After one spends a few years reading the different Linux mailing lists,
it becomes obvious that there are some requests for help that show up
every now and then. How to set up an anonymous FTP server is one of
these, for whatever reason. I'd rather use scp myself,
since it provides far more security than the FTP protocol. For those
of you who may not know about scp, it's simply a command
or utility that is part of the ssh suite. It allows you
to copy files from system to system while the whole
connection is encrypted.

In any case, since there seems to be so much interest on how to set up
an anonymous FTP server I decided to write a few lines on the issue that
will hopefully make things easier. Be warned, this is not meant to be
a comprehensive article on FTP, but solely a short document explaining
how to set up and configure an anonymous FTP server. That's all.

What daemon to choose

So, for starters, which daemon should you choose? There are plenty to
choose from out there. You can check the corresponding sections in
Freshmeat or LinuxApps. The most popular ones seem to be anonftpd,
ProFTPD and wu-ftpd. However, since it would be a waste to cover all
those in this article I will only write about configuring wu-ftpd.
Granted, quite a few people complain about this particular daemon
not being as secure as other daemons (for whatever reason, ProFTPD is
usually held as the main competitor in this sense), but like it or not
it is the one that comes bundled with a few Linux distributions
(including the one that is, again like it or not, the most popular one,
Red Hat).

Other than that, I guess it doesn't really matter that much which one
you choose. I mean, performance-wise there shouldn't be major
differences. Oh, by the way, even though I'm afraid some people will
not like this other decision, the truth is that I wrote this article
as if you are installing on a Red Hat system. I don't really think
differences would be that big in the case of many other distros, but
be warned just in case.

Installing the packages

Now, in the case of Red Hat you need to install two packages that come
with the Red Hat CD or that you can find in any Red Hat mirror FTP
server:

  • anonftpd*.rpm: you need this one in order to enable
    anonymous download from your server.
  • wu-ftpd*.rpm: this other one contains the FTP server
    daemon that will allow you to transfer files.

The installation is as simple as usual. Go ahead and, as root, enter
the following commands at the prompt:

    rpm -Uvh anonftpd*.rpm
    rpm -Uvh wu-ftpd*.rpm

Configuring the FTP server

Now, keep in mind that even though the following instructions may look
daunting at the beginning, FTP is a pretty easy protocol to maintain.
Once it is up and running, you barely need to update anything, although
you definitely need to keep an eye on the secure log files to make
sure everything is all right on the security front.

In any case, here is how the magic of anonymous FTP works. Instead of
allowing you total access to the system, it limits access to a given
directory. In other words, after you log into the system as the
anonymous user you only have access to the user ftp's home directory
and nothing else. If you enter cd /, which in most other
cases should take you to the system's root directory, it will most
likely only take you to /home/ftp (it's the default home
directory for the user ftp in my case).

How is this accomplished? Well, it's done via the chroot()
function call, which changes the root of ftpd to the user ftp's home
directory. By the way, you may also want to check the manual page for
the chroot command (man chroot) which also
happens to be available on your system as /usr/sbin/chroot.

So, let's go ahead and see the actual configuration files. These are
mainly ftpusers, ftpaccess and ftpconversions, and should be located
in the /etc directory. You will find a default copy of these files in
the /usr/doc/wu-ftpd-*/examples directory on your system.

To start with, the ftpusers file contains a list of all
those users who are not allowed to log into your FTP server. As
you can imagine, user root should be listed here. You
should also make sure that other special user accounts such as
lp, shutdown, mail, etc.
are included here.
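
One way to check that no special account was forgotten, as an added example that is not part of the original article: the function below prints every system account from a passwd file that is missing from ftpusers. The UID cut-off of 500, the function names and the sample accounts are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list system accounts that are NOT denied FTP logins.
# Assumption: UIDs below 500 are system accounts (classic Red Hat
# cut-off). The "ftp" account is skipped: anonymous logins run as it.

# missing_ftpusers PASSWD_FILE FTPUSERS_FILE [UID_LIMIT]
# Prints one account name per line; prints nothing when all are listed.
missing_ftpusers() {
    awk -F: -v deny="$2" -v limit="${3:-500}" '
        BEGIN {
            # Load the deny list, tolerating blank lines and # comments.
            while ((getline line < deny) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]/, "", line)
                if (line != "") denied[line] = 1
            }
        }
        # passwd: field 1 is the account name, field 3 the UID.
        $1 != "ftp" && $3 + 0 < limit + 0 && !($1 in denied) { print $1 }
    ' "$1"
}

# Constructed sample files, not taken from a real system.
demo_missing_ftpusers() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'lp:x:4:7::/var/spool/lpd:' 'mail:x:8:12::/var/spool/mail:' \
        'ftp:x:14:50::/home/ftp:' \
        'alice:x:500:500::/home/alice:/bin/bash' > "$tmp/passwd"
    printf '%s\n' '# constructed sample' 'root' 'lp' > "$tmp/ftpusers"
    missing_ftpusers "$tmp/passwd" "$tmp/ftpusers"   # prints: mail
    rm -rf "$tmp"
}

# Usage: sh check_ftpusers.sh /etc/passwd /etc/ftpusers
if [ $# -ge 2 ]; then missing_ftpusers "$@"; fi
```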

Then the ftpaccess file is used to configure issues such
as security, user definitions, etc. It's actually the general
configuration file. Some interesting settings that you can establish
here are:

  • loginfails [number]
    where number is the number of times
    that a user is allowed to fail to authenticate before being totally
    disabled.
  • shutdown [filename]
    where filename is the name of a file that, if it exists,
    automatically shuts down the FTP server without a need to actually
    close the port in the /etc/inetd.conf file and then
    restart inetd.

Finally, the ftpconversions file is used to offer
clients special "on-the-fly" conversions of files. For example, the
file on the server side may be stored as a gzipped compressed file but
when the client requests the file to download it comes down the FTP
connection as the regular file type that it was originally saved as.
This is used to save space on the server, and it is a nice feature
included in wu-ftpd.

The final touch

Now we still have to copy a few binaries to the ~ftp
directory. Remember we made this a chrooted environment? How is any
user going to be able to run commands such as ls or
gzip if the regular path is not available anymore? Go
ahead and copy some of these files:

  • cd ~ftp/bin
  • cp /bin/ls .
  • cp /bin/gzip .
  • chmod 0111 *

You will also need to copy some libraries:

  • cd ~ftp/lib
  • cp /lib/libc.so.6 .

And to wrap up, let's take a look at the permissions on the directories
and files:

  • Execute only for ~ftp/bin and ~ftp/etc:
    chmod 0111 *
  • Read and execute for ~ftp/pub, ~ftp/usr
    and ~ftp/var:
    chmod 0555 *
  • Write and execute for ~ftp/incoming if you decide to
    create it so anonymous users can upload files too (the administrator
    would then have to move those files manually to the ~ftp/pub
    directory):
    chmod 0333 *
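
The permission list above can be turned into a repeatable check. The script below is an added example, not part of the original article: it reads the list as the modes of the directories themselves, additionally reports anything outside incoming that is writable by everyone, and assumes GNU stat and find; the function name is made up for the example.

```shell
#!/bin/sh
# Added example: compare an anonymous FTP tree with the modes listed above.
# Assumes GNU stat and find, as shipped with Linux distributions.

# audit_ftp_tree FTP_HOME
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_ftp_tree() {
    ftp_home=${1%/}
    bad=0
    # directory:expected-mode pairs from the article
    for pair in bin:111 etc:111 pub:555 usr:555 var:555 incoming:333; do
        dir=${pair%%:*}
        want=${pair##*:}
        [ -d "$ftp_home/$dir" ] || continue     # incoming is optional
        have=$(stat -c '%a' "$ftp_home/$dir")
        if [ "$have" != "$want" ]; then
            echo "$dir: mode $have, expected $want"
            bad=1
        fi
    done
    # Only incoming/ may be writable by everyone; report anything else.
    # Unreadable directories (mode 0111) make find complain when it is
    # not run as root, so its error messages are discarded.
    loose=$(find "$ftp_home" -path "$ftp_home/incoming" -prune -o \
            ! -type l -perm -0002 -print 2>/dev/null || true)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/world-writable outside incoming: /'
        bad=1
    fi
    return "$bad"
}

# Usage: sh audit_ftp_tree.sh /home/ftp
if [ $# -ge 1 ]; then audit_ftp_tree "$1"; fi
```

Run it as root so that find can descend into the execute-only directories.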

You can also control security access via the well known tcp_wrappers
utility by configuring the /etc/hosts.allow and /etc/hosts.deny
files. The last touch, of course, is to uncomment the ftp line in the
/etc/inetd.conf file and restart the inetd daemon by running the
/etc/rc.d/init.d/inet restart command. Finally, if you ever need to
check the logs and see who is downloading or uploading what, log in
as root and take a look at the /var/log/xferlog file.
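
Reading xferlog by eye gets tedious on a busy server. The following added example (not from the original article) lists every anonymous transfer and totals them per host; the field positions follow the layout described in the xferlog(5) manual page and are an assumption here, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise anonymous transfers recorded in xferlog.
# Assumed field layout (xferlog(5)): the timestamp fills fields 1-5, then
#   6 transfer-time  7 remote-host  8 size  9 filename  10 type
#   11 action-flag   12 direction (i = upload, o = download)
#   13 access-mode (a = anonymous)
#   14 username (for anonymous logins, the string given as password)

# xferlog_anon_summary FILE
# Prints one line per anonymous transfer, then per-host totals.
xferlog_anon_summary() {
    awk '
        NF < 14 || $13 != "a" { next }    # skip short lines and real users
        {
            dir = ($12 == "i") ? "UPLOAD" : "DOWNLOAD"
            printf "%-8s %s %s %d bytes as %s\n", dir, $7, $9, $8, $14
            count[$7 " " dir]++
            bytes[$7 " " dir] += $8
        }
        END {
            for (k in count)
                printf "TOTAL %s: %d files, %d bytes\n", k, count[k], bytes[k]
        }
    ' "$1"
}

# Constructed sample log, not taken from a real server.
demo_xferlog() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Mon Jan 10 12:00:01 2000 2 client1.example.org 20480 /pub/README b _ o a guest@example.org ftp 0 * c
Mon Jan 10 12:05:42 2000 9 client2.example.net 734003 /incoming/data.tar.gz b _ i a x@ ftp 0 * c
Mon Jan 10 12:06:10 2000 1 client1.example.org 512 /home/alice/notes.txt a _ o r alice ftp 0 * c
EOF
    xferlog_anon_summary "$tmp"
    rm -f "$tmp"
}

# Usage: sh xferlog_summary.sh /var/log/xferlog
if [ $# -ge 1 ]; then xferlog_anon_summary "$1"; fi
```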