Sun Microsystems, Inc. (docs.sun.com)

43. Administering the FTP Server (Tasks)

Controlling FTP Server Access: How to Disallow FTP Server Access to Particular Users

Example--How to Disallow FTP Server Access

root
daemon
bin
sys
adm
lp
uucp
nuucp
listen
nobody
noaccess
nobody4

The previous example lists the typical entries in the ftpusers file. User names must match entries in the /etc/passwd file. The list generally includes the superuser root and other administrative and system application identities.

The root entry is included in the ftpusers file as a security measure. The default security policy is to disallow remote logins for root. The same policy is followed by the default value of the CONSOLE entry in the /etc/default/login file. See login(1).

How to Restrict Access to the Default FTP Server

In addition to the controls mentioned previously, you can add explicit statements to the ftpaccess file to restrict access to the FTP server.

  1. Become superuser.

  2. Add the following entries to the ftpaccess file.

    1. By default, all users are allowed access to the default (non-virtual) FTP server. To deny access for specific users (other than anonymous), add the following entry:

      defaultserver deny username [username...]

      defaultserver

      Keyword that is used to identify the non-virtual server to which access can be denied or allowed

      username

      Login name of a user with restricted access to the defaultserver

    2. To allow access for users who are not listed on the deny line, add the following line:

      defaultserver allow username [username...]

    3. To prevent access by anonymous users, add the entry:

      defaultserver private

Example--Restricting Access to the Default FTP Server

defaultserver deny *
defaultserver allow username

The previous example states that the FTP server denies access to all users except anonymous users and those users who are listed on the allow line.

You can also use the ftphosts file to deny access to particular login accounts from various hosts. See ftphosts(4) for additional information.
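The following added example, which is not part of the Solaris documentation, applies the ftpusers and ftpaccess defaultserver rules described above to sample file contents constructed inline, so that an administrator can check who the default server would admit before deploying a change. It assumes that deny entries are shell-style patterns (so "*" matches every user), that an allow entry overrides a matching deny entry as the "deny * / allow username" example implies, and that ftpusers is consulted first; the login names alice, bob and carol are constructed.

```python
# Added example, not from the Solaris documentation: evaluates the
# ftpusers and ftpaccess "defaultserver" rules for a given login name.
# Assumptions: deny entries are shell-style patterns (so "*" matches all),
# and an "allow" entry overrides a matching "deny", as the "deny * /
# allow username" example in the text implies.
from fnmatch import fnmatch

ANONYMOUS_NAMES = {"anonymous", "ftp"}

# Constructed sample files mirroring the examples in the text.
FTPUSERS = "\n".join(
    "root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4".split())
FTPACCESS = """# constructed sample ftpaccess
defaultserver deny *
defaultserver allow alice bob
"""


def parse_defaultserver(ftpaccess_text):
    """Collect deny patterns, allow names and the private flag."""
    deny, allow, private = [], set(), False
    for line in ftpaccess_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "defaultserver":
            continue
        if fields[1] == "deny":
            deny.extend(fields[2:])
        elif fields[1] == "allow":
            allow.update(fields[2:])
        elif fields[1] == "private":
            private = True
    return deny, allow, private


def default_server_allows(user, ftpusers_text=FTPUSERS, ftpaccess_text=FTPACCESS):
    """Return True if `user` may log in to the default (non-virtual) server."""
    if user in ftpusers_text.split():
        return False                 # ftpusers denies regardless of ftpaccess
    deny, allow, private = parse_defaultserver(ftpaccess_text)
    if user in ANONYMOUS_NAMES:
        return not private           # deny/allow lines never cover anonymous
    if any(fnmatch(user, pat) for pat in deny):
        return user in allow         # allow line re-admits listed users
    return True


if __name__ == "__main__":
    for name in ("root", "alice", "carol", "anonymous"):
        print(f"{name:10} {'allowed' if default_server_allows(name) else 'denied'}")
```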

Setting Up FTP Server Logins

To access an FTP server, you must first log in. The FTP server supports three types of user login accounts: real, guest, and anonymous users.

  • Real users have accounts that allow them to establish terminal sessions on systems that run the FTP server. Subject to directory and file access permissions, the entire disk structure is visible to real users.

  • Guest users also need accounts to log in to the FTP server. Each guest account is set up with a user name and password. Functioning login shells are not assigned to guests to prevent users from establishing terminal sessions. At login, the FTP server performs a chroot(2) operation to restrict a guest's view of the server's disk structure.


    Note - Login shells for real and guest users must be listed in the /etc/shells file to allow access to the FTP server.


  • Anonymous users log in to the FTP server by using either ftp or anonymous as the user name. By convention, anonymous users supply an email address when prompted for a password.

    At login, the FTP server performs a chroot(2) operation that restricts the anonymous user's view of the server's disk structure. A single file area is shared by all anonymous users, unlike the separate areas that can be created for each guest user.

    Real and guest users log in by using individual accounts with passwords that are known only to one person. Anonymous users log in to a well-known account that is potentially available to anyone. Most large-scale file distribution is created by using the anonymous account.

How to Set Up Real FTP Users

To enable access for real users to the FTP server, follow these instructions:

  1. Verify that the user has an account that is set up with a user name and password that can be used to establish a terminal session.

    For more information, see "Managing User Accounts and Groups (Overview)" in the System Administration Guide, Volume 1.

  2. Confirm that the real user is a member of a class in the ftpaccess file.

    For information on the user classes that are defined in the ftpaccess file, see "How to Define FTP Server Classes".

  3. Verify that the user's login shell is listed in the /etc/shells file.

How to Set Up Guest FTP Users

The ftpconfig script is used to copy all necessary system files to the home directory. When the guest user and the guest's home directory already exist, the ftpconfig script updates the area with the current system files.

For more information, see ftpconfig(1M).


Note - Unlike the user name (anonymous or ftp) that is set for anonymous users, user names for FTP guests are not fixed. Any name that would work as a real user name can be selected.


To enable access by a guest user to the FTP server, do the following:

  1. Use the useradd script to create a guest user account with a login shell of /bin/true and a home directory of /root_dir/./home_dir.

    For more information, see useradd(1M) and "Managing User Accounts and Groups (Overview)" in the System Administration Guide, Volume 1.


    Note - In this procedure, /home/guests/./guest1 is used as the home directory name for a user who is called guest1.


    # /usr/sbin/useradd -m -c "Guest FTP" -d \
      /home/guests/./guest1 -s /bin/true guest1

  2. Assign a password to the guest account.

  3. Add a guestuser entry to the ftpaccess file.

    guestuser guest1

    Note - You can also use the guestgroup capability in the ftpaccess file to specify guest users. The guest-root capability in ftpaccess eliminates the need for the /./ in the guest user's home directory path.


  4. Confirm that the guest user is a member of a class in the ftpaccess file. See "How to Define FTP Server Classes" for further information.

  5. Use the ftpconfig script to create the required files in the chroot area.

    /usr/sbin/ftpconfig -d /home/guests

  6. Confirm that /bin/true is listed in the /etc/shells file. See "How to Create the /etc/shells file".

Example--Setting Up a Guest FTP Server

In this example, the FTP area is set up in the /home/guests directory.

# /usr/sbin/ftpconfig -d /home/guests
Updating directory /home/guests
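The following added example, which is not part of the Solaris documentation, checks a guest account against the requirements of the procedure above (a /./ marker in the home directory, a login shell listed in /etc/shells, and a guestuser entry in ftpaccess) using sample /etc/passwd, /etc/shells and ftpaccess contents constructed inline. It assumes that only guestuser entries are used; the guestgroup and guest-root alternatives mentioned in the note are not inspected, and the accounts guest1 and guest2 are constructed.

```python
# Added example, not from the Solaris documentation: checks a guest FTP
# account against the requirements of the procedure above, using sample
# /etc/passwd, /etc/shells and ftpaccess contents constructed inline.
# Assumption: only "guestuser" entries are inspected; "guestgroup" and
# "guest-root" (which the text mentions as alternatives) are not handled.

def parse_passwd(passwd_text):
    """Map login name -> (home directory, login shell) from passwd lines."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            accounts[fields[0]] = (fields[5], fields[6])
    return accounts


def guest_users(ftpaccess_text):
    """Names listed on guestuser lines of ftpaccess."""
    names = set()
    for line in ftpaccess_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and fields[0] == "guestuser":
            names.update(fields[1:])
    return names


def check_guest_account(user, passwd_text, shells_text, ftpaccess_text):
    """Return a list of problems; an empty list means the guest is set up."""
    problems = []
    accounts = parse_passwd(passwd_text)
    if user not in accounts:
        return [f"{user}: no /etc/passwd entry"]
    home, shell = accounts[user]
    if "/./" not in home:
        problems.append(f"{user}: home {home!r} lacks the /./ chroot marker")
    if shell not in shells_text.split():
        problems.append(f"{user}: shell {shell!r} is not listed in /etc/shells")
    if user not in guest_users(ftpaccess_text):
        problems.append(f"{user}: no guestuser entry in ftpaccess")
    return problems

# Constructed sample files: guest1 follows the procedure, guest2 does not.
PASSWD = ("guest1:x:1001:10:Guest FTP:/home/guests/./guest1:/bin/true\n"
          "guest2:x:1002:10:Guest FTP:/home/guests/guest2:/bin/false\n")
SHELLS = "/bin/sh\n/bin/ksh\n/bin/true\n"
FTPACCESS = "guestuser guest1\n"

if __name__ == "__main__":
    for name in ("guest1", "guest2"):
        print(name, check_guest_account(name, PASSWD, SHELLS, FTPACCESS) or "ok")
```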

How to Set Up Anonymous FTP Users

The ftpconfig script creates the anonymous user account and populates the home directory with the required files.

For more information, see ftpconfig(1M).

To enable access by an anonymous user to the FTP server, follow these instructions:

  1. Use the ftpconfig script to create the anonymous user account.
    # /usr/sbin/ftpconfig anonymous-ftp-directory

  2. Confirm that the anonymous user is assigned to a class in the ftpaccess file.

    See "How to Define FTP Server Classes" for further information.
