[svlug] chroot'ed ftp users

J C Lawrence claw at kanga.nu
Sat Dec 6 22:58:58 PST 2003


On Sat, 6 Dec 2003 20:04:17 -0800
Matt Billenstein <matt at vazor.com> wrote:

> Hi, I was successful in installing Debian and getting all the services
> I use configured for my router (ftp, samba for internal network,
> squid, firewall, ssh, adsl with Roaring Penguin PPPOE client, dhcp
> server, dnsmasq, dyndns client, custom kernel, etc).  After having
> used Redhat for this application for a long time, I'd have to say I
> like Debian better and it was easier overall to set up I think.

Spend some time with nmap: make sure you have only the services exposed
you really need on the outside.  I also recommend looking into shorewall
as it is rather nicely done.

> One question though, I have an ftp account I'd like to run chroot'ed
> so I add the username to /etc/ftpchroot but the problem is that when I
> login to the ftp server now, it acts like a blind ftp server.  I can't
> 'ls' the directory contents, but I can cd into directories and get
> files...  How do I change this?  I'm using the stable ftpd package.

Without answering the question directly, consider the muddleftpd
package.  An example config:

--<cut>--
[section] main
        ftpport 21
        maxusers 200
        logstrength 51
        logfile /var/log/anon-ftpd.log
        timeout 300
        logindump /etc/issue.ftp
        ipacl A:*
        pidfile /var/run/muddleftpd.pid
        email ftpmaster@domain
        group badusers
        group anonymous
        group localusers
        scratchfile /var/lock/muddleftpd.scratch
        hostname ftp.domain
[section] badusers
        nameacl A:root
        nameacl A:uucp
        nameacl A:news
        ipacl A:*
        authmethod disabled
        maxusers 0
[section] anonymous
        ipacl A:*
        nameacl A:anonymous
        nameacl A:ftp
        chroot 1
        authparams ftp
        authmethod anonymous
        chmoding 0
        welcome /var/ftp/welcome.msg
        cddump .message
        busydump /etc/msgs/msg.toomany
        umask 077
        access /:RLC
        access /pub/incoming/:ALC
[section] localusers
        ipacl A:*
        nameacl A:*
        chroot 1
        homedir /
        authmethod internal
        internal_passfile /etc/muddleftpd/muddleftpd.passwd
        access /:ALL
        fxpallow 1
--<cut>--

A very minor variant of this config is what is running on ftp.kanga.nu.

--
J C Lawrence
---------(*)                Satan, oscillate my metallic sonatas.
claw at kanga.nu               He lived as a devil, eh?
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
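The first piece of advice in the reply, scanning the router from outside to confirm that only the intended services are reachable, as an added example that is not part of the original post or its author's tooling: it parses nmap's greppable (-oG) output and reports every open port that is not on an allowlist. The scan text, the 192.0.2.10 address, the hostname and the allowlist of 21/tcp and 22/tcp are constructed for illustration; a real run would feed it `nmap -sS -p- -oG outside.gnmap <external-ip>` taken from a host outside the router.

```python
"""Audit an nmap greppable (-oG) scan of a router's outside interface against
an allowlist of the ports that are meant to be reachable from the Internet.

Added example, not part of the original post.  Produce the input with e.g.
    nmap -sS -p- -oG outside.gnmap <external-ip>
run from a host outside the router; the sample below is constructed.
"""
import re
import sys

# Constructed sample in nmap -oG format: besides ftp and ssh, this router is
# also answering on the samba and squid ports from the outside.
SAMPLE_GNMAP = """\
# Nmap scan initiated Sat Dec  6 21:00:00 2003 as: nmap -sS -p- -oG outside.gnmap 192.0.2.10
Host: 192.0.2.10 (router.example.net)\tStatus: Up
Host: 192.0.2.10 (router.example.net)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 139/open/tcp//netbios-ssn///, 3128/open/tcp//squid-http///\tIgnored State: closed (65531)
# Nmap done at Sat Dec  6 21:03:00 2003 -- 1 IP address (1 host up) scanned in 180.1 seconds
"""

# "Host: <ip> (<name>)<TAB>Ports: <list><TAB>Ignored State: ..." is the only
# line type in -oG output that carries port data.
HOST_PORTS_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*?)(?:\t|$)")

def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service), ...]}.

    Each list item is port/state/proto/owner/service/rpc/version/; only the
    first five fields are used here."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_PORTS_RE.match(line)
        if not m:
            continue                      # comments and 'Status:' lines
        ip, _name, port_list = m.groups()
        entries = hosts.setdefault(ip, [])
        for item in port_list.split(","):
            fields = item.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            entries.append((int(port), proto, state, service))
    return hosts

def unexpected_open_ports(text, allowed):
    """Open ports not in `allowed` (a set of (port, proto) pairs), per host."""
    findings = {}
    for ip, entries in parse_gnmap(text).items():
        extra = sorted((port, proto, service)
                       for port, proto, state, service in entries
                       if state == "open" and (port, proto) not in allowed)
        if extra:
            findings[ip] = extra
    return findings

# Policy for this example: only ssh and ftp belong on the outside interface.
ALLOWED_OUTSIDE = {(21, "tcp"), (22, "tcp")}

def main(path=None):
    """Exit status 1 if anything unexpected is open, 0 otherwise."""
    text = open(path).read() if path else SAMPLE_GNMAP
    findings = unexpected_open_ports(text, ALLOWED_OUTSIDE)
    for ip, items in findings.items():
        for port, proto, service in items:
            print(f"{ip}: {port}/{proto} ({service or 'unknown'}) open but not allowlisted")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run without arguments it audits the constructed sample and flags 139/tcp and 3128/tcp; with a path it audits a real -oG file. Keeping the allowlist explicit in the script makes the check repeatable after every firewall change, which is the point of the advice.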
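An added example (not from the original post and not muddleftpd's own code) that reads a config of the layout shown in the reply and checks the two properties that config relies on: every section users can actually log into carries `chroot 1`, and the `badusers` section is both disabled and the one that `root` lands in. The parser is a minimal one for the `[section] name` / `key value` layout visible in the post; that the first group listed under `main` whose `nameacl` matches a name is the one that applies is this example's assumption about muddleftpd, only `A:` rules are handled, and the `access` flag letters are not interpreted. The weak variant is constructed to show what the checks catch.

```python
"""Check a muddleftpd config of the shape shown in the post: sections real
users can log into must be chrooted, and a "deny" section must be disabled
and must be the one that root actually resolves to.

Added example.  The parser covers only the [section] name / key value layout
visible in the post and is not muddleftpd's own; "first listed group whose
nameacl matches wins" is an assumption about how the daemon picks a group."""
import fnmatch
import re

# The post's config, trimmed to the directives these checks look at.
POSTED_CONFIG = """\
[section] main
    group badusers
    group anonymous
    group localusers
[section] badusers
    nameacl A:root
    nameacl A:uucp
    nameacl A:news
    ipacl A:*
    authmethod disabled
    maxusers 0
[section] anonymous
    ipacl A:*
    nameacl A:anonymous
    nameacl A:ftp
    chroot 1
    authmethod anonymous
    access /:RLC
    access /pub/incoming/:ALC
[section] localusers
    ipacl A:*
    nameacl A:*
    chroot 1
    homedir /
    authmethod internal
    access /:ALL
"""

# Constructed weak variant: badusers listed last and localusers not chrooted.
WEAK_CONFIG = (POSTED_CONFIG
    .replace("group badusers\n    group anonymous\n    group localusers",
             "group localusers\n    group anonymous\n    group badusers")
    .replace("    chroot 1\n    homedir /", "    homedir /"))

SECTION_RE = re.compile(r"^\[section\]\s+(\S+)$")

def parse_config(text):
    """Return {section: {key: [values in order]}}; nameacl/group/access repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None:
            raise ValueError(f"directive before any [section]: {line}")
        key, _, value = line.partition(" ")
        current.setdefault(key, []).append(value.strip())
    return sections

def resolve_group(sections, username):
    """First group in main's 'group' order with an 'A:<glob>' nameacl that
    matches the user (assumption: first match wins; only A: rules handled)."""
    for grp in sections.get("main", {}).get("group", []):
        for rule in sections.get(grp, {}).get("nameacl", []):
            if rule.startswith("A:") and fnmatch.fnmatchcase(username, rule[2:]):
                return grp
    return None

def audit(sections, must_be_denied=("root",)):
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    for grp in sections.get("main", {}).get("group", []):
        if grp not in sections:
            findings.append(f"main lists group {grp!r} but no such section exists")
    for name, sec in sections.items():
        if name == "main":
            continue
        if sec.get("authmethod", [""])[-1] == "disabled":
            if sec.get("maxusers", [""])[-1] != "0":
                findings.append(f"{name}: authmethod disabled but maxusers is not 0")
        elif sec.get("chroot", ["0"])[-1] != "1":
            findings.append(f"{name}: login section without 'chroot 1'")
    for user in must_be_denied:
        grp = resolve_group(sections, user)
        if grp is None or sections[grp].get("authmethod", [""])[-1] != "disabled":
            findings.append(f"{user} resolves to group {grp!r}, which is not disabled")
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit(parse_config(cfg)) or "OK")
```

The posted config passes; the weak variant produces two findings, because reordering the `group` lines lets `root` fall through to `localusers` and dropping `chroot 1` leaves that section unconfined. The order of the `group` lines is therefore part of the security configuration, not cosmetics.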
