If you want to setup a secure anonymous ftp server then you might want to consider Proftpd.
ProFTPD grew out of the desire to have a secure and configurable FTP server, and out of a significant admiration of the Apache web server.
When the Project began, the most commonly used server was wu-ftpd. While wu-ftpd provides excellent performance and is generally a good product, it lacks numerous features found in newer Win32 FTP servers and has a poor security history. Many people, including the developers who work on ProFTPD, had spent a great deal of time fixing bugs and hacking features into wu-ftpd. Unfortunately, it quickly became clear that a complete redesign was necessary in order to implement the configurability and features desired.
In addition to wu-ftpd, there are a few of other FTP servers available which are designed to be light-weight and secure at the expense of configurability. For example, Troll FTP is an excellent FTP daemon which is considerably more secure and less resource-intensive than wu-ftpd. Unfortunately, while it is quite suitable for basic FTP services, it does not offer the feature set required for more sophisticated FTP sites.
ProFTPD is not a hack based on any other server, it's an independent source tree from the ground up. A number of well known and high traffic sites use ProFTPD. Proftpd
In this excerse we are going to setup a stand alone ftp daemon listening on port 21. It will allow anonymous read only access to the /ftp tree and also allow ftp logins from the local LAN. The clients on the local LAN will be allowed to read and write files and directories. The clients are going to be limited to the amount of total connects made, the amount of connects per client and the number of clients per ip address. The server is going to run with minimal privileges of the user "nobody" and full logging will be enabled. Finally, we are going to limit clients to specific connection timeouts and limit the command characters we will accept from all ftp clients.
####################################################### ### Calomel.org proftpd.conf BEGIN ####################################################### ServerName "YOUR_SERVER name" ServerType standalone AllowOverride off DefaultServer on ServerIdent off UseReverseDNS off IdentLookups off DisplayConnect /usr/local/etc/issue.ftp DisplayLogin /usr/local/etc/welcome.msg DisplayChdir /usr/local/etc/.message ScoreboardFile /var/run/proftpd.score ListOptions +R strict TimesGMT off AllowRetrieveRestart on ShowSymlinks off DenyFilter [^*/A-Za-z0-9_.-] # Lockdown connections and connection attemps. MaxClients 80 "Maximum of %m users are already connected." MaxInstances 80 MaxClientsPerUser 80 MaxHostsPerUser 80 MaxClientsPerHost 80 "Maximum of 80 clients per host allowed." MaxLoginAttempts 1 RequireValidShell no # Lockdown command send/recieve sizes and type. PassivePorts 49152 65534 SocketOptions rcvbuf 8192 SocketOptions sndbuf 8192 CommandBufferSize 512 # Limit login times and timeouts to drop dead clients. TimeoutLogin 60 TimeoutIdle 150 TimeoutNoTransfer 150 TimeoutStalled 150 # Log format and location TransferLog none ## Normal Mode LogFormat awstats "%t %h %u %m %f %s %b" ExtendedLog /var/log/xferlog read,write awstats ## Debug Mode for testing # LogFormat debug "%t %a %A %U %r %D %s %F %b %T" # ExtendedLog /var/log/xferlog all debug # No ftp user ever needs root RootLogin off # Port 21 and umask 022 Port 21 Umask 022 # Set the user and group that the server normally runs at. User nobody Group nobody # Setup fake properties if needed. DirFakeGroup On DirFakeUser On DirFakeMode 0400 # Limit ftp logins to the internal lan. <Limit LOGIN> Order allow,deny Allow from 10.10. Deny from all </Limit> <Global> # Limit CHMOD everywhere in the anonymous chroot <Limit SITE_CHMOD> DenyAll </Limit> <Limit EPSV EPRT PORT> DenyAll </Limit> </Global> # Normally, we want files to be over write able. <Directory /*> AllowOverwrite on </Directory> # A basic anonymous configuration, no upload directories. <Anonymous /ftp> # Allow logins if they are disabled above. <Limit LOGIN> AllowAll </Limit> User ftp Group ftp UserAlias anonymous ftp HideNoAccess on # Limit WRITE everywhere in the anonymous chroot <Limit WRITE> DenyAll </Limit> # Drop CHMOD permission <Limit SITE_CHMOD> DenyAll </Limit> </Anonymous> # ####################################################### ### Calomel.org proftpd.conf END #######################################################
Step 1: First you need to download the latest source code for proftpd. Make a directory to work in and change to that directory. We are going to use /tmp for the example. Goto the Proftpd home page and get the latest tar ball. Then untar it in /tmp and change to the directory proftpd un-tared into.
Step 2: You now need to build proftpd. We are going to build it without pam support to simplify the setup. This line will build the binaries and install them into the default path /usr/local/
./configure --disable-auth-pam && make && make install
Step 3: Now that proftpd is built and installed download the proftpd.conf file above and put it in /usr/local/etc/proftpd.conf.
The config file has a lot of options and there a few that will need your attention before you are ready to start the demon. Remember that entire books are written on Proftpd and we can not cover every option here. For the options we do not cover please take a look at the Proftpd project documentation.
ServerName is the name of the daemon sent to the clients. Proftpd is the normal string, but you can change that here.
DenyFilter is the list of characters we will accept. if a client sends a character not in this set the will recieve an error. Trust no one.
Lockdown connections and connection attemtps are are the timeouts in seconds we level against clients. if the client hits these limits they are disconnected.
Lockdown command send/recieve sizes and type is the section we list out the data connection ports and the send recieve buffer sizes. The defaults should be fine for any server.
The LogFormat directive comes in the "normal mode" and the "debug mode." When running the server in testing we suggest using the debug mode and you will see everything a client does. Remember you logs will get very large when debug is on, so use "normal mode" when you ftp server is ready to go live.
User and Group the server runs at is "nobody" for this example. This is the unprivileged user the server will run as.
Fake properties will obviscate the user, group and permisions of the file the clients will see. in the example we will be making the user ftp, the group ftp and the chmod 0400 for the directories. This will _NOT_ change the file system perms, just the what the ftp clients will see.
Limit ftp logins to the internal lan will keep anyone _not_ on the 10.10/16 network from being able to log in with any privileged user. All users will be able to log in with read only anonymous access though.
Global directives set rules for the entire server. We are going to DenyAll to any chmod commands. We are also going to DenyAll requests for EPSV (enhanced passive mode), EPRT (enhanced port mode), PORT (active ftp mode) access.
Directory is going to set the AllowOverwrite directive to on. This means that anyone on the local lan who authenticates a login with a privileged user can overwrite files if they have been given that permission.
Anonymous are the rule for all anonymous users. We are going to allow them to login under the name "ftp" or "anonymous". They will _not_ be able to write anything and they are restricted from chmod commands completly.
Now that proftpd is built and installed and the proftpd.conf is in place we can now start the daemon. The daemon will run as the user you selected in the conf file, "nobody" for this example, so make sure that user exists. When the ftp server starts it will listen on port 21 be default.
To start the daemon execute the following:
/usr/local/sbin/proftpd
To test the server use your favorite ftp client and point it to the machine you started the daemon on. Log in anonymously wit the user name "ftp" and the password "ftp@ftp.com". Once logged in you should be able to do a "ls -la" and see all of the files in the /ftp directory.
What is "server said: Forbidden command argument" ?The ftp client has sent a command to the server that is _not_ in the DenyFilter list. The DenyFilter is a list of characters the server will accept. Any other character is _not_ accepted and will recieve this error.
Why doesn't "ls -R" work? A recursive directory listing is a server intensive task and normally not allowed. If you really want to allow the ftp clients to do recursive listing then comment out the line "ListOptions +R strict" in the proftpd.conf file. We DO NOT recommend doing this as a single client can load your server by doing repeated "ls -R" requests.
Can a client resume / continue a incomplete download without starting over? Yes. Make sure the directive AllowRetrieveRestart is set to "on". This will allow for resumed downloads on the server side. Remember the client must also have the ability to resume downloads.
Can I hide a directory, but still allow access without a password?Yes, you can. By putting a period in front of the name of the directory it will not show up when the ftp user does a ls. If the user knows about it, they can change directory into that name by manually typing it out. Once in the hidden dir they can list out files using ls like normal.
Can I setup a message when the users connect?Yes you can. You need to put some text into the file you identified in the DisplayConnect directive. In the example we used the file /usr/local/etc/issue.ftp . In this file you could put something like the following and all users will see it when they connect.
###################################################################### #// \# #| Welcome Everyone! |# #\ //# ###################################################################### ...or how about ascii art? __ __ ___ ___ \ \ / / ___ | | __ ___ _ __ ___ | | \ \/\/ / / -_) | | / _| / _ \ | ' \ / -_) |_| \_/\_/ \___| _|_|_ \__|_ \___/ |_|_|_| \___| _(_)_