Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 445

Here, you can see that one user is logged in, 20 users are allowed to connect, and this user has the username “ftpadmin” and connects from a host that claims to be win.openarch.com.

ftpcount
The ftpcount program utility, which is a simplified version of ftpwho, shows only the current number of users logged in to the system and the maximum number of users allowed.

· To show only the current number of users logged in to the system and the maximum number of users allowed, use the following command:

[root@deep /]# ftpcount
Service class openarch             -   1 users ( 20 maximum)

Securing FTP

The ftpusers file
It’s important to ensure that you have set up a file “/etc/ftpusers” which specifies those users that are NOT allowed to connect to your FTP server. This should include, as a MINIMUM, the following entries: root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, nobody and ALL default vendor-supplied accounts present in your “/etc/passwd” file.

The anonymous FTP program
To disable anonymous FTP, remove the anonymous user “ftp” from your password file and verify that the anonftp-version.i386.rpm package is not installed on your system.

· To remove the user “ftp” from your password file, use the following command:

[root@deep /]# userdel ftp

· To verify that the RPM package of the anonymous FTP program is not installed on your Linux system, use the following command:

[root@deep /]# rpm -q anonftp
package anonftp is not installed

The upload command
By default, the Wu-ftpd server will grant upload privileges to all users. The upload parameter allows remote clients to upload and place files on the FTP server. For optimal security, we don't want users being able to upload into the “bin”, “etc”, “dev”, and “lib” subdirectories of the “/home/ftp” directory.

In our “/etc/ftpaccess” file we have already chroot'd users to “/home/ftp”, so they cannot access any area of the filesystem outside that directory structure, but in case something happens to the permissions on those directories, you should deny upload privileges in your “/etc/ftpaccess” file into these areas (/home/ftp/, /home/ftp/bin, /home/ftp/etc, /home/ftp/dev, and /home/ftp/lib). Edit the ftpaccess file (vi /etc/ftpaccess) and add the following lines to deny upload privileges into these areas:

# We don't want users being able to upload into these areas.
upload /home/ftp/* /    no
upload /home/ftp/* /etc no
upload /home/ftp/* /dev no
upload /home/ftp/* /bin no (required only if you are not using the “--enable-ls” option)
upload /home/ftp/* /lib no (required only if you are not using the “--enable-ls” option)
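As an added example, not from the book, the following POSIX shell audit checks the three hardening points above (the minimum ftpusers entries, the absence of the anonymous “ftp” account, and the upload-deny lines in ftpaccess). File paths are arguments so it can be run against copies; the sample files at the bottom are constructed for the demonstration, and the function names are our own.

```shell
#!/bin/sh
# Added audit helper (not Wu-ftpd or book code). Each function takes the file
# to inspect as an argument and returns 0 on pass, 1 on a finding.

# Accounts the text lists as the minimum content of /etc/ftpusers.
REQUIRED_FTPUSERS="root bin daemon adm lp sync shutdown halt mail news uucp operator games nobody"

# audit_ftpusers FILE: report each required account that FILE does not deny.
audit_ftpusers() {
    rc=0
    for u in $REQUIRED_FTPUSERS; do
        # ftpusers holds one username per line; drop comments and whitespace first
        if ! sed 's/#.*//; s/[[:space:]]//g' "$1" 2>/dev/null | grep -qx "$u"; then
            echo "ftpusers: $u is not denied" >&2; rc=1
        fi
    done
    return $rc
}

# audit_no_ftp_user PASSWD: the anonymous "ftp" account must be gone.
audit_no_ftp_user() {
    if grep -q '^ftp:' "$1" 2>/dev/null; then
        echo "passwd: anonymous user ftp still exists" >&2; return 1
    fi
}

# audit_upload_denies FTPACCESS [FTPROOT]: every area named in the text must
# carry an "upload <root>/* <dir> no" line (fields are compared, so spacing varies).
audit_upload_denies() {
    root="${2:-/home/ftp}"; rc=0
    for d in / /etc /dev /bin /lib; do
        if ! awk -v r="$root/*" -v d="$d" \
            '$1=="upload" && $2==r && $3==d && $4=="no" {f=1} END {exit !f}' "$1"; then
            echo "ftpaccess: missing 'upload $root/* $d no'" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not real system files) showing one failing and two passing checks.
tmp=$(mktemp -d)
printf 'root\nbin\ndaemon\nadm\n' > "$tmp/ftpusers"   # deliberately incomplete
printf 'root:x:0:0::/root:/bin/sh\n' > "$tmp/passwd"  # ftp account already removed
printf 'upload /home/ftp/* / no\nupload /home/ftp/* /etc no\nupload /home/ftp/* /dev no\nupload /home/ftp/* /bin no\nupload /home/ftp/* /lib no\n' > "$tmp/ftpaccess"
audit_ftpusers "$tmp/ftpusers"       && echo "ftpusers OK"  || echo "ftpusers FAIL"
audit_no_ftp_user "$tmp/passwd"      && echo "passwd OK"    || echo "passwd FAIL"
audit_upload_denies "$tmp/ftpaccess" && echo "ftpaccess OK" || echo "ftpaccess FAIL"
rm -rf "$tmp"
```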