





Setting up FTP server
alany

2002-11-28, 11:42 am

Hello all Linux gurus... I'm setting up an ftp server in RH 8.0. I have a little problem with modifying the ftpaccess file to allow anonymous "upload".

Here I added a line in ftpaccess:

upload /var/ftp /testdir yes root root 0400 nodirs

I created testdir in /var/ftp. chmod 3773 /var/ftp/testdir.

What's wrong with this? Why doesn't it work?

I'm just trying to allow anonymous upload. After this is successful, I will further set up individual user upload and disallow anonymous.

Please advise. Thanks!
alany

2002-11-28, 12:00 pm

Then I restart the daemon:

#/etc/rc.d/init.d/xinetd restart

I also use:

#ftpshut now
#ftprestart

I guess both should be appropriate.
dpx

2002-11-28, 5:26 pm

I believe it has to do with chmod; try chmod 777 and if that works go with something more secure after.
Boulware5

2002-11-28, 6:00 pm

Is that wu.ftpd you are using? I have heard (I believe it is this one, not 100% sure) that wu.ftpd is very insecure. Something to keep in mind; might want to use another.
alany

2002-11-28, 11:26 pm

Thank you both for your feedback. I was able to get my ftp server to work... now I'm trying to control access to my ftp server. It's kinda fun....

For example, a user named Mike is able to ftp into my server, but has restricted access to his home directory only (i.e. /home/mike/pub).

I did this by modifying the /etc/passwd file:

mike:x:500:500:guest acct:/home/mike/./pub:/etc/ftponly

So if mike tries to access /home/jennifer/, he won't be able to (which is what I want).

But if he cds back further, he can access all my other directories on the server (i.e. /usr/local, /etc, /var, etc.).

How can I restrict it so that he has access to his /home/mike directory only?

Please advise. Thanks so much.

(p.s. I'm using wu-ftpd for this. I know it is insecure, but I'm required to set it up for now. As always, I prefer ssh or scp over anything, but I really need to know how to set up a true ftp server. Ultimately, I'd like to secure the ftp server as much as possible.)

Thanks again.
alany

2002-11-29, 12:35 am

I found out the solutions to my security questions... quite easily.

1. change the user shell to /bin/false in /etc/passwd

2. or add restricted-uid * in /etc/ftpaccess file.

problems solved.
Mr. Linux Guy

2002-11-29, 5:27 am

quote:
Originally posted by alany
I found out the solutions to my security questions... quite easily.

1. change the user shell to /bin/false in /etc/passwd

2. or add restricted-uid * in /etc/ftpaccess file.

problems solved.



A little hacking goes a long way. Glad you shared your solutions with the rest of us.
alany

2002-11-29, 9:52 am

For all that matters... here's how to install an ftp server on RH 8. I wish this was available when I started, but research really forces learning... anyway, here's the ftp server bible:

1. install wu-ftpd, xinetd, anonftp (if you want anonymous ftp installed... for security don't do it; just know how to do it and then disable it if you will)

2. edit your /etc/xinetd.d/wu-ftpd file by changing disable=yes to disable=no

3. modify your ftpaccess file. For example, to allow upload add this to the ftpaccess file:

upload /var/ftp /incoming yes root ftp 0600 nodirs

(this means allowing upload to directory /home/mike/incoming... obviously you have to do a "mkdir incoming" in the /home/ftp dir)

(p.s. make sure that you do "chmod 666 or 600" for the /home/mike dir)

4. add a user to ftpaccess:
in my example, I use mike, so here's what I added:

guestuser mike

make sure mike is in your server; for all newbies... do "useradd mike" then "passwd mike" and create a password

5. restart the ftp daemon by using one of the following methods:

#xinetd (easiest)
or
#/etc/rc.d/init.d/xinetd restart
or
#ftpshut now
#ftprestart

6. from a client machine (say Windows), test it:
>ftp 192.168.2.10 (your ftp server's address)

you should know how to do "put" (upload) or "get" (retrieve); if not, read some stuff on ftp

7. this should work... after you get over the hump, try playing around with the ftpaccess and passwd files to restrict access as I have referenced above

8. there's actually a lot more stuff you can do such as allowing user retrieval, overwrite, delete, etc. All of this is in your ftpaccess permission file.

9. to deny certain users access, edit your ftpusers file (/etc/ftpusers)

10. monitor, monitor your ftp server by checking /var/log/messages and /var/log/xferlog (for the file transfer log)

11. at the end of the day, unlearn everything you've learned today and look into setting up ssh and scp to ensure proper security of file transfers... unfortunately hackers out there hated me for saying this because they just love people using ftp :-)

my 2 cents.
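The HOWTO above and the first post use two different upload clauses (0400 root root / 0600 root ftp) and the thread floats chmod 777, 666/600 and 3773 for the drop directory. Added here (not code from the thread or from wu-ftpd) is a small audit that parses upload clauses in the simple form the thread uses, "upload <root-dir> <dirglob> <yes|no> <owner> <group> <mode> [dirs|nodirs]", and flags file and directory modes that turn an anonymous drop box into a world-readable share; the sample ftpaccess fragment is constructed, with the 0666/dirs clause added as a loose case.

```python
import re
import stat

# Constructed /etc/ftpaccess fragment: the two upload clauses from the thread plus
# a deliberately loose clause and a deny clause (simple wu-ftpd form assumed).
SAMPLE_FTPACCESS = """\
upload /var/ftp /testdir  yes root root 0400 nodirs
upload /var/ftp /incoming yes root ftp  0600 nodirs
upload /var/ftp /pub      yes ftp  ftp  0666 dirs
upload /var/ftp *         no
"""

UPLOAD_RE = re.compile(
    r"^upload\s+(?P<root>\S+)\s+(?P<glob>\S+)\s+(?P<allow>yes|no)"
    r"(?:\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<mode>[0-7]{3,4})"
    r"(?:\s+(?P<dirs>dirs|nodirs))?)?\s*$")

def parse_upload_clauses(text):
    clauses = []
    for line in text.splitlines():
        m = UPLOAD_RE.match(line.strip())
        if m:
            c = m.groupdict()
            c["mode"] = int(c["mode"], 8) if c["mode"] else 0   # octal as in ftpaccess
            clauses.append(c)
    return clauses

def audit_upload_clause(c):
    """Findings for one clause; an empty list means nothing to flag."""
    findings = []
    if c["allow"] != "yes":
        return findings                      # a deny clause grants nothing
    if c["mode"] & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("uploaded files writable by group/other")
    if c["mode"] & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("uploaded files readable by group/other: drop box becomes a share")
    if c["dirs"] == "dirs":
        findings.append("anonymous sessions may create subdirectories")
    if c["owner"] == "ftp" and c["mode"] & stat.S_IWUSR:
        findings.append("uploads owned and writable by the anonymous account")
    return findings

def audit_drop_dir_mode(mode):
    # Mode bits of the upload directory itself, e.g. 0o3773 from the first post
    findings = []
    if mode & stat.S_IROTH:
        findings.append("others can list the directory and fetch each other's uploads")
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable without sticky bit: anyone can delete or rename uploads")
    return findings
```

A 3773 or 1733 directory (write and search for others, no read, sticky bit) passes, while the 777 suggested earlier in the thread is flagged twice.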
Mr. Linux Guy

2002-11-29, 11:05 am

Great HOWTO!
alany

2002-11-29, 4:08 pm

Hey guys & girls,

I'm having a problem running telnet... will any Linux expert please stand up... and help me

I'm getting this error when executing a telnet session:

#telnet localhost
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
#
Mr. Linux Guy

2002-11-29, 4:53 pm

Let's rid ourselves of the obvious first: do you have "telnetd" running? If a server process that is specifically designed to respond to your client requests is not running, you won't get a response. Might want to check

$ ps -aux | less

output to see if this is the case or not.
alany

2002-11-29, 6:26 pm

Pardon my shortcoming... telnetd is not running so I'm troubleshooting it now... how do you execute the daemon? I think it is /usr/sbin/in.telnetd, right? I executed it and got an error message:

/usr/sbin/in.telnetd: getpeername: Socket operation on non-socket.
Mr. Linux Guy

2002-11-29, 7:13 pm

OK, that's your prob. Anytime you request a service from a server, the service you request has to be running on the server machine. Normally, you will find a number of startup scripts in /etc/rc?.d or something like that (the exact directory may vary with the distro you are running). The normal way to start a server is to find the server, then start it up like so:

/etc/init.d/telnetd start

The exact dir may vary, but the directory with the startup scripts is the one that you are looking for. The script will usually take any one of three arguments: "start", "stop" or "restart". The first will get you going. Usually there are directories in Linux like:

/etc/rc?.d

or something of the sort, where the '?' is any runlevel from 0 to 6. The daemons in these directories are started automatically upon startup. A link may need to be placed in the right directory for this to occur on bootup.

If there are any questions, please feel free to ask.
alany

2002-11-29, 8:25 pm

I don't have /etc/rc.d/init.d/telnetd on my computer. The telnet package is installed but I could not find telnetd.
Mr. Linux Guy

2002-11-30, 6:20 am

The directory should be something like /etc/init.d -- I think that is the place that the startup scripts are housed in Red Hat. Then there are /etc/rc1.d, /etc/rc2.d, etc. that have links to the scripts in /etc/init.d to determine what daemons are started up and stopped upon entering each run level. I think the script should be in /etc/init.d. If you cannot find the script, you can always use the find command:

$ find /etc -name "telnetd" 2>/dev/null

and it should spit out the right directory for you. Try this and see if it helps.

If you want to do this via GUI, I think most modern Linux distros have something like a "Service Configuration editor". If this doesn't get you where you need to be, let me know.
alany

2002-11-30, 10:22 am

Actually, it was just as simple as changing the telnet file in the xinetd directory from disable=yes to disable=no, just like ftp. Restart xinetd and the telnet daemon rocks.

Problem solved. Thanks Mr. Linux!
Mr. Linux Guy

2002-11-30, 10:41 am

That would have been my next step. Failing that, I would have checked the iptables firewall rules. But you solved your own problem . . . welcome to the club, dude! That is what Linux is all about.
alany

2002-11-30, 10:59 am

Not done yet... I need to allow permission to log in using Telnet. Currently the user receives the prompt to enter a login name (before, the prompt didn't pop up), but now the user cannot log in cuz no permission is allowed unless I give it to them. The search continues.
alany

2002-11-30, 3:10 pm

Another simple solution that eluded me... I tested telnet with the users that I created for ftp access, which were all restricted to have access only within their home directory (i.e. /bin/false or ftponly as noted above), and none of the users could log in to my telnet server. The solution was to change the user shell to /bin/bash (/etc/passwd) and everything worked.

My next step is to build an ssh server. Any feedback is appreciated. I've used ssh as a client many times, but never built the server. The challenge continues...
Mr. Linux Guy

2002-12-01, 6:18 am

It's basically the same thing, but I think that ssh runs on its own and not as a subservice of xinetd. Actually, setting up the telnet server was probably harder than setting up sshd will be. If something doesn't work right, just check your config files in /etc/ssh and then make any changes necessary. For them to take effect, stop the service, then start it up again.

Once you are done setting up your basic services, you may want to look into using iptables to only allow incoming requests for services that you have running as a security measure.
alany

2002-12-02, 10:12 am

Do you have to modify any files in /etc/ssh to make it work?

I appreciate the feedback.

Thanks,
Mr. Linux Guy

2002-12-02, 10:20 am

No, the default rules should work, but take a look at the files just so you can see what is in them. I usually just disable root logins via ssh, but that is usually the only customisation that I do. Once it is installed, just set it up to be started up as a service upon bootup, and you should be ready for rolling. If it doesn't work, let me know.
alany

2002-12-04, 2:05 am

I was not able to get ssh to work... I tried using putty to access (from Windows) and ssh from another Linux computer, but I couldn't get it to connect, let alone authenticate. sshd is running... "/etc/rc.d/init.d/sshd start". Did you modify any file in the /etc/ssh/* dir?
I was able to use the same system to ssh to a remote ISP server (Interland or Verio).

My goal is to build an ssh server.

I appreciate your insights.

Thanks
Mr. Linux Guy

2002-12-04, 6:39 am

Nope, I don't think so. Several things might be the problem. First off, check to see if the sshd daemon is running. (Please note the difference between the ssh service (client) and the sshd service (server)). If it is, that is not the prob. Next issue some commands like this:

# grep 'ssh' /var/log/messages > ~/ssh.msg
# grep 'ssh' /var/log/secure > ~/ssh.sec

Then browse through these files looking at potential reasons why the connexion was refused. Usually if you attempt to access a service and your request is denied, the refusal reason will be dumped to /var/log/secure. This may give you a tip on what is going on. Also try flushing your iptables sshd firewall rules by issuing

# iptables -F

Actually, this should flush all of your rules. Then stop the sshd service, then restart it. If it turns out you can connect, then issue:

# service iptables save

This will write out your current firewall rules (none). Then after this is done, reset your firewall chains one by one until you block all the ports that you do not want to accept requests from, and then resave it.

If this doesn't work, then we can try looking at your configuration file.
alany

2002-12-08, 2:29 am

I was out of town last week so I didn't get a chance to follow up sooner.

I've followed some of the commands you provided and got something, but I'm not sure why it's still not working...

Here's the output for /var/log/secure:

Received signal 15; terminating
Server listening on 0.0.0.0 port 22
Could not reverse map address 192.168.1.5
Accepted password for alan from 192.168.1.5 port 1705

I disabled the firewall feature in RH 8.0 so I don't think it's a port blocking issue, but I'm not sure... I'll start looking into and learning IPTABLES commands and see if I could use them to solve my problem.

thanks
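The /var/log/secure excerpt above already answers the question: "Accepted password for alan from 192.168.1.5" is a successful login, and "Could not reverse map address" is only sshd failing a reverse DNS lookup, not a refusal. Added here (not code from the thread) is a parser for that log format that splits sshd lines into accepted, failed and informational events and summarises them per source address; the sample lines are constructed, with a syslog prefix and hostname "rh8" assumed, and the failed attempts (including the older "illegal user" wording) added to show what a refusal looks like.

```python
import re
from collections import defaultdict

# Constructed /var/log/secure excerpt (syslog prefix and host "rh8" assumed), built
# around the sshd messages quoted in the thread plus a few failed attempts.
SAMPLE_SECURE = """\
Dec  8 02:10:01 rh8 sshd[812]: Received signal 15; terminating
Dec  8 02:10:02 rh8 sshd[901]: Server listening on 0.0.0.0 port 22
Dec  8 02:11:40 rh8 sshd[915]: Could not reverse map address 192.168.1.5
Dec  8 02:11:44 rh8 sshd[915]: Accepted password for alan from 192.168.1.5 port 1705 ssh2
Dec  8 02:15:03 rh8 sshd[930]: Failed password for mike from 192.168.1.5 port 1710 ssh2
Dec  8 02:15:09 rh8 sshd[931]: Failed password for illegal user admin from 10.0.0.9 port 40001 ssh2
Dec  8 02:15:12 rh8 sshd[932]: Failed password for root from 10.0.0.9 port 40002 ssh2
"""

ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
# Older OpenSSH logs "illegal user", newer ones "invalid user"; both are handled.
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed (\w+) for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port (\d+)")
NOISE = ("Could not reverse map address", "Server listening on", "Received signal")

def parse_secure(text):
    """Turn sshd lines into event dicts; anything unrecognised is dropped."""
    events = []
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            events.append({"result": "accepted", "method": m.group(1), "user": m.group(2), "src": m.group(3)})
            continue
        m = FAIL_RE.search(line)
        if m:
            events.append({"result": "failed", "method": m.group(1), "user": m.group(2), "src": m.group(3)})
            continue
        if any(n in line for n in NOISE):       # restarts, listen notices, reverse DNS
            events.append({"result": "info", "text": line.split("]: ", 1)[1]})
    return events

def summarize(events, fail_threshold=2):
    """Per-source accepted/failed counts plus alerts worth a second look."""
    per_src = defaultdict(lambda: {"accepted": 0, "failed": 0})
    alerts = []
    for e in events:
        if e["result"] in ("accepted", "failed"):
            per_src[e["src"]][e["result"]] += 1
            if e["result"] == "accepted" and e["user"] == "root":
                alerts.append("root logged in by %s from %s" % (e["method"], e["src"]))
    for src, c in per_src.items():
        if c["failed"] >= fail_threshold:
            alerts.append("%d failed logins from %s" % (c["failed"], src))
    return dict(per_src), alerts
```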
alany

2002-12-08, 2:35 am

Yike... I've discovered something... I've set up a bunch of test users (i.e. alan, mike, jenn) so obviously a directory such as /home/alan was created... do I need to add permission for alan to receive ssh connections? I know for ftp you need to add guestuser alan in the /etc/ftpaccess file for alan to be permitted to use ftp. Does SSH have something similar to the ftpaccess file???
Mr. Linux Guy

2002-12-08, 7:45 am

quote:
Originally posted by alany
Yike... I've discovered something... I've set up a bunch of test users (i.e. alan, mike, jenn) so obviously a directory such as /home/alan was created... do I need to add permission for alan to receive ssh connections? I know for ftp you need to add guestuser alan in the /etc/ftpaccess file for alan to be permitted to use ftp. Does SSH have something similar to the ftpaccess file???


No, I don't think so. There is no anonymous SSH as far as I know of. All of the users that have accounts on the box in question are generally allowed to login via ssh, although you can disable the root logins if you wish. Like I said above, it is a good bit simpler than setting up ftp.
alany

2002-12-08, 9:32 am

OK. I've figured it out... I was alluded to the ftp problem. I restricted ftp access by modifying the /etc/passwd file. If I changed the user shell back to /bin/bash, it worked... the user was able to connect via ssh. Although now I'm looking into restricting ssh access to specific directories so the user can only navigate within his home directory just like ftp. Does anyone know how to do this? I think you can do this by modifying the ssh_config file, but not too sure.
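The two posts above (the telnet one on 2002-11-30 and this ssh one) hit the same point: the login shell in /etc/passwd decides whether telnet and ssh let a user in at all, while the wu-ftpd "/./" marker in the home field only confines ftp guest sessions. Added here (not code from the thread) is a check over /etc/passwd-style entries that reports, per account, whether an interactive login is possible and where ftp would chroot it, and flags accounts whose ftp confinement does not carry over to ssh or telnet; the passwd fragment is constructed around the thread's entries, with "dave" added as the case where the shell was switched back to /bin/bash.

```python
# Constructed /etc/passwd fragment modelled on the entries discussed in the thread
# (user "dave" is an added case: wu-ftpd chroot marker but an interactive shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mike:x:500:500:guest acct:/home/mike/./pub:/etc/ftponly
alan:x:501:501:alan:/home/alan:/bin/bash
jenn:x:502:502:jenn:/home/jenn/./:/bin/false
dave:x:503:503:dave:/home/dave/./:/bin/bash
"""

# Shells the thread uses to deny telnet/ssh logins, plus the usual nologin shell
NO_LOGIN_SHELLS = {"/bin/false", "/etc/ftponly", "/sbin/nologin"}

def parse_passwd(text):
    """One dict per account; 'chroot' is the wu-ftpd guest root before '/./'."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":", 6)
        chroot = home.split("/./", 1)[0] if "/./" in home else None
        users.append({"name": name, "uid": int(uid), "home": home, "shell": shell,
                      "chroot": chroot, "interactive": shell not in NO_LOGIN_SHELLS})
    return users

def access_summary(user):
    """Human-readable statement of what this entry lets the user reach."""
    if user["interactive"]:
        text = "interactive login (telnet/ssh) possible, not confined to the home directory"
    else:
        text = "interactive login denied by shell %s" % user["shell"]
    if user["chroot"]:
        text += "; ftp guest session chrooted to %s" % user["chroot"]
    return text

def findings(users):
    """Entries whose ftp restriction gives a false sense of confinement."""
    out = []
    for u in users:
        if u["chroot"] and u["interactive"]:
            out.append("%s: ftp chroot at %s does not apply over ssh/telnet" % (u["name"], u["chroot"]))
        if u["uid"] == 0 and u["interactive"]:
            out.append("%s: uid 0 with an interactive shell; disable root logins in sshd" % u["name"])
    return out
```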
Mr. Linux Guy

2002-12-10, 11:51 am

quote:
Originally posted by alany
OK. I've figured it out... I was alluded to the ftp problem. I restricted ftp access by modifying the /etc/passwd file. If I changed the user shell back to /bin/bash, it worked... the user was able to connect via ssh. Although now I'm looking into restricting ssh access to specific directories so the user can only navigate within his home directory just like ftp. Does anyone know how to do this? I think you can do this by modifying the ssh_config file, but not too sure.


Hmmm, I'll look into it, but have never tried this. With FTP you could do chroot, but not sure about ssh. I will research this and post whatever I find out.
ccieToBe

2002-12-10, 12:46 pm

Yeah, you do this via chroot. I've never done this before, but am planning to in the very near future (to give users chrooted access to a web server). man chroot should get you started. The one major downside is that you have to include any utilities that the user needs access to (bash, perl...) in the user's chrooted directory structure.
Copyright 2003 - 2008 examnotes.net