University of Florida | Department of Physics
Securing ftpd

These instructions are probably specific to wu-ftpd, but they can certainly be extended to proftpd. The idea here is to accept ftp connections ONLY from localhost for users, and from anywhere for anonymous access (of course this sounds backwards, but we are using ssh tunneling to make our users appear to connect from localhost).

  1. Compile wu-ftpd (somebody send me info on compiling this if there is anything special to note)
  2. Create an ftpaccess file with two classes, one for the real users and another for the anonymous users:
    
    class localreal real ftpserver
    class anyanon anonymous *
    
    limit   anyanon   10   Any              /etc/msgs/msg.dead
    
    readme  README*    login
    readme  README*    cwd=*
    
    message /welcome.msg            login
    message .message                cwd=*
    
    compress        yes             all
    tar             yes             all
    
    log commands real
    log transfers anonymous,real inbound,outbound
    
    shutdown /etc/shutmsg
    
    email user@hostname
    
    The big thing to remember here is to use the name of the ftp server in the line for the class localreal. This line
    
        class localreal real ftpserver
    
    restricts members of the localreal class to access only from the machine ftpserver. The next line
    
        class anyanon anonymous *
    
    allows anonymous access from any host.
  3. Now teach your users to make ssh tunnels from their desktop machines to ftpserver, and they will be able to use ftp. Remember that scp (part of the ssh package) is easier for Unix users. PC users will want to use WS-FTP and ssh tunneling to transfer files.
  4. Edit /etc/inetd.conf to wrap ftpd. Here is what your /etc/inetd.conf file should look like:

    
    ftp    stream tcp  nowait root   /usr/sbin/tcpd       in.ftpd -l -a

  5. After making the above changes, send a HUP to the inetd process.
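
One way to check the files from steps 2 and 4 against this policy, as an added example that is not part of the original page. The function names, the sample files and the class name `openreal` are constructed for illustration; the ftpaccess `class` syntax and the inetd.conf field order are the standard ones.

```shell
#!/bin/sh
# Added example: audit ftpaccess and inetd.conf against the policy on this page.

# Print the name of every class that admits "real" users from any address
# other than the expected server name ($2).
# ftpaccess syntax: class <name> <typelist> <addrglob> [<addrglob> ...]
real_class_violations() {
    awk -v host="$2" '
        $1 == "class" && NF >= 4 {
            real = 0
            n = split($3, types, ",")
            for (i = 1; i <= n; i++) if (types[i] == "real") real = 1
            if (!real) next
            for (i = 4; i <= NF; i++)
                if ($i != host) { print $2; next }
        }' "$1"
}

# Succeed only if an ftp service line exists and every one runs through tcpd.
# inetd.conf fields: service socktype proto wait user server-program args...
ftp_is_wrapped() {
    awk '
        $1 == "ftp" { found = 1; if ($6 !~ /\/tcpd$/) bad = 1 }
        END { if (found && !bad) exit 0; exit 1 }' "$1"
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ftpaccess.good" <<'EOF'
class localreal real ftpserver
class anyanon anonymous *
EOF
cat > "$tmp/ftpaccess.bad" <<'EOF'
# real users allowed from everywhere: defeats the tunnel-only policy
class openreal real,guest *
class anyanon anonymous *
EOF
printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n' > "$tmp/inetd.good"
printf 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -l -a\n' > "$tmp/inetd.bad"

for f in good bad; do
    v=$(real_class_violations "$tmp/ftpaccess.$f" ftpserver)
    echo "ftpaccess.$f: real users reachable outside ftpserver via: ${v:-none}"
    if ftp_is_wrapped "$tmp/inetd.$f"; then w=yes; else w=no; fi
    echo "inetd.$f: ftp wrapped by tcpd: $w"
done
```

On a real host, pass the actual ftpaccess and /etc/inetd.conf paths and the server name used in the `class localreal` line.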