System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

ftp version not to be disclosed

 
SOLVED
Go to solution
chindi
Respected Contributor

ftp version not to be disclosed

Hi ,

We had an audit where we were asked to change ftp server information which was geting displayed when we connected through ftp session.

 

For ex: ftp 10.xx.xx.xx

Connected to xx.xx.xx.
220 ra FTP server (Revision 1.1 Version wuftpd-2.6.1(PHNE_34698) Fri Nov 10 1
0:21:03 GMT 2006) ready.
User (10.xx.xx.xx:(none)):

 

We removed all of tis informaiton by adding ftpaccess in our DR setup.

Jst wanted to ask whether the same can be done at DC site also ?

What are any problems arising out of addition of ftpaccess directory to existing ftp setup ?

all clients can still access as they were used to earlier right ????

6 REPLIES
Matti_Kurkela
Honored Contributor

Re: ftp version not to be disclosed

As far as I know, a FTP client should not depend on parsing the text portion of the FTP server responses for any information that is critical to the session. Only the response code ("220" in your example) is intended to be machine-readable: the rest is information for humans only and can be modified freely.

 

The ftpaccess file can do many things: with the "greeting" keyword you can change the FTP server information displayed to the client, but with other keywords you can change many other things. Changing the server information should be safe, but changing some of the other things may restrict or completely block some or all your clients.

 

Your question cannot be answered with certainty without knowing exactly what keywords you've put in your ftpaccess file.

 

See the man page of the ftpaccess file, on your system or here:

http://wu-ftpd.therockgarden.ca/man/ftpaccess.html

MK
chindi
Respected Contributor

Re: ftp version not to be disclosed

Hi Matti ,

 

root #/home/te >cat /etc/ftpd/ftpaccess


class all real,guest,anonymous *

limit all 10 Any /etc/msgs/msg.dead

#readme README* login
#readme README* cwd=*

#message /welcome.msg login
#message .message cwd=*

compress yes all
tar yes all

#log commands real
log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg

email user@hostname
greeting terse

Matti_Kurkela
Honored Contributor

Re: ftp version not to be disclosed

Your "limit" keyword defines a maximum of 10 simultaneous FTP connections for all types of logins at all times.

Without the ftpaccess file, the FTP server would accept an unlimited number of simultaneous logins.

 

So if your DC site is currently handling more than 10 simultaneous FTP connections at times of highest load, the limit of 10 simultaneous connections might be too low and could cause some clients to be rejected.

 

Otherwise, I don't see any problems that might be caused by adding that ftpaccess file to your production setup.

MK
chindi
Respected Contributor

Re: ftp version not to be disclosed

Hi Matti ,

 

Am not sure about number of simultaneous ftp connections.

Can i just hash this parameter ?

Matti_Kurkela
Honored Contributor
Solution

Re: ftp version not to be disclosed

Yes you can.

 

If your production setup has run successfully without the ftpaccess file, it should be obvious that all the settings in the file are optional: you don't have to specify any of them if you don't want to change the defaults. The man page even describes what happens if no limit is set (= it will be unlimited), so there is no requirement like "if you define a class, you must also define a limit for it".

 

If you are uncertain about adding a short configuration file like the ftpaccess file to your production system, you should check the description of every keyword in the file from the documentation (= the man page, accessible either from the link in my previous post, or with "man ftpaccess" on your system). If you don't understand some configuration line, don't add it; add only what is needed to satisfy your requirements, and nothing more.

MK
chindi
Respected Contributor

Re: ftp version not to be disclosed

Thanks Matti  again :)