Securing-Optimizing-RH-Linux-1_2_442
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
"/home/ftp/etc/group" file has entries for each of these allowed groups, each of which has just one
member. It is important that each guest group appears on its own line in the configuration file.
log security real,guest
This option, log security, enables logging of violations of the security rules for real, guest
and/or anonymous FTP clients. In our example, we log violations by users who use the FTP server
to access real accounts and by users who use the FTP server to access guest accounts
<real,guest>.
guest-root /home/ftp ftpadmin webmaster
restricted-uid ftpadmin webmaster
restricted-gid ftpadmin webmaster
These clauses, guest-root, restricted-uid and restricted-gid, specify and control whether or not
guest users are allowed access to areas of the FTP server outside their home directories
(this is an important security feature). In our example, we set the chroot() path for the users
<ftpadmin and webmaster> to </home/ftp>, and they cannot access each other's files because
they are restricted to their home directories <restricted-uid ftpadmin webmaster>, <restricted-gid
ftpadmin webmaster>. Multiple UID ranges may be given on the line. If a guest-root is chosen for
the user, the user's home directory in the <root-dir>/etc/passwd file is used to determine the
initial directory, and their home directory in the system-wide /etc/passwd is not used. This is a
security feature.
greeting terse
This option, greeting, specifies how much system information is displayed before the remote
user logs in. There are three parameters you can choose from: <full> is the default and shows the
hostname and daemon version of the server, <brief> shows only the hostname, and
<terse> simply says "FTP server ready" in your terminal.
keepalive yes
This option, keepalive, specifies whether the system should send keep-alive messages to the
remote FTP server. If set to yes, the death of the connection or a crash of the remote machine will
be properly noticed.
Configuration of the /etc/ftphosts file
The /etc/ftphosts file is used to define whether users are allowed to log in from certain hosts or
whether they are denied access.
Step 1
Create the ftphosts file (touch /etc/ftphosts) and add, for example, the following lines to it:
# Example host access file
#
# Everything after a '#' is treated as comment,
# empty lines are ignored
allow ftpadmin 208.164.186.1 208.164.186.2 208.164.186.4
deny ftpadmin 208.164.186.5
In the example above, we allow the user <ftpadmin> to connect via FTP from the explicitly listed
addresses <208.164.186.1 208.164.186.2 208.164.186.4>, and deny the <ftpadmin> user from
connecting from the site <208.164.186.5>.
Step 2
Now, change its default permissions to 600:
[root@deep /]# chmod 600 /etc/ftphosts
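As an added example (not part of the book or of wu-ftpd itself), the following Python checker parses an /etc/ftphosts file in the format described above and decides whether a given user may log in from a given address. It assumes that a matching deny entry always wins over allow entries, that a user with allow entries is admitted only from the listed addresses, and that address fields may be shell-style globs; the sample file content and the extra webmaster entry are constructed for illustration.

```python
import fnmatch

# Constructed sample /etc/ftphosts contents, based on the entries above,
# plus one hypothetical entry for webmaster that uses an address glob.
SAMPLE_FTPHOSTS = """\
# Example host access file
#
# Everything after a '#' is treated as comment,
# empty lines are ignored
allow ftpadmin 208.164.186.1 208.164.186.2 208.164.186.4
deny ftpadmin 208.164.186.5
allow webmaster 208.164.186.*   # hypothetical entry, constructed
"""


def parse_ftphosts(text):
    """Return a list of (action, user, [addrglob, ...]) tuples.

    Text after '#' is a comment and empty lines are skipped, as the file
    format requires. Any other line shape is reported as an error rather
    than silently ignored, since a typo here changes who may log in.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("allow", "deny"):
            raise ValueError("ftphosts line %d is malformed: %r" % (lineno, raw))
        rules.append((fields[0], fields[1], fields[2:]))
    return rules


def _matches(addr, globs):
    return any(fnmatch.fnmatchcase(addr, g) for g in globs)


def host_allowed(rules, user, addr):
    """Decide whether `user` may log in from `addr` (assumed semantics:
    deny wins; allow entries restrict; no entries means unrestricted)."""
    allows = [g for action, u, g in rules if action == "allow" and u == user]
    denies = [g for action, u, g in rules if action == "deny" and u == user]
    if any(_matches(addr, g) for g in denies):
        return False
    if allows:
        return any(_matches(addr, g) for g in allows)
    return True


RULES = parse_ftphosts(SAMPLE_FTPHOSTS)
```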