Apr 17, 2001
This is the first in a series of documents I'm writing on utilizing EnGarde Secure Linux. In this document I show all of the necessary steps to enable the ftp daemon. Since it does not come enabled by default it is highly recommended that anybody running EnGarde Secure Linux read this.
Introduction
------------

This document provides the steps a user can perform to enable and configure the ftp daemon (ftpd) for EnGarde Secure Linux 1.0.1 (Finestra). It is assumed that the reader is familiar with operating as the root user and knows how to use a text editor such as vi(1) or pico(1).

The proper forum to ask questions is one of the "EnGarde Mailing Lists" (see "Resources" below). If you have a problem configuring the ftpd, please send an email to that list so one of the EnGarde developers can help.

Procedure
---------

Below are the steps you must perform to get the ftpd working. It is highly recommended that you follow all of these steps, in order, even though some of them are optional.

Step 1: Access Control
----------------------

Before anybody can connect to the ftpd you must first give them access by editing the file '/etc/hosts.allow'. You must add a line "vsftpd:" followed by a list of IP addresses you wish to grant access to. Some examples:

  To allow access from localhost:

    vsftpd: 127.0.0.1

  To allow access from everybody on the 192.168.1.0/24 subnet:

    vsftpd: 192.168.1.

  To allow access from two specific addresses:

    vsftpd: 192.168.1.100 192.168.5.53

  To allow access to everybody:

    vsftpd: ALL

Step 2: vsftpd Configuration
----------------------------

vsftpd has three configuration files:

  /etc/vsftpd.banned_emails -- List of anonymous email addresses to deny.
  /etc/vsftpd.chroot_list   -- List of local users to chroot.
  /etc/vsftpd.conf          -- General configuration options.

To ban a certain anonymous email address such as "mozilla@", simply put it in /etc/vsftpd.banned_emails, one address per line.

To chroot a local user to their home directory, put their username in /etc/vsftpd.chroot_list, one username per line. Please note this only matters if you:

  a) are allowing local users to log in.
  b) have "chroot_local_user=NO" in /etc/vsftpd.conf

The configuration options in vsftpd.conf are quite well commented, so I will not go into much detail here. I will just note a few defaults:

  a) anonymous logins are enabled by default
  b) anonymous users are chrooted to '/home/ftpsecure'
  c) the daemon runs as the user 'ftpsecure'

Step 3: Enable and Restart xinetd
---------------------------------

The first step is to make it so xinetd is enabled "by default". This means xinetd will start up whenever the machine is restarted. To do this, execute the command:

    # chkconfig --add xinetd

The next step is to start up xinetd right now. To do this, execute the command:

    # /etc/init.d/xinetd start

The ftpd is now running and will accept connections from any of the addresses you defined in "Step 1". The ftpd will also start up whenever the machine is booted.

Step 4: Populate the Tree
-------------------------

As said in "Step 2", all anonymous users are chrooted to "/home/ftpsecure". This means they will not be able to access any files outside of that directory. You should put all the files you want anonymous ftp users to see in this directory.

Although not necessary, it is recommended that you set up two files:

    /home/ftpsecure/etc/passwd
    /home/ftpsecure/etc/group

When an anonymous user issues the command "ls", the ftpd will search these files to get the userid to username mappings. If you do not have these files the user will see something like this (note the '0's):

    ftp> ls -la
    227 Passive mode engaged (127,0,0,1,30,4)
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0               0 Apr 13 20:03 that
    -rw-r--r--    1 0        0               0 Apr 13 20:03 this
    226 Directory send OK.

As a starting point, you can copy the system /etc/passwd to /home/ftpsecure/etc/passwd and the system /etc/group to /home/ftpsecure/etc/group. After this is done you should remove any users and groups that will not be used in /home/ftpsecure. For example, you will probably want to remove the users 'webd', 'halt', 'sync', etc.

A sample /home/ftpsecure/etc/passwd would be:

    root::0:0:root:/root:/dev/null
    nobody:*:99:99:Nobody:/:
    rwm:x:501:502:Ryan W. Maple:/home/rwm:/dev/null
    ben:x:500:502:Ben Thomas:/home/ben:/dev/null
    dave:x:502:502:Dave Wreski:/home/dave:/dev/null
    nick:x:503:502:Nick DeClario:/home/nick:/dev/null
    pete:x:504:502:Pete O'Hara:/home/pete:/dev/null

A sample /home/ftpsecure/etc/group would be:

    root::0:root
    nobody::99:
    gdftp::502:dave,nick,pete,ben,rwm

Now when a user executes the command "ls", they will see something like this (note that what was '0' is now 'root'):

    ftp> ls -la
    227 Passive mode engaged (127,0,0,1,109,222)
    150 Here comes the directory listing.
    drwxr-xr-x    2 root     root         4096 Apr 13 20:07 etc
    -rw-r--r--    1 root     root            0 Apr 13 20:03 that
    -rw-r--r--    1 root     root            0 Apr 13 20:03 this
    226 Directory send OK.

Resources
---------

EnGarde Mailing Lists:
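The "copy /etc/passwd and /etc/group, then prune them" part of Step 4, as an added example that is not part of the original article: a POSIX shell script that builds the chroot copies from the system files, keeps only the uids and gids that actually own something under the tree, and replaces every password field with '*' and every shell with /dev/null, so a copied system file never leaks a real hash or login shell to anonymous users. The function names and the tree and source paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the article's own code): derive /home/ftpsecure/etc/passwd
# and /home/ftpsecure/etc/group from the system files for the anonymous chroot.
# All paths are passed as arguments; function names are assumptions of this example.

# Distinct numeric owner uids (field 3 of 'ls -ldn') of everything under $1.
tree_uids() {
    find "$1" -exec ls -ldn {} \; | awk '{ print $3 }' | sort -un | tr '\n' ' '
}

# Same for the numeric group ids (field 4 of 'ls -ldn').
tree_gids() {
    find "$1" -exec ls -ldn {} \; | awk '{ print $4 }' | sort -un | tr '\n' ' '
}

# sanitize_passwd SRC "uid uid ...": keep only entries whose uid is listed,
# replace the password field with '*' and the shell with /dev/null so nothing
# in the chroot copy is usable as a credential or a login shell.
sanitize_passwd() {
    awk -F: -v keep="$2" 'BEGIN { OFS = ":"; n = split(keep, k, " ")
                                  for (i = 1; i <= n; i++) want[k[i]] = 1 }
        NF >= 7 && ($3 in want) { $2 = "*"; $7 = "/dev/null"; print }' "$1"
}

# sanitize_group SRC "gid gid ...": keep only listed gids, blank the
# (legacy) group password field.
sanitize_group() {
    awk -F: -v keep="$2" 'BEGIN { OFS = ":"; n = split(keep, k, " ")
                                  for (i = 1; i <= n; i++) want[k[i]] = 1 }
        NF >= 4 && ($3 in want) { $2 = "*"; print }' "$1"
}

# build_chroot_ids TREE SYSPASSWD SYSGROUP: write TREE/etc/passwd and
# TREE/etc/group containing only the ids that own files under TREE.
build_chroot_ids() {
    tree="$1"
    mkdir -p "$tree/etc"
    sanitize_passwd "$2" "$(tree_uids "$tree")" > "$tree/etc/passwd"
    sanitize_group  "$3" "$(tree_gids "$tree")" > "$tree/etc/group"
    chmod 644 "$tree/etc/passwd" "$tree/etc/group"
}

# Typical use on the server described in the article:
#   build_chroot_ids /home/ftpsecure /etc/passwd /etc/group
```

Users such as 'webd', 'halt' or 'sync' drop out automatically because nothing in the tree is owned by them; re-run the script after adding files owned by a new uid.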