Re: ftpusers file

 
SOLVED
Go to solution
joe Kowalczyk
Occasional Contributor

ftpusers file

The ftpusers file is supposed to contain the names of users NOT allowed to ftp into the system. If I create an ftpusers file today and tomorrow I forget to add a new user to the ftpusers file, that new user is allowed to ftp into my system. Is there a better way to limit who can ftp into my system? Preferred would be a system where I must explicitly enter only the users I want to allow into my system.
Ted Ellis_2
Honored Contributor

Re: ftpusers file

tcp_wrappers may be something worth looking into... it wraps around several basic services to harden security for them... ftp is one of them... take a look here... you can download the info and then work through the configuration. The installation info is good...

ftp://ftp.porcupine.org/pub/security/index.html

Ted
Ken Hubnik_2
Honored Contributor

Re: ftpusers file

You can use the file /var/adm/inetd.sec. Under "ftp allow" put it by IP address or workstation address. Only those listed will be able to ftp.
John Poff
Honored Contributor

Re: ftpusers file

Hi,

You could use the ftpaccess file and set up a class of users that are allowed to ftp into the system.

JP
OneNeck UNIXSA
Frequent Advisor

Re: ftpusers file

I agree on the use of ftpaccess file. I like to put a group named fullftp in the /etc/group file and add the users that need ftp into this group.
Gary Yu
Super Advisor

Re: ftpusers file

Hi John,

Can I create a class in the ftpaccess file with real usernames like root or user1 instead of the 3 keywords "real", "guest", "anonymous"? I tried that, but it seemed all ftp access was denied then.
John Poff
Honored Contributor

Re: ftpusers file

Gary,

No, you have to specify a group in the ftpaccess file and not specific users. The good part about doing it that way is that you can control access to users through the /etc/group file and you don't have to modify the ftpaccess file every time you add or delete a user.

JP
Gary Yu
Super Advisor

Re: ftpusers file

Hi John, thanks for the instructions.

To define the group, is it a command in the ftpaccess file called "group", or do I just use the "class" command?

This is the class definition in my file:
class local real,guest,anonymous *.domain 0.0.0.0
class remote real,guest,anonymous *

It only accepts one of the keywords like "real", "guest", "anonymous"; how can I add a group ...
John Poff
Honored Contributor
Solution

Re: ftpusers file

Gary,

In your example of the ftpaccess file:

class local real,guest,anonymous *.domain 0.0.0.0
class remote real,guest,anonymous *


You have defined two groups, 'local' and 'remote'. You can add entries in your /etc/group file for 'local' and 'remote' (just like any other group you would create there), and then associate user ids with either of those groups depending on the access you want to give. You have three choices for your type, as you have noted. The 'real' type checks the userid against /etc/passwd, so the user has to have an account on your system. The anonymous type will match users using anonymous ftp. The guest type acts like a mix of the previous two types. The guest user is validated against /etc/passwd for a valid user account, and then the user is chroot'd to a directory which you set up in the /etc/passwd home directory entry for that user. I set up a Linux ftp server using the ftpaccess method, and I'm using the guest type of accounts. It seems to work great.

Does that help? I know it seems a little strange at first, but once you get the hang of the ftpaccess layout it makes a little more sense. :)

JP
Gary Yu
Super Advisor

Re: ftpusers file

Thanks John, it's very helpful, I would assign points to you if I was the thread author :)

Gary
John Poff
Honored Contributor

Re: ftpusers file

Gary,

You're welcome. I'm glad I could help you. I'd much rather hear that I helped somebody solve a problem than to get a bunch of points! :)

JP
OneNeck UNIXSA
Frequent Advisor

Re: ftpusers file

Or you can make a group, let's say ftpallow, and assign the userids allowed to ftp to it. Once this is done you can create a cron job with the following script; edit it for your environment, this one is for NIS.

#!/sbin/sh
# Rebuild /etc/ftpd/ftpusers so that every NIS account except the
# members of the NIS group "ftpallow" is denied ftp access.
cp -p /etc/ftpd/ftpusers /etc/ftpd/ftpusers.old

# start by denying every account in the NIS passwd map
/usr/bin/ypcat passwd | awk -F: '{ print $1 }' > /etc/ftpd/ftpusers

# then remove the members of ftpallow (4th field of the NIS group entry);
# grep must read the ypcat output, not /etc/group, for this to work with NIS
for user in $( /usr/bin/ypcat group | grep '^ftpallow:' | awk -F: '{ print $4 }' | sed -e 's/,/ /g')
do
    # anchor both ends of the name so "joe" does not also remove "joel"
    grep -v "^${user}\$" /etc/ftpd/ftpusers > /etc/ftpd/ftpusers.new
    cat /etc/ftpd/ftpusers.new > /etc/ftpd/ftpusers
    rm /etc/ftpd/ftpusers.new
done
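The same deny-everyone-except-a-group idea as the cron script above, written as an added example that is not part of the thread or of any poster's script. It works from passwd(4)- and group(4)-format files (for NIS, save the `ypcat passwd` / `ypcat group` output to files first), treats members whose primary gid is the allow group as allowed too, matches names exactly so a short name cannot clear a longer one, and replaces the ftpusers file atomically so ftpd never reads a half-written list. The group name `ftpallow`, the function name `gen_ftpusers` and the use of `mktemp` with a template (GNU/BSD style, not the HP-UX mktemp) are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate an ftpusers deny-list from an allow-list group.
# Everyone in PASSWD_SRC who is not a member of GROUPNAME (assumed here
# to be "ftpallow") is denied, so a newly created account is locked out of
# ftp until somebody deliberately adds it to the group.
#
# usage: gen_ftpusers PASSWD_SRC GROUP_SRC GROUPNAME OUTFILE
#   e.g. gen_ftpusers /etc/passwd /etc/group ftpallow /etc/ftpd/ftpusers
gen_ftpusers() {
    passwd_src=$1 group_src=$2 grp=$3 out=$4

    # gid of the allow group (group(4): name:passwd:gid:member,member,...)
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_src")
    if [ -z "$gid" ]; then
        echo "gen_ftpusers: group $grp not found in $group_src" >&2
        return 1
    fi

    # write to a temp file next to the target, then rename into place
    tmp=$(mktemp "${out}.XXXXXX") || return 1

    awk -F: -v g="$grp" -v gid="$gid" '
        # pass 1 (group file): remember the explicit members of the group
        FNR == NR {
            if ($1 == g) {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") allow[m[i]] = 1
            }
            next
        }
        # pass 2 (passwd file): deny every account that is neither an
        # explicit member nor has the allow group as its primary gid ($4)
        !($1 in allow) && $4 != gid { print $1 }
    ' "$group_src" "$passwd_src" | sort -u > "$tmp" || { rm -f "$tmp"; return 1; }

    chmod 644 "$tmp" && mv -f "$tmp" "$out"
}
```

Run it from cron the same way as the posted script; because the output is an exact-match, sorted list, `diff` against the previous copy makes a cheap audit of who gained or lost ftp access between runs.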
Hamdy Al-Sebaey
Regular Advisor

Re: ftpusers file

Joe,

For TCP-wrapper, it'll give you who is allowed to log in to the server and who is denied. I think it's not a good idea; you only need to allow and deny some users.
So the best way is to use both of the following files: ftpaccess and ftpusers.

Regards,
Hamdy
Thanks for sharing knowledge
Centric Group 18
New Member

Re: ftpusers file

Have you looked at /etc/ftpd/ftphosts file?

#ftphosts
#action user hostmask
accept root *
accept ftpuser *
deny * *

I don't really know if the deny all is needed, but this worked for me.