FTP configuration and application under Linux


Generally, wu-ftpd provides three types of ftp login:

1. anonymous ftp
2. real ftp
3. guest ftp

anonymous ftp is the most widely used type of ftp access. The user logs in with the username "anonymous" and gives an email address as the password.

real ftp is a login with a real system username and password. After logging in, the user can access the entire directory structure. Real ftp is generally considered a serious threat to system security, so unless it is really required you should avoid using it.

guest ftp is a variant of real ftp; the difference is that after a guest login the user cannot access anything outside their home directory.

In wu-ftpd, ftp access is controlled through a specific configuration file. The main configuration files are:

/etc/ftpaccess
/etc/ftpusers
/etc/ftphosts
/etc/ftpconversions

among others. Let us look at these configuration files in turn.

ftpaccess is the main ftp configuration file; every aspect of ftp access can be controlled here. Because there are many control directives, we use wu-ftpd version 2.6 as the example; the full reference can be found in the wu-ftpd manual.

1. Access Control

class [...]
Description: This directive defines a user class. Defining user classes makes it easier to control the service. The arguments are:

the class name, a string;

the login types, a comma-separated list of the keywords "anonymous", "guest" and "real": real means that users in the class access ftp with a real account, anonymous means that they use anonymous ftp, and guest means that they access ftp with a guest account;

the source addresses (IP address or domain name) of the class. An address may be written as address:netmask or as address/cidr. You can also give a file that contains the source address definitions for the class, and an exclamation mark in front of an address means every address except that one.

Example:

class anon anonymous *
class mng real 210.221.80.0/24
class user real !domainname.com

The first line defines the anon class for anonymous users connecting from anywhere.
The second line defines the mng class, real users connecting from the 210.221.80.0/24 network segment.
The third line defines the user class, real users connecting from any address other than domainname.com.
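As an added example (not part of the original article and not wu-ftpd's own code), the following Python models the class-matching rules just described: the first matching class wins, and an address glob may be `*`, address/cidr, address:netmask, a hostname glob, or any of these negated with `!`. It assumes IPv4 address globs and leaves out address lists read from a file; the fourth class line is constructed to show a lint that flags real access granted from anywhere.

```python
import fnmatch
import ipaddress

# Constructed sample: the article's three class lines plus a deliberately broad
# 'real' class (hypothetical, added here) that the linter below should flag.
SAMPLE_FTPACCESS = """\
class anon anonymous *
class mng real 210.221.80.0/24
class user real !domainname.com
class everyone real,guest *
"""

def parse_classes(text):
    """Return [(name, {login types}, [address globs])] per class line, in file order."""
    classes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "class":
            classes.append((parts[1], set(parts[2].split(",")), parts[3:]))
    return classes

def glob_matches(glob, client):
    """Match one addrglob (IPv4 forms only) against a client IP or hostname."""
    if glob.startswith("!"):          # '!' matches everything except the glob
        return not glob_matches(glob[1:], client)
    if glob == "*":
        return True
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:                # client given as a hostname: glob it
        return fnmatch.fnmatch(client.lower(), glob.lower())
    if "/" in glob or ":" in glob:    # address/cidr or address:netmask
        return ip in ipaddress.ip_network(glob.replace(":", "/"), strict=False)
    return fnmatch.fnmatch(client, glob)  # plain address, may contain '*'

def resolve_class(classes, login_type, client):
    """wu-ftpd uses the first class whose type list and an addrglob both match."""
    for name, types, globs in classes:
        if login_type in types and any(glob_matches(g, client) for g in globs):
            return name
    return None                       # no class matched: the login is refused

def flag_broad_real_classes(classes):
    """Lint: classes that grant real (full filesystem) logins from anywhere."""
    return [name for name, types, globs in classes
            if "real" in types and "*" in globs]
```

Running the lint over your own ftpaccess is a quick way to spot a real-user class that is open to every source address.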

We will then look at other configurations of ftpaccess.

deny
Description: Denies access from the given source addresses and displays the contents of the given file. The address may also be a file containing the definitions of the rejected address classes. The special form !nameserved rejects clients whose address has no registered domain name.

For example:
deny !nameserved /home/ftp/etc/noname.msg

This rejects clients without a registered domain name and displays the contents of noname.msg.

guestgroup [...]
guestuser [...]
realgroup [...]
realuser [...]
Description: guestgroup treats a real user who belongs to one of the listed groups as a guest user; guestuser does the same for the listed user names; realgroup and realuser treat a matching non-anonymous connection as a real user connection. A numeric user id or group id may be given instead of a name.

For example:
guestuser *
realgroup admin

means that any non-anonymous connection from a user outside the admin group is treated as a guest connection, while members of admin are still treated as real user connections.

nice []
Description: If the connecting user belongs to the given class, the nice value of the ftpd process is adjusted by the specified amount.

keepalive
Description: Whether to keep the data channel active during the session.

timeout accept
timeout connect
timeout data
timeout idle
timeout maxidle
timeout RFC931
Description: Set various timeouts.

accept sets how long ftpd waits for a passive data channel connection request (default 120 seconds).
connect sets how long ftpd waits for a standard data channel connection to be established (default 120 seconds).
data sets how long ftpd waits for client activity on the data channel before timing out (default 1200 seconds).
idle sets how long ftpd waits for client activity on the command channel before timing out (default 900 seconds).
maxidle sets the upper limit of the idle timeout that a client user may request (default 10 seconds).
RFC931 sets the maximum time allowed to complete an RFC931 (ident) session; zero disables support for the protocol.

tcpwindow []
Description: Sets the TCP window size. The default on Linux is generally 6. The value can be increased on a good network connection; otherwise it should be reduced.

Let's look at other configurations of ftpaccess.

file-limit [] []
Description: Limits the number of files that users of a given class may transfer. The limit can be set on in, out or total transfers. If no class is given, the option applies to all classes that do not already have a file limit. The optional keyword raw applies the limit to total traffic.

byte-limit [] []
Description: Limits the amount of data that users of a given class may transfer. The limit can be set on in, out or total transfers. If no class is given, the option applies to all classes that do not already have a byte limit. The optional keyword raw applies the limit to total traffic.

limit-time {*|anonymous|guest}
Description: Limits the total duration of an ftp session. The default is unlimited, and real users are never restricted.

guestserver []
Description: Controls which hosts may provide anonymous or guest access. If no host is given, all anonymous and guest access is denied.

limit
Description: Limits the number of users of a class that may be connected during a given time period. When the limit is reached, further connections are refused and the contents of the given file are displayed.
