How To: Anonymous FTP Server Configuration

We will use only anonymous FTP and will not allow any non-anonymous user any access. Here we describe an anonymous FTP server setup that allows anonymous uploads. Any self-respecting guide on the subject will tell you that “this is a bad thing”. But how is it worse than allowing users to FTP from untrusted locations and transfer their passwords in clear text? Not everybody (especially Windows users) can easily set up an FTP tunnel via ssh.

I suggest using the stock RH wu-ftpd (version 2.6.0 at the time of writing). While it is rumored that there are “more secure” FTP daemons (Pro-FTP?), wu-ftpd appears to be the one most commonly used.

RH installs wu-ftpd (package wu-ftpd-2.6.0-1) by default in the server configuration. You are encouraged to check for updates, as running FTP is an important security concern. There is also a separate rpm package that creates a separate directory for the anonymous FTP home (anonftp-2.8-1). As anonymous FTP always does a chroot() system call (confining the user to a restricted file system), all the binaries and libraries it needs must be present inside that tree. The typical directory looks like this (output of ls -lRa in /home/ftp):

incoming:
total of 0

pub:
total of 0

Notice, though, that for whatever reason RH puts a copy of /bin/sh in /home/ftp/bin. I do not feel good about having it there, so it is chmoded to 0 with chmod 0 sh (it can also be removed completely).

Permissions on /home/ftp directories and files should be carefully considered. In the above example, all of the system files are owned by root and are only readable (executable where necessary) by all. Files in bin are only executable, as is the directory itself, to prevent the listing of its contents.

The interesting part is the permissions on pub and incoming.

Below follows the configuration file for FTP daemon (/etc/ftpaccess). It is well commented to the degree of being self-explanatory:

#only allow anonymous users; no other classes are defined
class anonftp anonymous *

#restrict the number of simultaneous users in the anonftp class (the name must match the class line above) and show this message when there are too many
limit anonftp 10  Any                 /toomany.msg

#prevent uploads everywhere (for now)
upload /home/ftp * no

#display the contents of some files upon login/cd
readme  README*    login
readme  README*    cwd=*
message /welcome.msg            login
message .message                cwd=*

#log all file transfers DISABLED
#log transfers anonymous

#prevent these file operations for anon users
delete          no      anonymous
overwrite       no      anonymous

#fast cd and aliasing for the same reason (not really necessary, but convenient)
alias   inc:    /incoming
cdpath  /incoming
cdpath  /pub
cdpath  /

#what is allowed in paths
path-filter  anonymous  /etc/pathmsg  ^[-A-Za-z0-9_.]*$  ^.  ^-

#prevent the retrieval of certain files
noretrieve .notar

#allow upload with NO subdirectory creation by anon users
upload    /home/ftp    /incoming   yes root wheel 0400 nodirs

#allow upload with subdirectory creation by anon users DISABLED
#upload    /home/ftp    /incoming   yes root wheel 0400 dirs

#prevent anon users from GETting files from incoming (you might not like it, but it
#is a good idea: it stops people from using your FTP server to store
#their own stuff, pics, warez, etc.)
noretrieve /home/ftp/incoming

That allows anonymous users, and only them, to download and upload in a somewhat (!) controlled manner.
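As an added example, not part of the original guide, wu-ftpd or the anonftp package, the following POSIX shell script checks a chroot tree against the permission scheme described above (everything root-owned, no group/other write bits outside incoming, an unlistable bin, bin/sh at mode 0, and files in incoming left at the 0400 the upload line assigns). The function name audit_ftp_chroot and its OWNER argument are my own; OWNER exists only so the check can be exercised on a scratch tree without root.

```shell
#!/bin/sh
# Hypothetical audit helper for the anonymous FTP chroot described above.
# Not part of wu-ftpd or Red Hat. Checks that every path is owned by OWNER
# (root in production), that nothing outside incoming/ is writable by
# group or other, that bin/ has no read bit (so it cannot be listed), that
# bin/sh is mode 0 if it still exists, and that files already sitting in
# incoming/ carry the 0400 mode the upload line in /etc/ftpaccess produces.

# _hits LABEL FIND-ARGS...  prints "LABEL: path" for every match of find.
_hits() {
    label=$1; shift
    find "$@" 2>/dev/null | sed "s|^|$label: |"
}

# audit_ftp_chroot [ROOT] [OWNER]
# Prints one line per finding; returns 0 when the tree is clean, 1 otherwise.
audit_ftp_chroot() {
    root=${1:-/home/ftp}
    owner=${2:-root}        # override only when testing on a scratch tree
    inc=$root/incoming
    report=$( {
        _hits "not owned by $owner" "$root" ! -user "$owner"
        # incoming/ has to be writable for uploads, so it is pruned here
        _hits "group/other writable" "$root" -path "$inc" -prune -o \
              \( -perm -0020 -o -perm -0002 \) -print
        # bin/ should be executable only: without a read bit it cannot be listed
        _hits "bin readable (listable)" "$root/bin" -prune -perm -0004
        # the copy of /bin/sh RH ships in the chroot should be chmod 0
        _hits "bin/sh not mode 0" "$root/bin/sh" ! -perm 0000
        # uploads arrive as root:wheel 0400; anything else got there some other way
        _hits "upload not 0400" "$inc" -type f ! -perm 0400
    } )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage on the FTP host (as root): audit_ftp_chroot /home/ftp
```

Run as root so that find can descend into the unlistable bin and incoming directories; as an unprivileged user those two subtrees are skipped silently.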