deny *.exodous.net /home/ftp/.message_exodous_deny
This entry denies access to the FTP server to all users connecting from the exodous.net domain and displays the message contained in the .message_exodous_deny file in the /home/ftp directory.
ftpusers
File Purpose Now Implemented in ftpaccess
Certain accounts that the system uses to segment and separate tasks with specific permissions (root, bin, daemon, and so on) are created during Linux installation. The ftpusers file (located in /etc/ftpusers) lists the accounts that are never allowed to log in over FTP, and these system accounts belong there because none of them has any business logging in over FTP. The version of wu-ftpd shipped with Fedora may deprecate this file and instead implement the same function in the ftpaccess file with the deny-uid and deny-gid directives; check the ftpaccess man page for your version and make sure the system accounts are still denied in one place or the other.
Restrict Permissions Based on Group IDs
The guestgroup line makes the members of a given group name or group names behave exactly like the anonymous user. Here is the command:
guestgroup <groupname> [<groupname> ...]
This command confines the users to a specific directory structure (a chroot) in the same way anonymous users are confined to /var/ftp. Within that tree, these users can still access only the files for which their assigned group has permissions.
The groupname parameter can be the name of a group or that group's corresponding group ID (GID). If you use a GID as the groupname parameter, put a percent sign (%) in front of it. You can also use this form to cover a range of group IDs, as in this example:
guestgroup %500-550
This entry treats all users whose group ID falls in the range 500-550 as guests rather than as ordinary, unconfined users. For guestgroup to work, you must set up the users' home directories with the correct permissions and the supporting bin, etc, and lib directories, exactly like the anonymous FTP tree. The home directory field in /etc/passwd can mark the chroot point with /./ (for example, /home/ftp/./bob): wu-ftpd chroots the guest to the part before the marker and starts the session in the part after it; without the marker, the whole home directory becomes the chroot root.
Limit Permissions Based on Individual ID
The guestuser line works exactly like the guestgroup command you just read about, except that it names user accounts (a username, or a user ID (UID) prefixed with %) instead of groups. Here's the command:
guestuser <username> [<username> ...]
A guest user is limited to the files for which the account itself has permission. Because an account's own ownership bits apply in addition to those of its groups, a user confined this way can often reach more than a guestgroup member of the same group could, so this assignment can be less restrictive than the guestgroup line.
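The following is an added example, not wu-ftpd's own code, showing how the guestgroup and guestuser arguments described above resolve against an account database: plain names, a single %GID or %UID, and %low-high ranges. The account list, group table and ftpaccess fragment are constructed for the example, and two details are assumptions rather than documented behaviour: guestuser is checked before guestgroup, and a home field without a /./ marker is treated as a chroot root whose session starts at its top.

```python
"""Decide which accounts wu-ftpd would treat as guests.

Added example, not wu-ftpd's own code. It reads guestgroup/guestuser
directives as the text describes them (plain names, %GID or %UID, and
%low-high numeric ranges) and checks them against a constructed account
database. guestuser is checked before guestgroup because it targets a
specific account; that order is an assumption for this example.
"""
import re
from dataclasses import dataclass

_NUMERIC = re.compile(r"^%(\d+)(?:-(\d+))?$")   # %500 or %500-550

# Constructed stand-ins for /etc/group and /etc/passwd.
GROUP_GIDS = {"admin": 10, "staff": 100, "web": 510, "contract": 540}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    groups: frozenset          # names of all groups the account belongs to
    home: str                  # passwd home field, may contain /./


ACCOUNTS = [
    Account("alice", 1001, frozenset({"staff", "admin"}), "/home/alice"),
    Account("bob",   1002, frozenset({"web"}),            "/home/ftp/./bob"),
    Account("carol", 1003, frozenset({"staff"}),          "/home/ftp/./carol"),
    Account("dave",  1004, frozenset({"contract"}),       "/home/ftp/./dave"),
]

FTPACCESS = """\
# constructed ftpaccess fragment
guestgroup %500-550
guestuser carol %2000-2100
"""


def parse_guest_args(args):
    """Split directive arguments into a set of names and a list of (lo, hi) ranges."""
    names, ranges = set(), []
    for arg in args:
        m = _NUMERIC.match(arg)
        if m is None:
            names.add(arg)
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"inverted range: {arg}")
        ranges.append((lo, hi))
    return names, ranges


def parse_ftpaccess(text):
    """Collect guestgroup and guestuser directives, ignoring comments and blank lines."""
    rules = {"guestgroup": [], "guestuser": []}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] in rules:
            rules[fields[0]].append(parse_guest_args(fields[1:]))
    return rules


def _in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)


def guest_kind(account, rules, group_gids=GROUP_GIDS):
    """Return 'guestuser', 'guestgroup', or None for a normal (unconfined) login."""
    for names, ranges in rules["guestuser"]:
        if account.name in names or _in_ranges(account.uid, ranges):
            return "guestuser"
    gids = {group_gids[g] for g in account.groups if g in group_gids}
    for names, ranges in rules["guestgroup"]:
        if account.groups & names or any(_in_ranges(g, ranges) for g in gids):
            return "guestgroup"
    return None


def chroot_split(home):
    """Split a passwd home field at /./ into (chroot root, initial directory).

    Assumption for this example: without a /./ marker the whole home becomes
    the chroot root and the session starts at its top.
    """
    root, sep, rest = home.partition("/./")
    return (root, "/" + rest) if sep else (home, "/")


def classify_all(accounts=ACCOUNTS, text=FTPACCESS):
    """Map every constructed account to the guest kind the fragment gives it."""
    rules = parse_ftpaccess(text)
    return {a.name: guest_kind(a, rules) for a in accounts}


if __name__ == "__main__":
    rules = parse_ftpaccess(FTPACCESS)
    for a in ACCOUNTS:
        kind = guest_kind(a, rules) or "normal"
        print(f"{a.name:6} {kind:10} chroot={chroot_split(a.home)}")
```

Run it on a copy of your real /etc/group and /etc/passwd data before enabling a GID range: the one account you forgot sits in a group inside the range and suddenly lands in a chroot without a working bin/ls.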
Restrict the Number of Users in a Class
The limit command restricts the number of concurrent users in a class during given times. Here is the command, which contains fields for specifying a class, a number of users, a time range, and the name of a text file that contains an appropriate message:
limit <class> <n> <times> <message_file>
If a user from the listed class connects while the class already has the specified number of users during the given time period, that user sees the contents of the file given in the message_file parameter and the login is refused.
The times parameter is somewhat terse. Its format is a comma-delimited string of day/time items, each a day string optionally followed by an hours range. Valid day strings are Su, Mo, Tu, We, Th, Fr, Sa, and Any, and several day codes can be run together. The hours range uses a 24-hour HHMM-HHMM format; a day item without one applies all day. An example is as follows:
limit anonymous 10 MoTuWeThFr,Sa0000-2300 /home/ftp/.message_limit_anon_class
This line limits the anonymous class to 10 concurrent connections all day Monday through Friday, and on Saturday from midnight to 11:00 p.m. If an eleventh anonymous user connects on Saturday afternoon, that user sees the contents of the file /home/ftp/.message_limit_anon_class. Note what the line does not cover: Sunday, and Saturday after 11:00 p.m. No limit applies then unless another limit line (for example, one with the day string Any) matches.
Syntax for finer control over limiting user connections can be found in the ftpaccess
man page.
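As an added example (not wu-ftpd code, and not taken from the ftpaccess man page), the evaluator below implements the times syntax as described above and decides, for a class at a given moment, whether one more login would be allowed. Two assumptions are built in: the first limit line whose class and times match is the one applied, and both ends of an HHMM-HHMM range are inclusive. The ftpaccess fragment is constructed and adds an Any catch-all so the Sunday and late-Saturday gap noted above is covered.

```python
"""Evaluate wu-ftpd limit directives for a given class and moment.

Added example, not wu-ftpd's own code. It implements the <times> syntax as
the text describes it: comma-separated items, each a run of two-letter day
codes (Su Mo Tu We Th Fr Sa) or Any, optionally followed by HHMM-HHMM in
24-hour form. Assumptions for this example: the first limit line whose class
and times match is the one applied, and both ends of an HHMM-HHMM range are
inclusive.
"""
import re
from datetime import datetime

# datetime.weekday(): Monday == 0 ... Sunday == 6
DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
_ITEM = re.compile(r"^((?:Su|Mo|Tu|We|Th|Fr|Sa)+|Any)(?:(\d{4})-(\d{4}))?$")

FTPACCESS = """\
# constructed ftpaccess fragment: 10 anonymous sessions on weekdays and most of
# Saturday; a catch-all of 2 at every other time (late Saturday, all of Sunday)
limit anonymous 10 MoTuWeThFr,Sa0000-2300 /home/ftp/.message_limit_anon_class
limit anonymous 2  Any                      /home/ftp/.message_limit_anon_offhours
"""


def parse_times(spec):
    """Turn 'MoTuWeThFr,Sa0000-2300' into [(days, start, end), ...] with HHMM ints."""
    windows = []
    for item in spec.split(","):
        m = _ITEM.match(item)
        if m is None:
            raise ValueError(f"bad times item: {item!r}")
        day_str = m.group(1)
        if day_str == "Any":
            days = set(DAY_CODES.values())
        else:
            days = {DAY_CODES[day_str[i:i + 2]] for i in range(0, len(day_str), 2)}
        start = int(m.group(2)) if m.group(2) else 0
        end = int(m.group(3)) if m.group(3) else 2359
        if not (0 <= start <= end <= 2400):
            raise ValueError(f"bad hour range in {item!r}")
        windows.append((days, start, end))
    return windows


def time_matches(windows, when):
    """True if the datetime falls inside any window (inclusive bounds, an assumption)."""
    hhmm = when.hour * 100 + when.minute
    return any(when.weekday() in days and start <= hhmm <= end
               for days, start, end in windows)


def parse_limits(text):
    """Return [(class, n, windows, message_file)] in file order."""
    limits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "limit":
            if len(fields) != 5:
                raise ValueError(f"limit needs 4 arguments: {raw!r}")
            _, cls, n, times, message_file = fields
            limits.append((cls, int(n), parse_times(times), message_file))
    return limits


def check_login(limits, user_class, open_sessions, when):
    """Return (allowed, message_file).

    open_sessions counts sessions of the class already established, not the
    one being decided; n < 0 means unlimited. The first matching line wins.
    """
    for cls, n, windows, message_file in limits:
        if cls == user_class and time_matches(windows, when):
            if n < 0 or open_sessions < n:
                return True, None
            return False, message_file
    return True, None        # no applicable limit line: unrestricted


LIMITS = parse_limits(FTPACCESS)

if __name__ == "__main__":
    for when, open_sessions in [(datetime(2024, 1, 10, 14, 0), 10),   # Wednesday
                                (datetime(2024, 1, 13, 23, 30), 2),   # Saturday night
                                (datetime(2024, 1, 14, 10, 0), 1)]:   # Sunday
        print(when.strftime("%a %H:%M"), open_sessions,
              check_login(LIMITS, "anonymous", open_sessions, when))
```

Feeding your own ftpaccess and a few dates around the boundaries (Friday 23:59, Saturday 23:01, Sunday 00:00) through check_login is the quickest way to see which hours a set of limit lines leaves unrestricted.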
Limit the Number of Invalid Password Entries
This line controls how many times a user can enter an invalid password before the FTP server terminates the session:
loginfails <number>
The default for loginfails is 5. This command keeps users without valid passwords from experimenting within one session until they get it right. It only ends the session, though; a client can reconnect and try again, so treat it as a brake on password guessing rather than a lockout, and watch the logs for repeated failures from the same address.
Configure User Information
Providing users with information about the server and its use is a good practice for any administrator of a public FTP server. Adequate user information helps prevent user problems, eliminates tech support calls, and documents how your FTP server should be used, including any restrictions governing its use.
You can use the commands detailed in the following sections to display messages to users as they log in to the server and as they perform specific actions.
Display a Prelogin Banner
This command names a file that is displayed before the user receives a login prompt from the FTP server:
banner <path>
This file generally contains information to identify the server and state who may use it. The path is an absolute pathname relative to the system root (/), not to the base of the anonymous FTP user's home. The entry might look like this:
banner /etc/rh8ftp.banner
This example uses the file named rh8ftp.banner under the /etc directory. The file can contain one or more lines of text, such as:
Welcome to Widget, Inc.'s Red Hat Linux FTP server.
This server is only for use of authorized users.
Third-party developers should use a mirror site.
When an FTP user attempts to log in, the banner is displayed like so:
$ ftp shuttle2
Connected to shuttle2.home.org.
220-Welcome to Widget, Inc.'s Red Hat Linux FTP server.
220-This server is only for use of authorized users.
220-Third-party developers should use a mirror site.
220-
220-
220 shuttle2 FTP server (Version wu-2.6.2-8) ready.
504 AUTH GSSAPI not supported.
504 AUTH KERBEROS_V4 not supported.
KERBEROS_V4 rejected as an authentication type
Name (shuttle2:phudson):
NOTE
Note that the banner does not replace the greeting text that, by default, displays the hostname and server information, such as:
220 shuttle2 FTP server (Version wu-2.6.2-8) ready.
To hide version information, use the greeting command in ftpaccess with a keyword such as terse, like so:
greeting terse
FTP users then see a short message like this as part of the login text:
220 FTP server ready.
Also, not all FTP clients can handle multiline responses from the FTP server. The banner directive sends the file contents to the client as the continuation lines of a multiline 220 reply, so a client that cannot interpret such replies cannot use the server at all. Keep the banner short, test it with the clients you expect, and edit the default banner to remove identity and version information.
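Whether a greeting still leaks the product and version after you set greeting terse is easy to check from the client side. The script below is an added example, not from the page or from wu-ftpd: parse_reply() handles RFC 959 multiline replies (continuation lines 220-, closed by a 220 line), which is exactly what the banner directive produces, and audit_greeting() reports the fragments that identify the product, version or platform. The two sample greetings are constructed to mirror the transcript above; the disclosure patterns are an assumption to extend for your own environment, and fetch_greeting() is only there for running the same audit against a live host.

```python
"""Parse an FTP greeting and flag software/version disclosure.

Added example, not from the page or from wu-ftpd. parse_reply() handles
RFC 959 multiline replies ('220-' continuation lines closed by a '220 '
line), the format the banner directive produces; audit_greeting() reports
fragments that identify the product, version or platform. The sample
greetings are constructed; the pattern list is an assumption.
"""
import re
import socket

DISCLOSURE_PATTERNS = [
    re.compile(r"Version\s+[\w.-]+"),              # "Version wu-2.6.2-8"
    re.compile(r"\b(?:Red Hat|Fedora|Linux)\b"),    # distribution / OS names
]

VERBOSE_GREETING = "\n".join([
    "220-Welcome to Widget, Inc.'s Red Hat Linux FTP server.",
    "220-This server is only for use of authorized users.",
    "220-Third-party developers should use a mirror site.",
    "220-",
    "220 shuttle2 FTP server (Version wu-2.6.2-8) ready.",
])
TERSE_GREETING = "220 FTP server ready."   # what 'greeting terse' yields with no banner


def parse_reply(text):
    """Return (code, lines) for one FTP reply; raise ValueError if malformed."""
    lines = text.splitlines()
    if not lines or not re.match(r"^\d{3}[ -]", lines[0]):
        raise ValueError("reply must start with a three-digit code")
    code = lines[0][:3]
    body = []
    for line in lines:
        if line.startswith(code + " "):          # final line closes the reply
            body.append(line[4:])
            return code, body
        if line.startswith(code + "-"):          # continuation line
            body.append(line[4:])
        else:                                    # RFC 959 allows bare text inside
            body.append(line)
    raise ValueError("multiline reply never closed with '%s '" % code)


def is_well_formed(text):
    """True if the text is a complete, properly terminated FTP reply."""
    try:
        parse_reply(text)
        return True
    except ValueError:
        return False


def audit_greeting(text):
    """Summarise a greeting: reply code, number of lines, disclosed fragments."""
    code, lines = parse_reply(text)
    leaks = []
    for line in lines:
        for pat in DISCLOSURE_PATTERNS:
            leaks.extend(pat.findall(line))
    return {"code": code, "lines": len(lines), "leaks": leaks}


def fetch_greeting(host, port=21, timeout=5.0):
    """Read the greeting from a live server; not called in the offline run below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="latin-1", newline="\r\n")
        got = []
        for line in reader:
            got.append(line.rstrip("\r\n"))
            if re.match(r"^\d{3} ", line):      # final line of the reply
                break
        return "\n".join(got)


if __name__ == "__main__":
    for name, greeting in [("default", VERBOSE_GREETING), ("terse", TERSE_GREETING)]:
        print(name, audit_greeting(greeting))
```

The "lines" count is also a quick gauge of how much a banner asks of the client: a value of 1 means the server sends a single-line greeting that even the clients that choke on multiline replies can handle.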
Display a File
This line specifies a text file to be displayed to the user during login and when the user issues the cd command:
message <path> {<when> {<class> ...}}
The optional when clause can be LOGIN or CWD=<dir>, where dir is the directory the user is changing into (a glob pattern, so CWD=* shows the message on every directory change). The optional class parameter enables messages to be shown to only a given class or classes of users.