Securing the FTP Server
By default, every account on the system can log in to the FTP server, authenticated against the system's password database, and is placed in its home directory. Each user can instead be jailed (chrooted) in its own home directory or in a directory you specify.
Jailing user accounts is highly recommended, especially when you are serving virtual hosts. The file responsible for the FTP server configuration is proftpd.conf, and this is its content:
[root@server2 etc]# vi proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Allow FTP resuming.
# Remember to set to off if you have an incoming ftp for upload.
AllowStoreRestart on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# Normally, we want files to be overwriteable.
<Directory /*>
AllowOverwrite on
</Directory>
# Needed for NIS.
PersistentPasswd off
# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in
# /home/foo chroot environment you would do this:
#
# DefaultRoot /home/foo foo
DefaultRoot /home/agustin/Documents agustin
Note. The last line of this file jails my user account in my Documents folder.
To point the jail at my web server's document root instead, I would replace:
DefaultRoot /home/agustin/Documents agustin
With:
DefaultRoot /var/www/html/ agustin
(Note: The directory html belongs to the host netcontrol.org)
For practice purposes, I now need to jail another user into /var/www/html/onetraining; the user jailed in this directory will be the system administrator for the onetraining.net domain.
I would edit /etc/proftpd.conf and add the following line at the end:
DefaultRoot /var/www/html/onetraining admin2
Now when user admin2 connects by FTP to onetraining.net, he or she is placed and jailed in the onetraining directory and cannot browse to any level above it.
Note. Make sure each user has the appropriate rights on the virtual hosting directory: even the administrator of a site rarely needs more than read, write and execute on it.
Restricting users and hosts
You may want to prohibit certain users or hosts from connecting to this server. You can edit proftpd.conf to restrict logins to particular hosts or domains.
Open the file and insert the following block anywhere in it:
<Limit LOGIN>
# Check the Allow list first; any client it does not match is refused
Order Allow,Deny
Allow from 168.34.26.60,mydomain.com,anotherdomain.net
Deny from all
</Limit>
Another file that controls access at the user level is /etc/ftpusers; it lists all users that are not allowed to connect to this server.
[root@server2 etc]# vi ftpusers
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
guest
anonymous
nobody
Every user that you do not want connecting to this server via FTP should be listed in this file. ProFTPD consults it as long as UseFtpUsers is on, which is the default.
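As an added audit script (not from the page or the ProFTPD project) that ties the jailing and ftpusers controls together: it reads a proftpd.conf, an ftpusers file and passwd/group data, and lists accounts that can still log in over FTP without any DefaultRoot jail. It assumes that DefaultRoot's optional argument is a group expression matched against the user's primary group (the page's username-named entries work because of user-private groups), treats the usual nologin shells as an approximation of ProFTPD's RequireValidShell check, and uses constructed sample files.

```python
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")

# Constructed sample files (not the page's real files), in the same formats.
PROFTPD_CONF = """\
DefaultRoot /home/agustin/Documents agustin
DefaultRoot /var/www/html/onetraining admin2
"""
FTPUSERS = "root\nnobody\n"
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
agustin:x:500:500::/home/agustin:/bin/bash
admin2:x:501:501::/home/admin2:/bin/bash
webdev:x:502:502::/home/webdev:/bin/bash
nobody:x:99:99::/:/sbin/nologin
"""
GROUP = "root:x:0:\nagustin:x:500:\nadmin2:x:501:\nwebdev:x:502:\nnobody:x:99:\n"

def parse_default_root(conf):
    """Return [(path, groups)] from DefaultRoot lines; empty groups = everyone."""
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(parts) >= 2 and parts[0].lower() == "defaultroot":
            groups = set(parts[2].split(",")) if len(parts) > 2 else set()
            rules.append((parts[1], groups))
    return rules

def jail_for(primary_group, rules):
    """Chroot path for this primary group, or None (plain group names only, no '!')."""
    for path, groups in rules:
        if not groups or primary_group in groups:
            return path
    return None

def unjailed_ftp_users(passwd=PASSWD, group=GROUP, ftpusers=FTPUSERS, conf=PROFTPD_CONF):
    """FTP-capable accounts (valid shell, not in ftpusers) with no DefaultRoot jail."""
    gid_to_name = {l.split(":")[2]: l.split(":")[0] for l in group.splitlines() if l}
    denied = {l.strip() for l in ftpusers.splitlines() if l.strip() and not l.startswith("#")}
    rules = parse_default_root(conf)
    exposed = []
    for entry in passwd.splitlines():
        fields = entry.split(":")
        if len(fields) < 7: continue                   # skip malformed lines
        name, gid, shell = fields[0], fields[3], fields[6]
        if shell in NOLOGIN_SHELLS or name in denied:
            continue                                    # cannot log in over FTP anyway
        if jail_for(gid_to_name.get(gid, ""), rules) is None:
            exposed.append(name)                        # logs in, but sees the whole tree
    return exposed
```

With the sample data only webdev is reported; adding a `DefaultRoot ~` line (jail everyone in their home) or listing the account in ftpusers clears it.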