Linux Know-How provides a collection of introductory texts on often needed Linux skills.


Simple ftp server

We do not recommend setting up a plain ftp server other than on an internal network, behind a firewall and invisible from the outside world. FTP is insecure in that the login information (the user name and password) travels in plain text through the network and can be intercepted on an in-between server. Now, imagine a malicious individual administering a server at your Internet provider. He probably has a nice tool scanning all the passing-through traffic for the strings which normally accompany login activity. He automatically logs those and after some time has an impressive collection of user IDs and passwords to all kinds of places. Let's hope your important login information does NOT fall into his possession. (This administrator can also read your telnet connection and traffic, and any other unencrypted communication, including e-mail, icq traffic, etc. Ftp is not alone in its lack of security.)

There are telnet and ftp replacements that encrypt all the data they send over the network, and I use ssh whenever possible when talking across the public Internet. Encryption tools are also built into your web browser (e.g., Mozilla), and it is important to pay attention that your sensitive data (login information, credit card billing, etc.) is sent only to locations that support secure, encrypted connections.

With my older RedHat Linux distribution (RH<7.1), setting up an ftp server could not be simpler--it just worked out of the box. This is because the ftp service was enabled by default as one of the standard services (as are telnet and gopher) in the file /etc/inetd.conf. Here is the relevant part of my /etc/inetd.conf:

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
gopher stream tcp nowait root /usr/sbin/tcpd gn

The second part of my ftp server setup is in the file /etc/passwd which defines the ftp account:

ftp:*:14:50:FTP User:/home/ftp:

The ":" is a field separator. The first field is the account (user) name "ftp", the "*" in the second field indicates that the password is disabled (nobody can login under the "ftp" user name), the user id is 14, group id is 50, "FTP User" is a comment, the home directory is /home/ftp, the last field is empty (for "normal" user accounts, it specifies the name of the shell for the user).

Because this setup was already done for me by RedHat, anybody can ftp to my computer and either log in as a user (he/she will be prompted for a password and directed to his/her home directory) or log in as "anonymous" and give his/her e-mail address as the password. Any user can also enter something like this on the Netscape "location" line:

ftp://my_computer_name

and connect automatically (Netscape will take care of sending the "anonymous" user name and the e-mail address as password).

The "anonymous" ftp users are directed to the directory /home/ftp , which appears to be a root directory to them (they cannot access any directory above it). I put the files I want to serve in the subdirectory /home/ftp/pub .

The directory /home/ftp/bin contains the commands that the remote users are able to execute. On my system these are: compress, cpio, gzip, ls, sh, tar, zcat; all with execute-only (111) permissions.

The directory /home/ftp/etc contains the setup files necessary for the anonymous account to function (edited passwd, group, ld.so.cache). The directory /home/ftp/lib contains the libraries (I guess these libraries are used by the commands that the anonymous ftp users are allowed to run).

Red Hat 7.1 uses xinetd in place of the older inetd, and most of the network services are disabled by default. If you cannot telnet to yourself, or another network service you need is disabled, you may want to inspect the files in the directory /etc/xinetd.d and edit the file with the name of the service so that it contains: disable = no . This is for security reasons--you have to choose the services you need and enable just those. Don't enable ftp unless you require it--ftp has had quite a few security glitches in the past. If you enable network services, make sure you set up the files /etc/hosts.allow and /etc/hosts.deny conservatively for security.

Example file /etc/xinetd.d/tftp showing the service disabled:

service tftp
{
        disable = yes
        socket_type = dgram
        protocol = udp
        wait = yes
        user = root
        server = /usr/sbin/in.tftpd
        server_args = -s /tftpboot
}

If you don't have this file, look in the directory /etc/xinetd.d to see which services you have installed. The daemon for most services will start automatically at system startup if this startup is enabled using the command setup (as root).
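Two of the checks described above, as an added shell example that is not part of the original article: list which services under an xinetd.d directory are enabled (any file without disable = yes) and confirm that the ftp account in a passwd file has its password locked with "*". The xinetd.d tree and passwd lines it reads are constructed in the script, not taken from a real system.

```shell
#!/bin/sh
# Added audit helper (not part of the article): report which xinetd services are
# enabled and confirm the anonymous ftp account has its password disabled.

# Print the service name from each file under $1 that lacks "disable = yes".
# xinetd treats a service with no disable line as enabled, so it is listed too.
# Caveat: the "disabled =" list in the defaults {} block of xinetd.conf is not read.
enabled_xinetd_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[[:space:]]*#/ { next }                        # skip comment lines
            /^[[:space:]]*service[[:space:]]+/ { name = $2 } # "service tftp"
            /^[[:space:]]*disable[[:space:]]*=/ {            # "disable = yes"
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                disabled = (tolower(v) == "yes")
            }
            END { if (name != "" && !disabled) print name }
        ' "$f"
    done
}

# Exit 0 only when the "ftp" entry in passwd file $1 has a locked password field
# ("*" as in the ftp:*:14:50 line above, or a leading "!").
ftp_password_disabled() {
    awk -F: '$1 == "ftp" { found = 1; if ($2 == "*" || $2 ~ /^!/) ok = 1 }
             END { exit !(found && ok) }' "$1"
}

# Constructed sample xinetd.d tree: tftp disabled, telnet enabled, and a wu-ftpd
# file for service "ftp" with no disable line (so enabled). Prints the directory.
make_sample_xinetd_dir() {
    d=$(mktemp -d)
    printf 'service tftp\n{\n\tdisable = yes\n\tsocket_type = dgram\n}\n' > "$d/tftp"
    printf 'service telnet\n{\n\tdisable = no\n\tsocket_type = stream\n}\n' > "$d/telnet"
    printf '# no disable line\nservice ftp\n{\n\tsocket_type = stream\n}\n' > "$d/wu-ftpd"
    echo "$d"
}

sample=$(make_sample_xinetd_dir)
echo "Enabled xinetd services in $sample:"
enabled_xinetd_services "$sample" | sort     # prints: ftp telnet (one per line)
rm -r "$sample"
```

Point enabled_xinetd_services at the real /etc/xinetd.d and ftp_password_disabled at /etc/passwd to audit a live system; the script above only exercises the constructed sample.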


Last Update: 2010-12-16