Setting up the FTP server in FreeBSD 6.0
Start the FTP server
There are two ways to start ftpd: as a standalone daemon, or from inetd. inetd is the "super server" of UNIX systems. It can manage many network services, such as telnet, ssh, and ftp, and most system services are started through it. The advantage of using inetd is that all services are managed in one place and access rules, such as blocking certain source IP addresses, can be set there. The disadvantage is that every time a connection arrives, inetd must spawn the program that handles that service type, so it is relatively slow.
The other way is to run ftpd as a standalone daemon, that is, to execute the FTP daemon directly. When it receives a new connection it fork()s a child to handle it. This is faster and suited to dedicated FTP servers.
Use inetd
We will first introduce how to start the FTP server from inetd. Edit /etc/inetd.conf and remove the # at the beginning of the ftp lines (the last field is the program's argv[0] followed by its flags):
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
Next, send inetd a HUP signal so that it rereads its configuration:
# kill -1 `cat /var/run/inetd.pid`
Now you can start using FreeBSD's FTP service.
Use a standalone daemon
If you want to run ftpd as a standalone daemon, first make sure the FTP service is not enabled in inetd.conf. Then create the file /usr/local/etc/rc.d/ftpd.sh with the following content:
#!/bin/sh
# Control script for a standalone ftpd: start, stop or restart it.
ftpd_program="/usr/libexec/ftpd"
ftpd_flags="-D -l"   # -D: run as a daemon, -l: log each session via syslog
case $1 in
start)
    echo "Starting FTPD"
    $ftpd_program $ftpd_flags
    ;;
stop)
    echo "Stopping FTPD"
    killall ftpd
    ;;
restart)
    $0 stop
    sleep 1
    $0 start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
After editing, make the file executable:
# chmod 755 /usr/local/etc/rc.d/ftpd.sh
Then start the FTP daemon with:
# /usr/local/etc/rc.d/ftpd.sh start
If you want to stop the FTPD service, run the following command:
# /usr/local/etc/rc.d/ftpd.sh stop
Edit the welcome message
When we connect to an FTP server, we see two welcome messages: one before login and one after login. Take the following session as an example:
# ftp localhost
Trying ::1...
Connected to localhost.alexwang.com.
220-Welcome to My FTP Server.
220-
220-This is a welcome message
220-
220-Nice to see you.
220 vmware.alexwang.com FTP server (Version 6.00LS) ready.
Name (localhost:alex):
331 Password required for alex.
Password:
230-This is the message of the day.
230-
230-It will be shown after user login.
230 User alex logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
The lines prefixed with 220- are the pre-login message, which we call the welcome message. The lines starting with 230- are the post-login message, which we call the message of the day (motd). We can set both of these messages ourselves.
To set the message shown before login, create the file /etc/ftpwelcome and write your message in it. For the preceding example, the file contains:
Welcome to My FTP Server.
This is a welcome message
Nice to see you.
You do not need to write the 220- prefix or other protocol data; the FTP server adds it automatically. The post-login message is stored in /etc/ftpmotd, which you edit in the same way.
Restrict accounts and connection sources
We can prevent some accounts from logging in over FTP. When a user logs in to the FTP server, the login is refused if any of the following rules applies:
If /var/run/nologin exists, no account can log in. This file can be used to temporarily stop the FTP service.
Users must have a password to log in; users without a password cannot log in.
The user name must not appear in /etc/ftpusers.
None of the user's groups may appear in /etc/ftpusers.
The shell used by the user must be a valid shell, that is, one listed in /etc/shells.
Except in anonymous mode, the user name cannot be ftp or anonymous. Anonymous mode is described in the next section.
/etc/ftpusers defines the users and groups that cannot use the FTP service. Let's take a look at the content of this file:
# $FreeBSD: src/etc/ftpusers,v 1.13 16:47:08 maxim Exp $
#
# List of users disallowed any ftp access.
# Read by ftpd(8).
root
toor
daemon
operator
bin
tty
kmem
games
news
@guest
...
We can see that the users listed in this file are not allowed to log in over FTP. These are all preset system accounts, and we can edit the file to add other users.
In /etc/ftpusers, a name starting with "@" is a group name. For example, @guest in the preceding file means that members of the group guest cannot log in.
Besides controlling user accounts, we can also control connection sources when ftpd runs in inetd mode. All services started by inetd in FreeBSD can restrict connection sources through TCP Wrappers by editing /etc/hosts.allow. The default /etc/hosts.allow entries for ftpd are as follows:
# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow
If you want to block several IP addresses or domains from using FTP, you can use the following example:
# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : 210.122.13.5 : deny
ftpd : .edevil.cracker : deny
ftpd : ALL : allow
In the preceding example, we deny the host with IP 210.122.13.5 and every host in the edevil.cracker domain from using FTP, and the last line allows all other sources.
If you want only a few sources to be able to use FTP and to reject everyone else, you can set:
# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : 192.168.0. : allow
ftpd : my.friend.com : allow
ftpd : ALL : deny
This allows only the local host, 192.168.0.x, and my.friend.com to use FTP. Rules are evaluated in order and the first match wins, so the ALL : deny line must come last.
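As an added illustration, not part of the original article, the following Python evaluates hosts.allow-style rules the way TCP Wrappers does (first matching rule wins) against the two rulesets above, so you can check what a ruleset really permits before relying on it. It models only the pattern forms used on this page (exact host or IP, leading-dot domain suffix, trailing-dot network prefix, ALL); the client host names and addresses in the tests are constructed.

```python
def match_pattern(pattern, host, addr):
    """True if one client pattern matches the connecting host."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # domain suffix, e.g. .edevil.cracker
        return host.endswith(pattern)
    if pattern.endswith("."):        # network prefix, e.g. 192.168.0.
        return addr.startswith(pattern)
    return pattern in (host, addr)   # exact hostname or IP address


def parse_rules(text):
    """Parse 'daemon : client : action' lines; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemon, client, action = (f.strip() for f in line.split(":"))
            rules.append((daemon, client, action))
    return rules


def access(rules, daemon, host, addr):
    """First matching rule decides; with no match TCP Wrappers grants access
    (an /etc/hosts.deny file is not modelled here)."""
    for d, client, action in rules:
        if d in (daemon, "ALL") and match_pattern(client, host, addr):
            return action
    return "allow"


# Constructed rulesets reproducing the two hosts.allow examples above.
DENY_LIST = """\
# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : 210.122.13.5 : deny
ftpd : .edevil.cracker : deny
ftpd : ALL : allow
"""
ALLOW_LIST = """\
ftpd : localhost : allow
ftpd : 192.168.0. : allow
ftpd : my.friend.com : allow
ftpd : ALL : deny
"""


def decide(ruleset, host, addr):
    """Evaluate the ftpd decision for one connecting client."""
    return access(parse_rules(ruleset), "ftpd", host, addr)
```

Note that every rule names ftpd, so the ALL : deny line in the second ruleset does not restrict other inetd services.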
Modify the login directory: chroot
After logging in, a user lands in his or her home directory by default and can change to any directory in the system. If you want the user to be confined to the home directory and unable to reach other system directories, you can use the chroot function.
The so-called chroot makes a chosen directory the root directory as seen by the user. For example, after user alex logs in, /home/alex can become the root directory: when alex runs "cd /", he still stays in /home/alex, and "pwd" shows /. This way we make sure that users cannot wander into places they should not access, which is a great help to FTP security.
Setting chroot is simple: you only need to edit /etc/ftpchroot. The chroot setting is based on users and groups. Here are some examples:
alex
@guest
john /var/ftp
@other /var/ftp
The first line sets the root directory of user alex to his home directory after login. @guest on the second line means that every user in the group guest uses his home directory as the root directory. Lines 3 and 4 mean that user john and the group other both use /var/ftp as the root directory.
As long as we make good use of chroot, we strengthen the protection of the other directories in the system, so that unprivileged users cannot enter system directories. We recommend adding all users to /etc/ftpchroot when enabling the FTP service.
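As an added example, not code from the article or from ftpd itself, the following Python models the login refusal rules from the "Restrict accounts" section together with the /etc/ftpchroot lookup described here, so a configuration can be reasoned about offline. The ftpusers, ftpchroot and shells contents and the account table are constructed stand-ins for the real files; the order of checks and the first-match reading of ftpchroot are assumptions of this model, not a statement about ftpd's internals.

```python
FTPUSERS = "# disallowed any ftp access\nroot\ntoor\n@guest\n"
FTPCHROOT = "alex\n@guest\njohn /var/ftp\n@other /var/ftp\n"
SHELLS = {"/bin/sh", "/bin/csh"}          # stand-in for /etc/shells
# Constructed account table: name -> (password hash or "", shell, groups)
ACCOUNTS = {
    "alex": ("$h", "/bin/sh", ["alex"]),
    "root": ("$h", "/bin/csh", ["wheel"]),
    "john": ("$h", "/bin/sh", ["john", "other"]),
    "bob":  ("$h", "/bin/sh", ["bob", "guest"]),
    "nopw": ("",   "/bin/sh", ["nopw"]),
    "svc":  ("$h", "/usr/sbin/nologin", ["svc"]),
}


def login_allowed(user, nologin_exists=False):
    """Apply the article's refusal rules in order; return (ok, reason)."""
    if nologin_exists:                       # /var/run/nologin present
        return False, "/var/run/nologin exists"
    if user in ("ftp", "anonymous"):         # anonymous mode not enabled here
        return False, "anonymous FTP not enabled"
    if user not in ACCOUNTS:
        return False, "no such account"
    pw, shell, groups = ACCOUNTS[user]
    if not pw:
        return False, "account has no password"
    # Both plain user names and @group names in ftpusers deny access.
    denied = {l.split("#", 1)[0].strip() for l in FTPUSERS.splitlines()}
    if user in denied or any("@" + g in denied for g in groups):
        return False, "listed in /etc/ftpusers"
    if shell not in SHELLS:
        return False, "shell not in /etc/shells"
    return True, "ok"


def chroot_dir(user, home):
    """Root the user sees after login per /etc/ftpchroot; None = not chrooted.
    An entry without a directory chroots to the user's home directory."""
    groups = ACCOUNTS[user][2]
    for line in FTPCHROOT.splitlines():
        fields = line.split()
        if not fields:
            continue
        name, target = fields[0], (fields[1] if len(fields) > 1 else home)
        if name == user or (name.startswith("@") and name[1:] in groups):
            return target
    return None
```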