FTP IN SOLARIS

What we are about to learn:

· FTP files location, packages & services
· FTP user types
· How to enable FTP for a real user
· How to enable FTP for a guest user
· How to enable FTP for an anonymous user
· How to check the users logged in via FTP
· How to restrict a user's access for FTP
· How to restrict a host's access for FTP
· How to restrict / allow a particular user from a particular host for FTP
File Transfer Protocol (FTP) works on port 21.

root@sol-test-1:>/# svcs -a | grep -i ftp
online         18:32:51 svc:/network/ftp:default

root@sol-test-1:>/# pkginfo -x | grep -i ftp
SUNWftpr      FTP Server, (Root)
SUNWftpu      FTP Server, (Usr)
SUNWncft      NcFTP - client application implementing FTP
SUNWtftp      Trivial File Transfer Server
SUNWtftpr     Trivial File Transfer Server (Root)

root@sol-test-1:>/# which ftp
/usr/bin/ftp

root@sol-test-1:>/# svcs -l ftp
fmri         svc:/network/ftp:default
name         FTP server
enabled      true
state        online
next_state   none
state_time   Sat Dec 27 18:32:51 2014
restarter    svc:/network/inetd:default

root@sol-test-1:>/# ls -l /etc/ftpd/
total 14
-rw-r--r--   1 root     sys         1518 Jan 22  2005 ftpaccess
-rw-r--r--   1 root     sys          946 Jan 22  2005 ftpconversions
-rw-r--r--   1 root     sys          104 Jan 22  2005 ftpgroups
-rw-r--r--   1 root     sys          108 Jan 22  2005 ftphosts
-rw-r--r--   1 root     sys          114 Jan 22  2005 ftpservers
-rw-r--r--   1 root     sys          198 Jan 22  2005 ftpusers

ftpaccess        primary config file for ftpd
ftpconversions   provides tar, compression, gzip support
ftphosts         allow / deny users from hosts
ftpservers       allows the administrator to define virtual hosts
ftpusers         lists the users denied access to the server
There are three types of FTP users:

1. Real users
2. Guest users
3. Anonymous users

REAL USERS are the actual users listed on the system. They can also log in with a shell (ssh/telnet), and can do damage according to their privileges.

GUEST USERS are the same as real users, but temporary. They should be removed as soon as their job is complete.

ANONYMOUS USERS are the general public, given access (download/upload) to a common shared location.
HOW TO ENABLE FTP FOR REAL USER

Real users are those who are actually listed / created on the system, so there is nothing extra to do for them. They can use FTP from anywhere if not restricted.

root@sol-test-1:>/# ftp 192.168.234.133
Connected to 192.168.234.133.
220 sol-test-1 FTP server ready.
Name (192.168.234.133:root): anurag
331 Password required for anurag.
Password:
230 User anurag logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
HOW TO ENABLE FTP FOR GUEST USER

A guest user is like a real user, but we create it temporarily.

Suppose a user "tempftp" is to be created for some time and given access for FTP:

root@sol-test-1:>/# useradd -d /export/home/ftp/tempftp -s /bin/false tempftp
User created with shell /bin/false.

root@sol-test-1:>/# mkdir -p /export/home/ftp/tempftp
Home dir created.

root@sol-test-1:>/# chown tempftp /export/home/ftp/tempftp
Owner changed.

root@sol-test-1:>/# passwd tempftp
New Password:
Re-enter new Password:
passwd: password successfully changed for tempftp

root@sol-test-1:>/# ftpconfig -d /export/home/ftp/tempftp
Updating directory /export/home/ftp/tempftp
The guest is restricted to this particular directory.

root@sol-test-1:>/# vi /etc/ftpd/ftpaccess
# guestuser username
guestuser tempftp
Make this entry beneath the "# guestuser username" comment line, then restart the service:

root@sol-test-1:>/# svcadm restart ftp
So… I think almost everything in the above config is clear, except one or two things: what about /bin/false and ftpconfig -d /export/home/ftp/tempftp?

OK… no problem, let's look at /bin/false.

As I said earlier, a real user can also log in via a shell (ssh / telnet). So if we create a guest user, it is a guest for FTP only, not for the system: for the system it is a real, valid user who would get all the facilities other normal users have, including telnet / ssh.

So… is it acceptable that I created a guest user for FTP, and later find that the curious user has logged in via telnet and is exploring the system?

To avoid this I gave him the /bin/false shell, so that he cannot log in via any shell. We also need to add this shell to the /etc/shells file (ftpd only accepts users whose login shell is listed there):

root@sol-test-1:>/# vi /etc/shells
"/etc/shells" [New file]
/bin/false
:wq!

Now see the effects:

root@sol-test-1:>/# ftp 192.168.234.133
Connected to 192.168.234.133.
220 sol-test-1 FTP server ready.
Name (192.168.234.133:root): tempftp
331 Password required for tempftp.
Password:
230 User tempftp logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

This user cannot go beyond this dir.

Let's see what happens if he tries telnet…

root@sol-test-1:>/# telnet 192.168.234.133
Trying 192.168.234.133...
Connected to 192.168.234.133.
Escape character is '^]'.
login: tempftp
Password:
Last login: Sat Dec 27 19:52:06 from sol-test-1
Connection to 192.168.234.133 closed by foreign host.

The password is accepted, but /bin/false exits immediately, so the connection is closed without a shell.
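An added audit helper, not from the original post, that checks the three things this section sets up for a guest account: a /bin/false login shell, that shell listed in /etc/shells, and a "guestuser" line in ftpaccess. The file paths are passed as arguments (my convention) so it can be run against copies of the files or a test tree.

```shell
#!/bin/sh
# Added audit helper (not from the original post): verify that an FTP guest
# account is confined the way the post describes.
# Usage: check_guest <user> <passwd-file> <shells-file> <ftpaccess-file>
# Prints one line per finding; returns 0 only when every check passes.
check_guest() {
    user=$1; passwd=$2; shells=$3; ftpaccess=$4
    rc=0
    # field 7 of passwd is the login shell; a guest must have /bin/false
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if [ -z "$shell" ]; then
        echo "FAIL: $user not found in $passwd"; return 1
    fi
    if [ "$shell" != "/bin/false" ]; then
        echo "FAIL: $user has interactive shell $shell"; rc=1
    fi
    # ftpd only accepts a login shell that is listed in /etc/shells
    if ! grep -qxF "$shell" "$shells"; then
        echo "FAIL: $shell is not listed in $shells (ftp login would be refused)"; rc=1
    fi
    # the "guestuser <name>" entry is what confines the account to its home tree
    if ! awk -v u="$user" '$1 == "guestuser" && $2 == u { found=1 } END { exit !found }' "$ftpaccess"; then
        echo "FAIL: no 'guestuser $user' line in $ftpaccess"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $user is a properly confined FTP guest"
    return $rc
}
```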
HOW TO ENABLE FTP FOR ANONYMOUS USER

It's the simplest one. Just pick a default location, say /var/ftp, and make the anonymous user restricted / limited to that folder only:

root@sol-test-1:>/# ftpconfig /var/ftp
Creating user ftp
Creating directory /var/ftp
Updating directory /var/ftp
HOW TO CHECK THE LOGGED IN USERS VIA FTP

Use ftpcount & ftpwho:

root@sol-test-1:>/# ftpcount
Service class realusers  -  0 users (no maximum)
Service class guestusers -  1 users (no maximum)
Service class anonusers  -  1 users (no maximum)

root@sol-test-1:>/# ftpwho
Service class realusers:
   -  0 users (no maximum)
Service class guestusers:
tempftp   4838  0.0  0.3 5352 2768 ?  S 19:57:35  0:00 ftpd: sol-test-1: tempftp: IDLE
   -  1 users (no maximum)
Service class anonusers:
ftp       4840  0.0  0.2 2848 1784 ?  S 19:58:03  0:00 ftpd: 192.168.234.200: anonymous/: IDLE
   -  1 users (no maximum)
HOW TO RESTRICT USER'S ACCESS FOR FTP

Enter in the following file the names of the users you do not want to give FTP access:

root@sol-test-1:>/# vi /etc/ftpd/ftpusers

The root user is already listed in this file; that is why root access for FTP is denied by default.
HOW TO RESTRICT HOSTS ACCESS FOR FTP

The file is /etc/ftpd/ftphosts:

root@sol-test-1:>/# vi /etc/ftpd/ftphosts
"/etc/ftpd/ftphosts" 4 lines, 108 characters
# ident "@(#)ftphosts 1.1 01/06/26 SMI"
#
# FTP server individual user host access file, see ftphosts(4).
#
deny 192.168.234.134
:wq!
root@sol-test-1:>/# svcadm restart ftp

I denied FTP access from 192.168.234.134; let's check this from that host:

root@sol-tst-2:>/# ftp 192.168.234.133
Connected to 192.168.234.133.
220 sol-test-1 FTP server ready.
Name (192.168.234.133:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.

Check the messages at sol-test-1:

root@sol-test-1:>/# tail -f /var/adm/messages
[………………]
Dec 27 23:52:00 sol-test-1 ftpd[5057]: [ID 512583 daemon.notice] FTP LOGIN REFUSED (name in /etc/ftpd/ftphosts) FROM sol-tst-2 [192.168.234.134], anonymous
Dec 27 23:52:15 sol-test-1 ftpd[5058]: [ID 512583 daemon.notice] FTP LOGIN REFUSED (name in /etc/ftpd/ftphosts) FROM sol-tst-2 [192.168.234.134], anonymous
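Those "FTP LOGIN REFUSED" lines are worth watching rather than just confirming once. The following is an added example, not part of the original post: it summarises refusals in /var/adm/messages per source address in the log format shown above and flags any source that reaches a threshold (the threshold and output layout are my own choices).

```shell
#!/bin/sh
# Added example (not part of the original post): summarise the "FTP LOGIN
# REFUSED" entries ftpd writes to /var/adm/messages per source address and
# flag sources that reach a threshold.
# Usage: ftp_refused_summary <messages-file> [threshold]   (default 5)
# Output: "<ip> <host> <refusals> <distinct-users>[ ALERT]" per source;
# exit status is 1 when at least one source was flagged, otherwise 0.
ftp_refused_summary() {
    file=$1; threshold=${2:-5}
    awk -v th="$threshold" '
        /FTP LOGIN REFUSED/ {
            # ftpd logs "... FROM <host> [<ip>], <user>"; extract that part
            if (match($0, /FROM [^ ]+ \[[^]]+], [^ ]+/)) {
                s = substr($0, RSTART, RLENGTH)
                split(s, f, /[][ ,]+/)          # f[2]=host f[3]=ip f[4]=user
                ip = f[3]; host[ip] = f[2]; count[ip]++
                if (!((ip, f[4]) in seen)) { seen[ip, f[4]] = 1; users[ip]++ }
            }
        }
        END {
            alert = 0
            for (ip in count) {
                flag = (count[ip] >= th) ? " ALERT" : ""
                if (flag != "") alert = 1
                printf "%s %s %d %d%s\n", ip, host[ip], count[ip], users[ip], flag
            }
            exit alert
        }' "$file"
}
```

Run it from cron against /var/adm/messages, or feed it a rotated copy; a non-zero exit is the signal to raise.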
HOW TO RESTRICT / ALLOW A PARTICULAR USER FROM A PARTICULAR HOST FOR FTP

Instead of restricting the entire host, we can restrict a single user from that host, and also allow that user from other hosts:

root@sol-test-1:>/# vi /etc/ftpd/ftphosts
"/etc/ftpd/ftphosts" 5 lines, 129 characters
# ident "@(#)ftphosts 1.1 01/06/26 SMI"
#
# FTP server individual user host access file, see ftphosts(4).
#
allow anurag 192.168.234.133 192.168.234.152
deny anurag 192.168.234.134 192.168.234.200
:wq!
root@sol-test-1:>/# svcadm restart ftp

Now user anurag is denied from 192.168.234.134 & 192.168.234.200 and allowed from 192.168.234.133 & 192.168.234.152.

Well… consider a situation: user anurag has two entries, one in /etc/ftpd/ftpusers [we know that this file denies user access, meaning anurag is denied for FTP] and the other in /etc/ftpd/ftphosts as

allow anurag 192.168.234.133 192.168.234.152

What should happen here? At one place he is denied and at the other he is allowed…

/etc/ftpd/ftpusers will supersede, and user anurag will be denied for FTP.
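To check a rule change before restarting ftpd, the following added example (my own code, not from the original post) models the decision described in the last two sections: ftpusers wins outright, then ftphosts "deny" and "allow" lines are applied for the user. The model is an assumption based on the behaviour shown above: a line with no user field, like the "deny 192.168.234.134" used earlier, is treated as applying to every user, and a user with any "allow" lines is accepted only from the addresses listed.

```shell
#!/bin/sh
# Added example, not from the original post: a simplified model of how ftpd
# decides a login from /etc/ftpd/ftpusers and /etc/ftpd/ftphosts.
# Modelled order (an assumption based on the behaviour described in the post):
#   1. a user listed in ftpusers is always denied;
#   2. a "deny <user> <addrglob>..." line matching the client address denies;
#   3. if the user has any "allow" lines, only the listed addresses are allowed;
#   4. a line with no user field ("deny <addrglob>") applies to every user.
# Usage: ftp_access <user> <client-ip> <ftpusers-file> <ftphosts-file>
# Returns 0 for allow, 1 for deny, and prints the reason.
host_in_list() {            # host_in_list <ip> <glob>...   (shell-style globs)
    ip=$1; shift
    for pat in "$@"; do
        case $ip in $pat) return 0 ;; esac
    done
    return 1
}

ftp_access() {
    user=$1; ip=$2; ftpusers=$3; ftphosts=$4
    set -f    # address globs are patterns; never expand them against file names
    if grep -qxF "$user" "$ftpusers"; then
        echo "deny: $user is listed in $ftpusers"; return 1
    fi
    has_allow=0
    while read -r kw name hosts; do
        case $kw in ''|\#*) continue ;; esac                 # blanks, comments
        if [ -z "$hosts" ]; then hosts=$name; name='*'; fi   # host-only line
        [ "$name" = "$user" ] || [ "$name" = '*' ] || continue
        case $kw in
            deny)  if host_in_list "$ip" $hosts; then
                       echo "deny: $ip matches a deny line for $name"; return 1
                   fi ;;
            allow) has_allow=1
                   if host_in_list "$ip" $hosts; then
                       echo "allow: $ip matches an allow line for $name"; return 0
                   fi ;;
        esac
    done < "$ftphosts"
    if [ "$has_allow" -eq 1 ]; then
        echo "deny: $user has allow lines but $ip is not among them"; return 1
    fi
    echo "allow: no rule restricts $user from $ip"; return 0
}
```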
Hello,
Thank you for the excellent guidance for using Solaris, etc. Very much appreciated.
Cheers,
R Morris