A Linux User Reference

SECURITY

FTP

  • vsftpd

    Very Secure FTP Daemon. "Probably the most secure and fastest FTP server for UNIX-like systems."

    vsftpd configuration file - /etc/vsftpd/vsftpd.conf (or /etc/vsftpd.conf, depending on the distribution). Each option is KEY=VALUE, one per line, no trailing comments; the last occurrence of a key wins.

    # Local user access
    local_enable=YES                                 # Local (system) users may log in. Their shell must
                                                     # normally be listed in /etc/shells (enforced by
                                                     # pam_shells, or by check_shell on non-PAM builds)
    write_enable=YES                                 # Allow every FTP command that writes (STOR, DELE,
                                                     # MKD, RNFR ...). Required for uploads by anyone
    
    # Anonymous user actions
    anonymous_enable=YES                             # Allow anonymous logins ('anonymous' or 'ftp')
    write_enable=YES                                 # Must also be YES for the two upload options below
    anon_upload_enable=YES                           # Anonymous may upload; the target directory must be
                                                     # writable by the 'ftp' user
    anon_mkdir_write_enable=YES                      # Anonymous may create directories (same condition).
                                                     # The option is anon_mkdir_write_enable; there is no
                                                     # anon_mkdir_writable
    anon_world_readable_only=YES                     # Anonymous may only download world-readable files
    
    # File ownership
    chown_uploads=YES                                # Give anonymously uploaded files to another owner
    chown_username=<whoever>                         # That owner. The default is root, which is a bad
                                                     # choice: use a dedicated unprivileged account
    
    # Chrooting
    chroot_local_users=YES                           # Chroot local users to their home directory
    chroot_list_enable=YES                           # With chroot_local_users=YES the list file holds
                                                     # the users NOT to chroot; with =NO it holds the
                                                     # users TO chroot
    chroot_list_file=/etc/vsftpd/vsftpd.chroot.list
                                                     # vsftpd 2.3.5 and later refuse to chroot a user
                                                     # whose home directory is writable ("500 OOPS:
                                                     # vsftpd: refusing to run with writable root inside
                                                     # chroot()"). Make the home root-owned and
                                                     # unwritable and upload into a subdirectory instead
                                                     # of setting allow_writeable_chroot=YES
    
    # Guests
    guest_enable=YES                                 # Every non-anonymous login is mapped to the guest
                                                     # account supplied next
    guest_username=<user>                            # Default is 'ftp'
    
    # User access
    userlist_enable=YES                              # Check userlist_file BEFORE asking for a password
    userlist_deny=YES                                # YES (default): users in the file are DENIED and
                                                     # never prompted for a password. NO: ONLY users
                                                     # in the file may log in
    userlist_file=/etc/vsftpd/vsftpd.user_list
    
    # pasv_enable=YES                                # Passive mode: the server opens the data port and
                                                     # the client connects to it, which works through
                                                     # client-side firewalls and NAT. Pin the range with
                                                     # pasv_min_port/pasv_max_port so the server-side
                                                     # firewall can allow just those ports
    
    # tcp_wrappers=YES                               # Run incoming connections through TCP wrappers
                                                     # access control (/etc/hosts.allow, /etc/hosts.deny)
    
    # SSL
    ssl_enable=YES                                   # Enable FTP over TLS. Point rsa_cert_file and
                                                     # rsa_private_key_file at a real certificate and
                                                     # key. force_local_logins_ssl and
                                                     # force_local_data_ssl default to YES, so local
                                                     # users then cannot fall back to clear text; leave
                                                     # ssl_sslv2=NO and ssl_sslv3=NO. Anonymous sessions
                                                     # stay in the clear unless allow_anon_ssl=YES
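
    The options above are easy to get backwards (userlist_deny in particular) and several of them only bite in combination. The script below is an added example, not part of this page or of vsftpd: it reads a vsftpd.conf and prints the risky combinations discussed above, using vsftpd's documented defaults for anything the file leaves unset. The sample configuration embedded in it is constructed for the demonstration, and conf_get, conf_or and audit_vsftpd are names chosen here.

```sh
#!/bin/sh
# Added example (not from the page or vsftpd): audit a vsftpd.conf for the
# risky settings and easily confused options discussed above.
# Assumes POSIX sh, sed, tail, mktemp.

# Constructed sample configuration for the demonstration (fictional).
SAMPLE_CONF=$(cat <<'EOF'
# demo vsftpd.conf
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=root
chroot_local_users=YES
chroot_list_enable=YES
#allow_writeable_chroot=YES
userlist_enable=YES
userlist_deny=YES
ssl_enable=YES
force_local_logins_ssl=NO
ssl_sslv3=YES
EOF
)

# conf_get FILE KEY -> value of the last active "KEY=value" line (vsftpd
# honours the last occurrence). Commented-out and unset keys yield "".
conf_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\(.*\)$/\1/p" "$1" | tail -n 1
}

# conf_or FILE KEY DEFAULT -> value from the file, or DEFAULT if unset.
conf_or() {
    v=$(conf_get "$1" "$2")
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# audit_vsftpd FILE -> one finding per line on stdout; always returns 0 so
# the caller can count or grep the findings. Defaults are vsftpd's own.
audit_vsftpd() {
    f=$1
    if [ "$(conf_or "$f" anonymous_enable YES)" = YES ] &&
       [ "$(conf_or "$f" write_enable NO)" = YES ] &&
       { [ "$(conf_or "$f" anon_upload_enable NO)" = YES ] ||
         [ "$(conf_or "$f" anon_mkdir_write_enable NO)" = YES ]; }; then
        echo "anonymous uploads enabled: anon_upload_enable/anon_mkdir_write_enable with write_enable=YES"
    fi
    if [ "$(conf_or "$f" chown_uploads NO)" = YES ] &&
       [ "$(conf_or "$f" chown_username root)" = root ]; then
        echo "chown_uploads=YES hands uploaded files to root (chown_username default); use an unprivileged user"
    fi
    if [ "$(conf_or "$f" userlist_enable NO)" = YES ]; then
        list=$(conf_or "$f" userlist_file /etc/vsftpd.user_list)
        if [ "$(conf_or "$f" userlist_deny YES)" = YES ]; then
            echo "userlist_deny=YES (default): $list is a DENY list"
        else
            echo "userlist_deny=NO: only users in $list may log in"
        fi
    fi
    if [ "$(conf_or "$f" chroot_local_users NO)" = YES ] &&
       [ "$(conf_or "$f" chroot_list_enable NO)" = YES ]; then
        echo "chroot_local_users=YES + chroot_list_enable=YES: chroot_list_file lists users NOT chrooted"
    fi
    if [ "$(conf_or "$f" chroot_local_users NO)" = YES ] &&
       [ "$(conf_or "$f" allow_writeable_chroot NO)" = YES ]; then
        echo "allow_writeable_chroot=YES: a writable jail root lets users plant files the jail trusts; vsftpd >= 2.3.5 refuses this by default"
    fi
    if [ "$(conf_or "$f" ssl_enable NO)" = YES ]; then
        [ "$(conf_or "$f" force_local_logins_ssl YES)" = YES ] ||
            echo "force_local_logins_ssl=NO: local passwords may be sent in clear text"
        [ "$(conf_or "$f" force_local_data_ssl YES)" = YES ] ||
            echo "force_local_data_ssl=NO: data connections may be unencrypted"
        [ "$(conf_or "$f" ssl_sslv2 NO)" = NO ] && [ "$(conf_or "$f" ssl_sslv3 NO)" = NO ] ||
            echo "SSLv2/SSLv3 enabled: set ssl_sslv2=NO and ssl_sslv3=NO"
    fi
    return 0
}

# Stand-alone demo: audit the constructed sample.
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
audit_vsftpd "$demo_conf"
rm -f "$demo_conf"
```

    Run it as 'sh audit.sh' to see the findings for the embedded sample, or source it and call audit_vsftpd /etc/vsftpd/vsftpd.conf. It only sees what is in that one file: options supplied on the vsftpd command line or in a per-user file under user_config_dir are not covered.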
    
  • vsftpd
    displaying a message
    .message file

    vsftpd shows the content of this file when a user 'cd's (during an ftp session) into the directory containing it, provided dirmessage_enable=YES is set in vsftpd.conf (the file name comes from message_file, which defaults to .message).

    # echo "Interesting stuff here" > /<adir>/.message
    
    .....
    ftp> cd /<adir>                                
    250-Interesting stuff here
    

    Where <adir> is a directory accessible by a user during a ftp session.

    motd (message of the day) file

    Present users with a 'welcome' message on successful login (message of the day). Note that vsftpd does not read a motd file: its login greeting is set in vsftpd.conf with ftpd_banner=<text> or banner_file=<path>. The file below is the convention of the classic ftpd daemons.

    # cp /etc/motd /home/ftp/etc
    # vi /home/ftp/etc/motd
    

    Put message in 'motd' file.

  • vsftpd access control files
    Control login access - /etc/nologin

    If this file exists all non-root logins are refused and its contents are displayed to the user. That is the behaviour of the PAM module pam_nologin, not of vsftpd itself, so it only applies if pam_nologin is in the PAM stack vsftpd uses (pam_service_name, normally /etc/pam.d/vsftpd); check that stack before relying on it.

    Control user ftp access - /etc/ftpusers

    Users listed in this file are not allowed ftp access. vsftpd enforces it through pam_listfile in that same PAM stack, and the path is distribution specific (/etc/ftpusers on Debian, /etc/vsftpd/ftpusers on Red Hat derivatives); the vsftpd-native equivalent is userlist_file with userlist_deny=YES.

    Treat user as "anonymous" - /etc/ftpchroot

    Users listed in this file are chroot'ed to their home directories like the anonymous 'ftp' user, but still log in with their own password. This file is the BSD ftpd(8) convention; vsftpd does not read it and uses chroot_local_users / chroot_list_file in vsftpd.conf instead.

  • Chrooted vsftpd
    • Anonymous users do not need a password (by convention they give an email address).
    • Two special login names facilitate this, "anonymous" and "ftp"; both refer to the same system account 'ftp' (vsftpd takes the anonymous root from the home directory of ftp_username, default 'ftp').
    • vsftpd implements directory listings itself and never executes /bin/ls, so the bin/ and lib/ steps below are not needed for vsftpd; they are what a classic ftpd or wu-ftpd anonymous jail requires. The ownership and permission steps apply to both, and vsftpd 2.3.5 and later refuse to start a session if the jail root is writable.

    Create user, home directory, directory tree, set permissions and ownership

    # adduser ftp                              (Create user and /home/ftp)
    # chown root:root /home/ftp                (Make it owned by root, not by ftp)
    # chmod 555 /home/ftp                      (Unwritable by anyone, traversable)
    # cd /home/ftp
    # mkdir bin etc lib pub                    (Create needed sub directories)
    # chmod 511 bin etc lib                    (Unwritable by anyone, searchable but not listable)
    # chmod 555 pub                            (Unwritable by anyone, listable)
    # mkdir pub/incoming                       (Upload directory: give it to the ftp user with
                                                mode 733, writable but not listable, so that
                                                uploads cannot be browsed)
    

    Copy required libraries and commands into the soon to be chrooted environment (classic ftpd / wu-ftpd only, see above)

    # cd /home/ftp
    # cp /bin/ls /home/ftp/bin/
    # chmod 111 /home/ftp/bin/ls                             (Make executable only)
    # ldd /bin/ls                                            (Determine which libraries 'ls' needs)
        librt.so.1 => /lib/librt.so.1 (0x4001e000)
        libc.so.6 => /lib/libc.so.6 (0x40030000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x40153000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
    
    # cp /lib/librt.so.1 /home/ftp/lib/
    # cp /lib/libc.so.6 /home/ftp/lib/
    # cp /lib/libpthread.so.0 /home/ftp/lib/
    # cp /lib/ld-linux.so.2 /home/ftp/lib/
    # chmod 555 /home/ftp/lib/*                              (Make readable and executable)
    # chown root:root /home/ftp/lib/*                        (Make them all owned by root)

    The dynamic loader inside the jail searches the same paths it would outside, so each library must sit at the same path under /home/ftp that it has on the host. The listing above comes from a system where everything lived in /lib; on a multiarch or 64-bit host ldd reports paths such as /lib64/ld-linux-x86-64.so.2 or /lib/x86_64-linux-gnu/libc.so.6, and those directories must be recreated under the jail.
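
    The ldd/cp/chmod sequence above is one instance of a general procedure: copy the binary, then every library the loader will look for, each to the same path under the jail. The script below is an added example, not from this page or from any ftpd package, that automates it for any dynamically linked program. The function names (ldd_libs, install_lib, install_bin, jail_mode) and the jail path are assumptions of the example; it parses both the modern two-column ldd output and the older format shown above.

```sh
#!/bin/sh
# Added example (not from the page or any ftpd package): build the bin/ and
# lib/ parts of an ftp chroot for any dynamically linked program, automating
# the manual ls/ldd/cp/chmod steps above. Assumes POSIX sh with ldd, sed, cp,
# ls and cut; root is needed only for the final chown and for running
# anything inside the jail.

# ldd_libs LDD_OUTPUT -> absolute path of every shared object ldd resolved,
# one per line. Handles both "name => /path (addr)" and bare "/path (addr)"
# lines; skips pseudo-libraries (linux-vdso) and "not found" entries.
ldd_libs() {
    printf '%s\n' "$1" |
      sed -n 's|.*=> *\(/[^ ]*\) (.*|\1|p; s|^[[:space:]]*\(/[^ ]*\) (.*|\1|p'
}

# install_lib JAIL LIB... -> copy each library into JAIL at the SAME absolute
# path it has on the host. The loader inside the jail searches /lib, /lib64,
# /lib/x86_64-linux-gnu ... exactly as it does outside, so dumping everything
# into JAIL/lib only works on hosts where that is where the libraries live.
install_lib() {
    jail=$1; shift
    for lib in "$@"; do
        mkdir -p "$jail$(dirname "$lib")" || return 1
        cp -L "$lib" "$jail$lib" || return 1     # -L: copy the target, not the symlink
        chmod 555 "$jail$lib" || return 1        # readable and executable, never writable
    done
}

# install_bin JAIL PROGRAM -> copy PROGRAM to JAIL/bin as execute-only (111),
# then install every library ldd reports for it.
install_bin() {
    jail=$1; prog=$2
    mkdir -p "$jail/bin" || return 1
    cp -L "$prog" "$jail/bin/$(basename "$prog")" || return 1
    chmod 111 "$jail/bin/$(basename "$prog")" || return 1
    install_lib "$jail" $(ldd_libs "$(ldd "$prog")")
}

# jail_mode JAIL PATH -> the "-r-xr-xr-x" style mode string of JAIL/PATH,
# for checking what was installed.
jail_mode() {
    ls -ld "$1/$2" | cut -c1-10
}

# Stand-alone use (as root):  sh mkjail.sh /home/ftp /bin/ls
if [ -n "$1" ] && [ -n "$2" ]; then
    install_bin "$1" "$2" || exit 1
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$1/bin" "$1"/lib*    # everything in the jail belongs to root
    fi
fi
```

    After running it as root, confirm the binary actually works inside the jail with 'chroot /home/ftp /bin/ls /'; a missing or misplaced library shows up as "No such file or directory" at that point, before any client does. The script does not do the rest of the hardening: /home/ftp itself must stay root-owned and unwritable, and nothing setuid belongs in bin/.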
    
  • wu-ftpd

    Washington University FTP daemon. Historically the default ftpd on many Linux distributions; it has been unmaintained since the early 2000s, so prefer vsftpd for anything new and treat the notes below as legacy reference.

    • If anonymous FTP users see UID and GID numbers instead of names in listings, name lookup is failing inside the chroot: the jail needs both the libnss_files.so library (next to the other libraries in /home/ftp/lib) and sanitised copies of /etc/passwd and /etc/group in /home/ftp/etc (see "wu-ftpd anonymous ftp user" below).

    Three kinds of FTP logins

    anonymous

    Logs in with the username 'anonymous' (or 'ftp') and, by convention, an email address as password

    real

    Logs in with a real username and password; the level of access is that of the user's own privileges

    guest

    Logs in with a real username and password, but the user is chroot'ed to their home directory

    Guest users are constrained to their home directory. As a result they do not have access to some necessary commands, e.g. '/bin/ls', so a minimal environment providing those tools must be set up inside it, exactly as for any other chroot.

    wu-ftpd guest user configuration - /etc/wu-ftpd/ftpaccess

    A sample configuration for 'guest' user - /etc/wu-ftpd/ftpaccess

    # wu-ftp configuration file
    deny-uid %-99 %65534-                              # Don't allow system accounts (uid/gid up to 99,
    deny-gid %-99 %65534-                              # and nobody/nogroup) to log in over ftp
    class all   real,guest  *                          # Deny anonymous ftp logins
    #class all   real,guest,anonymous  *               # Allow anonymous ftp logins
    email webmaster@your-domain.com
    loginfails 5                                       # Drop the connection after 5 failed logins
    banner    /etc/wu-ftpd/welcome.msg                 # Shown to every client before login
    
    # Welcome message and readme for Anonymous users   # <type> <filename> <when to display>
    message   /welcome.msg    login                    # Path is relative to the anonymous root,
                                                       # i.e. /home/ftp/welcome.msg
    readme    README*         login
    
    # Directory specific messages and readme
    message   .message        cwd=*                    # .message = /$PWD/.message
    readme    README*         cwd=*
    compress    yes      all                           # Allow on-the-fly compression and tar of
    tar         yes      all                           # downloads for all classes
    chmod       no       guest,anonymous               # Guest and anonymous cannot chmod
    delete      no       anonymous                     # Anonymous cannot delete files
    overwrite   no       anonymous                     # Anonymous cannot overwrite files
    rename      no       anonymous                     # Anonymous cannot rename files
    delete      yes      guest                         # Guest can delete files
    overwrite   yes      guest                         # Guest can overwrite files
    rename      yes      guest                         # Guest can rename files
    umask       no       guest                         # Guest may not change the umask (SITE UMASK)
    log transfers anonymous,real inbound,outbound      # What to log
    shutdown /etc/shutmsg                              # File written by ftpshut(8); while it exists
                                                       # new logins are refused before the shutdown
    passwd-check rfc822 warn                           # Anonymous password must look like an email
                                                       # address; only warn, do not refuse
    
    # Control what can be uploaded.  File names may consist
    # of letters (a-z, A-Z), numbers (0-9), an underscore
    # ("_"), dash ("-") or period (".") only.
    # The file name may not begin with a period or dash.
    # Message displayed (/etc/pathmsg) if file name is
    # invalid: "You have tried to upload a file with an inappropriate name"
    # Format: path-filter <typelist> <message_file> <allowed_regexp> [<denied_regexp> ...]
    path-filter  guest /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
    limit all 2                                        # At most 2 simultaneous sessions in class 'all'
    
    # Control what can be downloaded
    noretrieve passwd .htaccess core                   # Refuse to serve files with these names
    limit-time * 20                                    # Sessions are cut off after 20 minutes
    byte-limit in 5000                                 # Limit the data bytes a user may upload (in);
                                                       # out/total also exist. A transfer quota, not a
                                                       # per-file size limit
    guestuser *                                        # Treat every system user as a guest, i.e.
                                                       # chrooted to their home directory ...
    realgroup remote-supp                              # ... except members of group "remote-supp" and
    realuser mark                                      # user "mark", who keep real (unchrooted) access
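
    A path-filter line is one allow pattern followed by any number of deny patterns, and a name is accepted only if it matches the first and none of the rest. The function below is an added example, not from this page or from wu-ftpd, that applies that rule with grep's POSIX basic regexps (the flavour regcomp(3) gives wu-ftpd), so a proposed pattern set can be tried against real file names before it goes into ftpaccess; path_filter_ok and guest_upload_ok are names chosen here. It also shows one thing worth knowing about the pattern above: inside a bracket expression a backslash is an ordinary character, so '[-A-Za-z0-9_\.]' also admits a backslash in upload names.

```sh
#!/bin/sh
# Added example (not from the page or wu-ftpd): apply a wu-ftpd style
# path-filter rule to an upload name. Assumes POSIX sh, grep and basename.

# path_filter_ok NAME ALLOWED DENY... -> 0 (accept) if NAME matches ALLOWED
# and none of the DENY patterns; 1 (reject) otherwise. Only the last path
# component is checked, since the filter applies to the file name.
path_filter_ok() {
    name=$(basename -- "$1"); allowed=$2; shift 2
    printf '%s\n' "$name" | grep -q -- "$allowed" || return 1
    for re in "$@"; do
        printf '%s\n' "$name" | grep -q -- "$re" && return 1
    done
    return 0
}

# The rule from the ftpaccess fragment above, verbatim.
PAGE_ALLOWED='^[-A-Za-z0-9_\.]*$'
# Inside a bracket expression a backslash is literal, so the pattern above
# also admits '\'. This is the same character set without it.
TIGHT_ALLOWED='^[-A-Za-z0-9_.]*$'
DENY_DOTFILE='^\.'
DENY_DASH='^-'

# guest_upload_ok NAME -> 0 if NAME would pass the page's guest path-filter
guest_upload_ok() {
    path_filter_ok "$1" "$PAGE_ALLOWED" "$DENY_DOTFILE" "$DENY_DASH"
}

# Stand-alone demo: one verdict per candidate name.
for n in report.tar.gz .rhosts -rf 'two words' 'back\slash'; do
    if guest_upload_ok "$n"; then echo "accept  $n"; else echo "reject  $n"; fi
done
```

    The deny patterns are what stop '.rhosts' or '-rf' style names even though every character in them is individually allowed; keep them whenever the allowed set contains '.' or '-'.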
    
  • wu-ftpd access control

    wu-ftpd does not care if the file /etc/nologin exists. The two files that control access are:

    /etc/wu-ftpd/ftpaccess

    Controls user access

    /etc/ftpusers

    Lists of users that may NOT log in via FTP

    Restrict specific users to their home directories - /etc/wu-ftpd/ftpaccess

    guestgroup <groupname> [<groupname> ...]
    guestuser <username> [<username> ...]
    

    Prevent host ftp connections - /etc/wu-ftpd/ftpaccess

    # Format: deny <addrglob> <message_file>
    
    # Deny access to all users from the exodous.net domain and display
    # the message contained in the /home/ftp/.message_deny file.
    
    deny *.exodous.net /home/ftp/.message_deny
    
    # Comments:
    deny       - Always deny access to hosts that match a given address
    <addrglob> - A shell-style glob (not a regular expression) matched against the client's
                 IP address and its reverse-DNS name; a numeric address/prefix is also accepted.
               - Can also be a filename listing one pattern per line - must be an absolute
                 pathname i.e. starting with '/'.
               - Hosts whose address has no reverse DNS entry never match a name pattern; to deny
                 them explicitly use the special value !nameserved.
    

    Prevent specific users or groups from using ftp - /etc/ftpusers

    Two choices:

    • Add deny-uid and/or deny-gid lines to /etc/wu-ftpd/ftpaccess OR
    • Add username to /etc/ftpusers
  • wu-ftpd anonymous ftp user

    Done during the install process - sets

    user = ftp
    homedir = /home/ftp
    

    ftp user home directory structure

    /home/ftp
      bin/
      etc/
      lib/
      pub/
      welcome.msg
    
    /home/ftp/bin                 (Each copied binary execute-only, mode 111, owned by root)
      gzip
      ls
      tar
    
    /home/ftp/etc                 (Copies of /etc/passwd and /etc/group with every
      group                        password field replaced by '*', plus the
      passwd                       path-filter message. These give the 'ftp' user
      pathmsg                      user and group names instead of UIDs and GIDs.)
    
    /home/ftp/lib                 (The libraries ldd reports for the binaries in bin/,
      ld-linux.so.2                mode 555, owned by root, plus libnss_files.so for
      libc.so.6                    name lookups)
      libpthread.so.0
      librt.so.1
    
    /home/ftp/pub
      incoming/
      test.bestand
    

    '/home/ftp/etc' contains copies of '/etc/group' and '/etc/passwd' with every password (or hash) field replaced by '*'. This presents the 'ftp' user with user and group names instead of UIDs and GIDs. Copy only the accounts that own files under /home/ftp (typically root and ftp): the anonymous user can download these copies, so a full copy hands out the host's complete account list.
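
    Producing those sanitised copies by hand is error-prone, and a plain copy with the passwords blanked still ships the complete account list. The function below is an added example, not from this page or from wu-ftpd: it takes a passwd- or group-format file plus the account names to keep, replaces the password field with '*' and drops every other line. sanitize_nss is a name chosen here, and the sample passwd and group lines are constructed for the demonstration (the 'mark' entry deliberately carries a hash in field 2, as on a host without shadow passwords).

```sh
#!/bin/sh
# Added example (not from the page or wu-ftpd): generate the /home/ftp/etc
# passwd and group copies for an ftp chroot. Keeps only the named accounts
# and blanks the password field. Assumes POSIX sh and awk.

# Constructed sample files for the demonstration (fictional accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/home/ftp:/sbin/nologin
mark:$6$saltsalt$deadbeefcafe:1001:1001:Mark:/home/mark:/bin/bash'
SAMPLE_GROUP='root:x:0:
ftp:x:50:
wheel:x:10:mark'

# sanitize_nss SRC NAME... -> the lines of SRC whose first field is one of
# NAME, with the password/hash field (field 2) replaced by '*'. Works for
# both passwd and group files since both carry name:password:... .
sanitize_nss() {
    src=$1; shift
    awk -F: -v keep="$*" '
        BEGIN { OFS = ":"; n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { $2 = "*"; print }
    ' "$src"
}

# Stand-alone use (as root), keeping just the accounts that own jail files:
#   sanitize_nss /etc/passwd root ftp > /home/ftp/etc/passwd
#   sanitize_nss /etc/group  root ftp > /home/ftp/etc/group
# Demo on the constructed samples:
p=$(mktemp); g=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$p"
printf '%s\n' "$SAMPLE_GROUP" > "$g"
sanitize_nss "$p" root ftp
sanitize_nss "$g" root ftp
rm -f "$p" "$g"
```

    The output files should be root-owned and mode 444 like the rest of /home/ftp/etc; the shell and home fields are never used inside the jail, so it does not matter what they say.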

    Additional precaution

    If users are allowed to upload data into an incoming directory, do not allow the creation of sub-directories in that directory (in wu-ftpd, use the 'nodirs' keyword on the matching 'upload' line), and make the directory writable but not listable (owned by ftp, mode 733) so that one uploader cannot see or fetch what another has dropped off. Otherwise the server quickly becomes an anonymous file-exchange point.