTP server in its ftpaccess file. The most common commands have been covered here. A full list of configuration options can be found in the ftpaccess man page after you install the server.
You can edit the ftpaccess file at the command line to make configuration changes in any of these categories. The following sections describe some configuration changes and how to edit these files to accomplish them.
Controlling which users can access the FTP server, and how they can do so, is a critical part of system security. Use the following entries in the ftpaccess file to specify to which group the user accessing the server is assigned.
Limit Access for Anonymous Users
This command imposes increased security on the anonymous user:
autogroup <groupname> <class> [<class> ...]
If the anonymous user is a member of a group, he is allowed access only to files and directories owned by him or his group. The group must be a valid group from /etc/groups or /var/ftp/etc/groups.
Define User Classes
This command defines a class of users by the address from which the user connects:
class <classname> <typelist> <addrglob> [<addrglob> ...]
There might be multiple members of a class, and multiple classes might apply to an individual user. When multiple classes apply to one user, the first class that applies is used.
The typelist field is a comma-separated list of the keywords anonymous, guest, and real. anonymous applies to the anonymous user, and guest applies to the guest access account, as specified in the guestgroup directive. real defines those users who have a valid entry in the /etc/passwd file.
The addrglob field is a regular expression that specifies the addresses to which the class applies. A lone asterisk (*) matches all hosts.
Block a Host's Access to the Server
Sometimes it is necessary to block entire hosts from accessing the server. This can be useful to protect the system from individual hosts or entire blocks of IP addresses, or to force the use of other servers. Use this command to do so:
deny <addrglob> [<message_file>]
deny always denies access to hosts that match a given address. addrglob is a regular expression field that contains a list of addresses, either numeric or DNS names. This field can also be a file reference that contains a list of addresses. If an address is a file reference, it must be an absolute file reference; that is, it starts with a /. To deny hosts whose IP addresses cannot be mapped to a valid domain name, use the !nameserver parameter.
A sample deny line resembles the following:
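The sample line itself is not present in this excerpt. In its place, the following Python script is an added example, not wu-ftpd's own code: it re-implements the class, autogroup and deny rules described in the last three sections (first matching class wins, deny matched against the numeric address or DNS name, an addrglob beginning with / read as a file of patterns, and deny !nameserver for hosts without a reverse DNS name) so you can see how a given connection would be classified. Patterns are treated as shell-style globs and CIDR forms are not handled; the ftpaccess text, the blocklist file and every host address are constructed.

```python
"""Model of the wu-ftpd ftpaccess directives class, autogroup and deny.

Added example, not wu-ftpd's own code: it re-implements the rules described
above (the first matching class is used, deny matches an addrglob against the
numeric address or DNS name, an addrglob starting with '/' names a file of
patterns, and 'deny !nameserver' rejects hosts with no reverse DNS name).
Patterns are treated as shell-style globs; CIDR forms are not handled.  The
ftpaccess text, the blocklist file and every host below are constructed.
"""
from __future__ import annotations
import fnmatch
import os
import tempfile

# Constructed blocklist standing in for an absolute file reference.
BLOCKLIST_PATH = os.path.join(tempfile.mkdtemp(), "ftpd.blocked")
with open(BLOCKLIST_PATH, "w") as fh:
    fh.write("# constructed blocklist\n203.0.113.*\nbadhost.example.invalid\n")

SAMPLE_FTPACCESS = f"""\
# constructed ftpaccess excerpt
class     local   real,guest,anonymous   192.0.2.*
class     remote  anonymous              *
autogroup ftponly remote
deny      198.51.100.*
deny      {BLOCKLIST_PATH}
deny      !nameserver
"""


def parse_ftpaccess(text: str) -> dict[str, list]:
    """Collect class, autogroup and deny lines; other directives are ignored."""
    cfg: dict[str, list] = {"classes": [], "autogroups": [], "denies": []}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 4 and tokens[0] == "class":
            cfg["classes"].append((tokens[1], set(tokens[2].split(",")), tokens[3:]))
        elif len(tokens) >= 3 and tokens[0] == "autogroup":
            cfg["autogroups"].append((tokens[1], tokens[2:]))
        elif len(tokens) >= 2 and tokens[0] == "deny":
            cfg["denies"].append(tokens[1])   # an optional message file is ignored here
    return cfg


def expand_addrglob(addrglob: str) -> list[str]:
    """An addrglob beginning with '/' is a file holding one pattern per line."""
    if not addrglob.startswith("/"):
        return [addrglob]
    with open(addrglob) as fh:
        lines = (ln.strip() for ln in fh)
        return [ln for ln in lines if ln and not ln.startswith("#")]


def addr_matches(pattern: str, ip: str, hostname: str | None) -> bool:
    """Match against the numeric address, or the DNS name case-insensitively."""
    if fnmatch.fnmatchcase(ip, pattern):
        return True
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def is_denied(cfg: dict[str, list], ip: str, hostname: str | None) -> bool:
    """True if any deny line (including '!nameserver') applies to the connection."""
    for addrglob in cfg["denies"]:
        if addrglob == "!nameserver":
            if hostname is None:
                return True
            continue
        if any(addr_matches(p, ip, hostname) for p in expand_addrglob(addrglob)):
            return True
    return False


def resolve_class(cfg, user_type, ip, hostname):
    """First class whose typelist holds the user type and whose addrglob matches."""
    for name, typelist, addrglobs in cfg["classes"]:
        if user_type in typelist and any(
            addr_matches(p, ip, hostname) for g in addrglobs for p in expand_addrglob(g)
        ):
            return name
    return None


def access_decision(cfg, user_type, ip, hostname=None):
    """Return (allowed, class, autogroup); a user matching no class is refused,
    which is how wu-ftpd treats unclassified logins."""
    if is_denied(cfg, ip, hostname):
        return (False, None, None)
    cls = resolve_class(cfg, user_type, ip, hostname)
    if cls is None:
        return (False, None, None)
    group = None
    if user_type == "anonymous":   # autogroup only applies to the anonymous user
        group = next((g for g, classes in cfg["autogroups"] if cls in classes), None)
    return (True, cls, group)


CONFIG = parse_ftpaccess(SAMPLE_FTPACCESS)

if __name__ == "__main__":
    for args in (("anonymous", "192.0.2.10", "pc10.example.invalid"),
                 ("anonymous", "198.18.0.7", None),
                 ("real", "198.18.0.7", "host.example.invalid")):
        print(args, "->", access_decision(CONFIG, *args))
```

With this configuration an anonymous client from 192.0.2.10 lands in class local with no autogroup, an anonymous client from anywhere else lands in class remote and is put in group ftponly, a real user outside 192.0.2.* matches no class and is refused, and a client with no reverse DNS name is refused by deny !nameserver before any class is considered.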