Help needed to secure ftp anonymous incoming folder - SGI
-
Help needed to secure ftp anonymous incoming folder
Hello,
I have set up ftp as per SGI's instructions in IRIX 6.5.11. I am using
the SGI ftp server. Everything works, but I have permissions problems
with the incoming folder. It is already full of questionable movies...
The folder's permissions are d_wx_wx_wt. People have been connecting
anonymously, created a new folder in incoming, and put their stuff in
the new folder. When a new folder is created, the permissions are the
system's defaults (rwxrwxr_x or something like that). So how can I
make this more secure? I would like to be able to do either one of the
following:
1) Change the umask of user ftp (preferred)
2) Prevent anonymous ftp users from creating folders (more drastic)
I would appreciate any help on this, or other suggestions.
Thanks a lot,
John Connor.
-
Re: Help needed to secure ftp anonymous incoming folder
Nodrahc Technologies Inc. wrote:
> 1) Change the umask of user ftp (prefered)
> 2) Prevent anonymous ftp users to create folders (more drastic)
My hint to you is to either forget about an incoming/ completely or to
configure it in such a way that retrieving files is impossible or (if your
server software isn't capable of this) to prevent ls from showing directory
contents.
If you don't take care of this your ftp server will soon turn into a
warez and p0rn pit and all hell breaks loose.
Even if you take the steps above to tighten up your incoming/ you will
find files uploaded by robot scripts in there every day (those scripts
try to upload stuff and to download it again to find ftp servers with
'open' incoming/ directories to abuse those as warez pits).
BTW.. get yourself wu-ftpd-2.6.2-pre8.src.rpm from www.rpmfind.net,
unpack it on some linux box (rpm2cpio < wu-ftpd-2.6.2-pre8.src.rpm |
cpio -i -d) and transfer the source tar.bz2 to an SGI. You have to
replace a vfork() into a fork() somewhere in the sources to make that
thing actually compile given this configuration:
./configure --prefix=/usr/local --with-etc-dir=/usr/local/etc/wu-ftp
--with-pid-dir=/var/tmp --with-log-dir=/var/adm
--with-base-homedir=/usr/people --with-alt-homedir=/tmp
--with-openssl-dir=/usr/freeware/lib/openssl --enable-tls
--enable-ls --disable-numericuid
You can also add other options (--enable-passwd or the like). This will
build a working wu-ftpd (I never got it to work without the
--internal-ls though, I don't know why; my chroot() seems to be OK, IRIX
ftpd likes it but with wu-ftpd no go).
Ah yes.. I even edited the src/Makefile and replaced -lssl -lcrypto with
the complete pathnames to the archive library versions of ssl and crypto
(/usr/freeware/lib32/libssl.a ..) to make a nice static binary (the
recommended way with OpenSSL btw).
$ ldd /usr/local/sbin/in.ftpd
libcrypt.so => /usr/lib32/libcrypt.so
libc.so.1 => /lib32/libc.so.1
Set up your anon ftp chroot() like this:
mkdir -p /ftp/etc /ftp/lib32 /ftp/bin /ftp/incoming /ftp/pub /ftp/dev
Put /lib32/rld and /lib32/libc.so.1 into /ftp/lib32/, put /dev/zero into
/ftp/dev/ and copy compress, gzip, tar, ls, md5sum and cksum into
/ftp/bin (ah yes.. better mknod the /ftp/dev/zero ;-).
Copy /etc/passwd and /etc/group into /ftp/etc (be sure to remove any
password hashes! :-) to display user and group names within an ftp
session instead of boring numeric UIDs and GIDs.
Copy all the files needed for TLS into /usr/freeware/lib/openssl/certs/
(I even added a link /usr/local/ssl/ to /usr/freeware/lib/openssl/) and
configure your wu-ftpd config files in /usr/local/etc/wu-ftp/.
Finally add an entry (disable the given IRIX ftpd ones!) for wu-ftp
into your /etc/inetd.conf:
# WU-FTP
#
ftp stream tcp nowait root /usr/local/sbin/in.ftpd \
in.ftpd -l -a -z authmode=server
When you are done it will look like this:
220 your.machine.foo FTP server ready.
Name (your.machine.foo:rhoenie): ftp
331 Guest login ok, send your complete e-mail address as password.
Password: xxxxxxxx
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 0
drwxr-xr-x 2 root sys 76 Nov 5 12:09 bin
drwxr-xr-x 2 root sys 17 Nov 4 11:15 dev
drwxr-xr-x 2 root sys 31 Nov 6 10:24 etc
drwx-wx-wt 4 ftpadm daemon 4096 Nov 1 12:33 incoming
drwxr-xr-x 2 root sys 49 Nov 5 09:55 lib32
drwxr-xr-x 2 root sys 109 Nov 4 23:19 msgs
drwxr-xr-x 11 rhoenie sys 140 Nov 5 23:02 pub
226 Transfer complete.
ftp> quit
221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 1505 bytes in 0 transfers.
221-Thank you for using the FTP service on your.machine.foo.
221 Goodbye.
... cute, eh? :-)
--
PGP2 Key-ID: 666R/36540865 1997-06-09 Marcus Herbert
GPG Key-ID: 1024D/2E2DAB44 2000-01-30
Geek-Code: GCS b O e+ h
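An added shell example, not code from the thread or from either poster, that does what the reply above recommends for incoming/ and for the chroot's etc/passwd: find drop-box subdirectories that have become listable, put them back to an unlistable mode, and strip password hashes before the passwd copy goes into the chroot. The function names and directory paths are my own assumptions; it expects a GNU-style find(1) (-mindepth) and a POSIX awk(1).

```shell
#!/bin/sh
# Added example (not from the thread). Audits and hardens an anonymous FTP
# drop-box the way the reply describes (writable but not listable) and
# prepares a hash-free passwd copy for the chroot's etc/. Assumes GNU-style
# find(1) and POSIX awk(1); every path is a parameter, the /ftp layout from
# the post is only an assumption about where these live.

# Print every directory below the drop-box that group or others can read.
# A drop-box is mode 1733 (d-wx-wx-wt): anyone may write and enter it, but
# nobody can list it. A subdirectory created with the default umask
# (rwxrwxr-x) is listable again, which is how incoming/ becomes a warez pit.
audit_incoming() {
    find "$1" -mindepth 1 -type d \( -perm -g=r -o -perm -o=r \) -print | sort
}

# Put the drop-box and every directory created inside it back to unlistable.
# Permission bits cannot stop retrieval of a file uploaded by the ftp user
# itself; that is a server setting (e.g. wu-ftpd's ftpaccess "noretrieve"),
# so this only closes the listing hole.
harden_incoming() {
    chmod 1733 "$1"
    find "$1" -mindepth 1 -type d -exec chmod 733 {} +
}

# Copy a passwd file with every password field replaced by "*", so ls inside
# the chroot shows user names without exposing any hashes.
sanitize_passwd() {
    awk -F: 'BEGIN { OFS = ":" } { $2 = "*"; print }' "$1" > "$2"
}

# Succeed (exit 0) only if no line still carries a hash in field 2.
check_no_hashes() {
    awk -F: '$2 != "*" && $2 != "x" && $2 != "" { bad = 1 } END { exit bad }' "$1"
}
```

Run audit_incoming against the drop-box from cron to catch robot-created subdirectories; harden_incoming must run as the owner of incoming/ (ftpadm in the listing above) or as root.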
-
Re: Help needed to secure ftp anonymous incoming folder
rhoenie@indigo.homeunix.org (Marcus Herbert) wrote in message news:...
> My hint to you is to either forget about an incoming/ completely or to
> configure it that way that retrieving of files is impossible or (if your
> server software isn't capable of this) to prevent ls to show directory
> contents.
[snip...]
> BTW.. get yourself wu-ftpd-2.6.2-pre8.src.rpm from www.rpmfind.net,
> unpack it on some linux box (rpm2cpio < wu-ftpd-2.6.2-pre8.src.rpm |
> cpio -i -d) and transfer the source tar.bz2 to an SGI. You have to
[more stuff deleted]
Thanks for your help Marcus.
I actually installed proFTPd from the freeware disks. It is much more
secure than the original ftp server that comes with Irix. Best of all,
it took me no more than 10 minutes to configure the server and make it
secure. I don't have problems with inappropriate material in my
incoming directory anymore. I definitely recommend proFTPd to anyone
who uses ftp on Irix, especially if you want to use anonymous uploads.
Thanks again,
John.