Basic network access: servers
Anonymous ftp gives you a couple of security options:
- It restricts access to the home directory of user ftp. From the point of view of the remote user, ftp's home directory is the root directory, and he cannot access any files outside this directory. Note that this means that you can't use symbolic links outside the ftp directory, either.
- It restricts access to the machine generally: the user doesn't learn any passwords, so he has no other access to the machine.
- In addition, you can start ftpd in such a manner that it will allow only anonymous ftp connections.
There are a number of preparations for anonymous ftp:
- Decide on a directory for storing anonymous ftp files. The location will depend on the amount of data you propose to store there. By default, it's /var/spool/ftp.
- Create a user ftp, with the anonymous ftp directory as the home directory and the shell /dev/null. Using /dev/null as the shell makes it impossible to log in as user ftp, but does not interfere with the use of anonymous ftp. ftp can be a member of group bin or you can create a new group ftp by adding the group to /etc/group. See page 145 for more details of adding users, and the man page group(5) for adding groups.
- Create subdirectories ~ftp/bin and ~/ftp/pub. It is also possible to create a directory for incoming data. By convention its name is ~ftp/incoming. This is a very bad idea if you're connected to the global Internet: it won't belong before people start using your system as a server for illicit data. Only use this option if you have some other method of stopping unauthorized access.
Set the ownership of the directories like this:
dr-xr-xr-x 2 ftp ftp 512 Feb 28 12:57 bin drwxrwxrwx 2 ftp ftp 512 Oct 7 05:55 incoming drwxrwxr-x 20 ftp ftp 512 Jun 3 14:03 pub
This enables read access to the pub directory and read-write access to the incoming subdirectory.
- If you have a lot of files that are accessed relatively in frequently, it's possible you will find people on the Net who copy all the files that they see in the directory. Sometimes you'll find multiple connections from one system copying all the files in parallel, which can cause bandwidth problems. In some cases, you might find it more appropriate to distribute the names individually, and to limit access to reading the directories. You can do this by setting the permissions of pub and its subdirectories like this:
d--x--x-- x 20 ftp ftp 512 Jun 314:03 pub
This allows access to the files, but not to the directory, so the remote user can't find the names of the files in the directory.
- Copy the following files to ~ftp/bin: /usr/bin/compress, /usr/bin/gzip, /usr/bin/gunzip,
/bin/ls, /usr/bin/tar and /usr/bin/uncompress. The view of anonymous ftp
users is restricted to the home directory, so all programs that are to be executed must also be in this directory.
You can ("hard") link the files if you want (and if the directory is on the same file system), but symbolic links will fail, since they contain path names that do not point to the correct place when running in the anonymous ftp environment.
Restricting access and logging
A number of ftpd options make it easier to control and monitor ftp access:
- The -l option logs each session, whether successful or not, to syslogd with the facility LOG_FTP. To enable this logging, your /etc/syslog.conf should contain a line like
ftp.* /var/log/ftpd
In addition, the file /var/log/ftpd must exist. If it doesn't, create it with:
# touch /var/log/ftpd
- The -l option has two levels: if you specify it once, it logs connections only. If you specify it twice, it also lists the files that are transferred.
- The -S option logs all anonymous transfers to the file /var/log/ftpd.
- You can restrict access to only anonymous ftp with the -A option.
There are a number of other options; see the man page ftpd(8) for further details.
In addition to these options, when a real user establishes a connection, ftpd checks the user's shell. If it is not listed in /etc/shells, ftpd will deny the connection. This can be useful if you don't want specific users to access the system: give them a different shell, such as /usr/bin/sh instead of /bin/sh, and ensure that /usr/bin/sh is not in /etc/shells.
Log file format
The format of the log files is a little unusual. You'll see things like:
Oct 12 16:32:04 freebie ftpd[8691]: ANONYMOUS FTP LOGIN FROM adam.adonai.net, leec@a donainet Oct 12 18:33:32 freebie ftpd[9007]: connection from gateway.smith.net.au Oct 12 18:33:37 freebie ftpd[9007]: ANONYMOUS FTP LOGIN FROM gateway.smith.net.au, m ike Oct 12 21:36:28 freebie ftpd[9369]: connection from grisu.bik-gmbh.de Oct 12 21:36:29 freebie ftpd[9369]: ANONYMOUS FTP LOGIN FROM grisu.bik-gmbh.de, harv est@ Oct 12 21:36:37 1997!harvest@!grisu.bik-gmbh.de!/pub/cfbsd/README!9228!1 Oct 12 21:37:05 freebie ftpd[9371]: connection from grisu.bik-gmbh.de Oct 12 21:37:06 freebie ftpd[9371]: ANONYMOUS FTP LOGIN FROM grisu.bik-gmbh.de, harv est@ Oct 13 09:38:19 freebie ftpd[13514]: connection from 151.197.101.46 Oct 13 09:38:21 freebie ftpd[13514]: ANONYMOUS FTP LOGIN FROM 151.197.101.46, bmc@ho vercraft.willscreek.com Oct 13 09:38:58 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/dear-re viewer!8890!1 Oct 13 09:41:42 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/txt/26-netdebug.txt.gz!12188!1 Oct 13 09:42:05 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/txt/C-p ackages.txt.gz!37951!1 Oct 13 09:59:07 freebie ftpd[14117]: connection from 151.197.101.46 Oct 13 09:59:08 freebie ftpd[14117]: ANONYMOUS FTP LOGIN FROM 151.197.101.46, bmc@ho vercraft.willscreek.com Oct 13 09:59:24 1997!bmc@hovercraft.willscreek.com!151.197.101.46!/pub/cfbsd/txt/D-b iblio.txt.gz!1815!1
This log excerpt shows three kinds of message:
- The messages starting with the text connection from occur when an ftp connection is made. They don't mean that any permission to access has been given. These messages are logged by the -l option.
- The ANONYMOUS FTP LOGIN messages show that somebody has logged in anonymously. The name follows, not always in the required username format. The standard ftpd does not enforce this requirement; you may find something that does in the Ports Collection. These messages are logged by the -S option.
- The lines full of ! marks show files being transferred. The ! marks delimit the fields, which are:
- The year, as an extension of the timestamp.
- The user ID.
- The IP address of the system to which the data is transferred.
- The name of the file transferred.
- The number of bytes transferred.
Running sshd
Normally you start sshd from the system configuration file /etc/rc.conf:
sshd_enable="YES" # Enable sshd
That's all you need to do for sshd. You can also start it simply with:
#sshd
sshd reads a configuration file /etc/ssh/sshd_config. Like its companion /etc/ssh/ssh_config, it contains mainly commented-out lines showing the default values. Most of them don't require change, but the following entries may be of interest:
- Protocol states which ssh protocols to use, and in which order. By default, sshd tries protocol 2 first, and falls back to protocol 1 if protocol 2 fails. You might consider setting it to use only protocol 2.
- When PermitRootLogin is set to yes, you can log in as root via ssh. Normally it's disabled.
- Set PasswordAuthentication to no if you want all access to be via key exchange (see page 420 for more details).
- If you want to run sftp-server, add the following line to /etc/ssh/sshd_config:
Subsystem sftp /usr/libexec/sftp-server
It should be present by default.