Linux Step By Steps

From: Jay Billingsley <mandj@iquest.net>

I've enclosed a SxS for an ftp daemon. There is currently one up by me on WU-Ftpd. I no longer use it, and don't recommend that anyone else does either. After yet another security flaw was disclosed in WU-FTPD (WuFTPD: "Providing remote root access since 1994"), I went on a search for a more reliable alternative. I tried PROFTPD, but it has way too many features for me, and is also not seasoned enough to be trusted. (In my eyes, that is.)

Then, I found it. A Linux port of the OpenBSD ftp daemon.

Download rpm from:

http://www.eleves.ens.fr:8080/home/madore/programs/#prog_ftpd-BSD.

Install the rpm.

Add the following line to /etc/inetd.conf:

ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/ftpd-BSD -l -l -A

This starts the ftp daemon through inetd, using tcp wrappers, with the -l -l and -A options. These options define who can connect (-A) and what type of logging is done (-l -l).

Check to be sure you have a file in /etc/pam.d called ftp. This file should include the following lines:

#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_shells.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so


Type "touch /etc/ftpwelcome"

Edit this file. The contents of this file are displayed to the user at connection, before login.

Note: If a file called .message exists in a directory, and a user changes into that directory, the contents of that file will be displayed.

Type "touch /etc/ftpusers"

Add to this file the names of all the people you DO NOT want to be able to ftp in. For instance:
root
anonymous

Type "touch /etc/ftpchroot"

If you want anyone to be chrooted to their home directory, unable to move any higher than that, add their name to this file.

Restart the computer, or send a HUP to inetd.

Test the daemon by logging in as users, attempting to log in as forbidden users, etc. Also check /var/log/messages to be certain advanced logging is taking place.
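The checks above, as an added audit script (not part of the original step-by-step): it verifies the inetd.conf line and the PAM file, and works out what the pam_listfile/pam_shells stack plus /etc/ftpchroot decide for a given user. It assumes a ROOT path prefix and builds a constructed sample config tree to run against; the password check (pam_pwdb) and ftpd's own handling of -A are not modelled.

```shell
# ROOT is a path prefix so the checks can run against a copy of the config
# tree; ROOT="" audits the live system.
# 1. inetd.conf: ftp must go through tcpd to ftpd-BSD with -l -l and -A.
inetd_line_ok() {
    line=$(grep -E '^ftp[[:space:]]' "$ROOT/etc/inetd.conf" 2>/dev/null | head -n 1)
    case "$line" in
        *"/usr/sbin/tcpd /usr/sbin/ftpd-BSD"*-l*-l*-A*) return 0 ;;
    esac
    return 1
}
# 2. pam.d/ftp: deny users listed in /etc/ftpusers and require a valid shell.
pam_ok() {
    f="$ROOT/etc/pam.d/ftp"
    grep -Eq '^auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_listfile\.so.*item=user.*sense=deny.*file=/etc/ftpusers' "$f" 2>/dev/null &&
        grep -Eq '^auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_shells\.so' "$f" 2>/dev/null
}
# Login shell of USER from passwd (empty if the account does not exist).
user_shell() { awk -F: -v u="$1" '$1 == u { print $7 }' "$ROOT/etc/passwd" 2>/dev/null; }
# 3. What the PAM stack decides for USER: deny, chroot or ok. The password
# check (pam_pwdb) and ftpd's own handling of -A are not modelled.
ftp_access() {
    # pam_listfile sense=deny refuses listed users; with onerr=succeed a
    # missing /etc/ftpusers refuses nobody, which is why the file is touched.
    if [ -r "$ROOT/etc/ftpusers" ] && grep -qx "$1" "$ROOT/etc/ftpusers"; then
        echo deny; return 0
    fi
    s=$(user_shell "$1")   # pam_shells: shell must be listed in /etc/shells
    if [ -z "$s" ] || ! grep -qx "$s" "$ROOT/etc/shells" 2>/dev/null; then
        echo deny; return 0
    fi
    if grep -qx "$1" "$ROOT/etc/ftpchroot" 2>/dev/null; then echo chroot; else echo ok; fi
}
# Constructed sample tree mirroring the steps above, for an offline dry run.
make_sample_tree() {
    mkdir -p "$1/etc/pam.d"
    echo 'ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/ftpd-BSD -l -l -A' > "$1/etc/inetd.conf"
    printf '%s\n' '#%PAM-1.0' \
        'auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed' \
        'auth required /lib/security/pam_shells.so' > "$1/etc/pam.d/ftp"
    printf 'root\nanonymous\n' > "$1/etc/ftpusers"
    echo jay > "$1/etc/ftpchroot"
    printf '/bin/sh\n/bin/bash\n' > "$1/etc/shells"
    printf 'root:x:0:0::/root:/bin/sh\njay:x:500:500::/home/jay:/bin/bash\nweb:x:501:501::/var/www:/sbin/nologin\n' > "$1/etc/passwd"
}

ROOT=$(mktemp -d) && trap 'rm -rf "$ROOT"' EXIT
make_sample_tree "$ROOT"
inetd_line_ok && pam_ok && echo "config checks passed"
for u in root jay web nobody; do echo "$u: $(ftp_access "$u")"; done
```

To audit a real box, set ROOT="" and call the functions against the live files instead of the sample tree.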


You're done.