1. Home
  2. Tutorials
  3. Linux WU-Ftp Server Configuration
Yolinux.com Tutorial

Linux WU-Ftp Configuration Tutorial

How to enable FTP file transfer for a Linux website server

A WU-Ftp (Washington University FTP) server configuration allows users to transfer files to and from home directory and to upload and download files with their account. The user will be denied access to the rest of the system as they will be chrooted to the user home directory.

Note that the FTP file transfer protocol is used and is unencrypted, thus relying on the security of your network. While ubiquitous at one time, this is no longer prefered. See out tutorial for encrypted file transfer using an sFTP chroot configuration.

FTPd and FTP server configuration:

Many FTP programs exist. This example covers the once popular wu-ftpd (Washington University) program which once came standard with RedHat (last shipped with RedHat 8.0 but can be installed on any Linux system. RPM: wu-ftpd) There are other FTP programs including proFtpd (supports LDAP authentication, Apache like directives, full featured ftp server software), vsftpd, bftpd, pure-ftpd (free BSD and optional on Suse), etc ...

For hostile environments set up a chrooted environment for an sftp encrypted connection and the rssh restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux sftp and rssh configuration

Also see the preferred chrooted sftp configuration for OpenSSH 4.9+

FTPd and SELinux: To allow FTPd daemon access and FTP access to users home directories:

  • setsebool -P allow_ftpd_full_access=1
    Other wise you will get an error in /var/log/messages:
    SELinux is preventing the ftp daemon from writing files outside the home directory (./public_html).
  • setsebool -P ftp_home_dir 1

Follow with the command service ftpd restart

WU-FTPd and FTP user account configuration:

The wu-ftpd FTP server can be downloaded (binary or source) from http://wu-ftpd.therockgarden.ca/ (at one time: http://wu-ftpd.org).

There are three kinds of FTP logins that wu-ftpd provides:

  • anonymous FTP - one logs in with the username 'anonymous'
  • real FTP - log in with a real username and password and has access to the entire disk structure.
  • guest FTP - one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. They are constrained to their home directory which also means that they don't have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set up.
This tutorial covers "guest" FTP configuration.


The file /etc/ftpaccess controls the configuration of ftp.

   # Don't allow system accounts to log in over ftp
   deny-uid %-99 %65534-
   deny-gid %-99 %65534-

   class   all   real,guest  *
   email webmaster@your-domain.com
   loginfails 5

   readme  README*    login
   readme  README*    cwd=*
   message /welcome.msg            login
   message .message                cwd=*

   compress        yes             all
   tar             yes             all
   chmod           no              guest,anonymous
   delete          no              anonymous    # delete files permission?
   overwrite       no              anonymous    # overwrite files permission?
   rename          no              anonymous    # rename files permission?
   delete          yes             guest        # delete files permission?
   overwrite       yes             guest        # overwrite files permission?
   rename          yes             guest        # rename files permission?
   umask           no              guest        # umask permission?

   log transfers anonymous,real inbound,outbound

   shutdown /etc/shutmsg

   passwd-check rfc822 warn

   # Must also create message file /etc/pathmsg of the guest directory.
   # In this case it refers to /home/user1/public_html/etc/pathmsg.
   path-filter  guest /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
   limit all 2
   noretrieve passwd .htaccess core    - Do not allow users to download files of these names
   limit-time * 20
   byte-limit in 5000                  - Limit file size
   guestuser *    - System user default categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted.
   realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery". 
                                    Visibility of the whole file system and subject to regular UNIX file permissions
   realuser user4                      - Assign real user privileges to user id "user4". 

   restricted-uid user1 user2 user3    - Restricts FTP to the specified directories
   guest-root /home/user1/public_html user1
   guest-root /home/user2/public_html user2
   guest-root /home/user3/public_html user3

Note:

  • user1, user2 and user3 refer to login accounts. Use the appropriate login name.
  • The above configuration disables anonymous FTP which allows anyone to perform an FTP login with the id anonymous and an email address as a password. To enable anonymous FTP, change the class directive to:
      class   all   real,guest,anonymous  *
              
  • GUI FTP configuration tools:
    • /usr/bin/kwuftpd
    • /sbin/linuxconf
      (Note: Linuxconf is no longer included with Red Hat 7.3 and later)
  • Red Hat Linux assigns users a user id and group id which is the same. This means that it does not matter if you use a realuser or realgroup directive as they will act the same.
  • Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections. Thus xinetd must be running and configured to support ftp. The configuration file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd on will make the ftp server available. See xinet configuration for more info.
  • Allow override of deny-uid and/or deny-gid:
         allow-uid user-to-allow
         allow-gid group-to-allow
        
  • Optional configuration:
    • Create a group ftpchroot
    • Add users to this group
    • Use directive: guestgroup ftpchroot

[Potential Pitfall]: Flaky ftp behavior, timeouts, etc?? FTP works best with name resolution of the computer it is communicating with. This requires proper /etc/resolv.conf and name server (bind) configuration, /etc/hosts or NIS/NFS configuration.


File /home/user1/public_html/etc/pathmsg:

   A NOTE TO USERS UPLOADING FILES:
   File names may consist of letters (a-z, A-Z), numbers (0-9),
   an under score ("_"), dash ("-") or period (".") only.
   The file name may not begin with a period or dash.
   You have tried to upload a file with an inappropriate name.


The whole point of the chroot directory is to make the user's home directory appear to be the root of the filesystem (/) so one could not wander around the filesystem. Configuration of /etc/ftpaccess will limit the user to their respective directories while still offering access to /bin/ls and other system commands used in FTP operation.

As root:

   cd /home/user1
   mkdir public_html
   chown $1.$1 public_html
   touch .rhosts             - Security protection
   chmod ugo-xrw .rhosts 


Man Pages:

Server:
  • ftpd - Internet File Transfer Protocol server
File Formats:
  • /etc/ftpaccess - Configuration file for ftpd
  • /etc/ftpservers - ftpd virtual hosting configuration file. (optional)
  • /etc/ftphosts - allow or deny access to certain accounts from various hosts. (optional)
  • /etc/ftpconversions - ftpd conversions database (for tar and compression)
  • /var/log/xferlog - FTP server logfile
  • ftp - File Transfer Client program

Configuration files: (RH 8.0+)

  • PAM configuration file: /etc/pam.d/ftp
    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_shells.so
    account    required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    

  • Xinetd configuration file: /etc/xinetd.d/wu-ftpd
    service ftp
    {
            disable = no
            socket_type             = stream
            wait                    = no
            user                    = root
            server                  = /usr/sbin/in.ftpd
            server_args             = -l -a
            log_on_success          += DURATION USERID
            log_on_failure          += USERID
            nice                    = 10
    }
                 
    Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.

  • Logrotate configuration file: /etc/logrotate.d/ftpd
    /var/log/xferlog {
    nocompress
    }

More information:

Man pages on related FTP commands and files:

  • chroot - Run with a special root directory
  • ftpcount - Show number of concurrent users.
  • ftpshut - close down the ftp servers at a given time
  • ftprestart - Restart previously shutdown ftp servers
  • ftpwho - show current process information for each ftp user
  • privatepw - Change WU-FTPD Group Access File Information (admin command)

FTP Pitfalls:

If you get the following ftp client user error:

ftp> ls
227 Entering Passive Mode (208,188,34,109,208,89)
ftp: connect: No route to host

This means you have firewall issues most probably on the FTP server itself. Start by removing the firewall "iptables" rules: iptables -F Add rules until you discover what is causing the problem.

Passive mode:

Passive mode can also help one past the rules:
ftp> passive
Passive mode on.
This toggles passive mode on and off. When on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port and pasv_max_port

Firewall connection tracking module:

# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_conntrack_ftp"

NAT firewall modules:

You can also try adding ip_nat_ftp to the list of auto-loaded modules: (This will also load the dependency: ip_conntrack_ftp.)
# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_nat_ftp"
Then restart the firewall: /etc/init.d/iptables condrestart

FTP will change ports during use. The ip_conntrack_ftp module will consider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work. i.e. rule: /etc/sysconfig/iptables

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

FTP fails because it can not change to the users home directory:

Error:
[user1@nodex ~]$ ftp node.domain.com
Connected to XXX.XXX.XXX.XXX.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (XXX.XXX.XXX.XXX:user1):
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/user1
Login failed.
ftp> bye

This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory. As root, grant access with the following command:
setsebool -P ftp_home_dir 1
Followed by: service vsftpd restart

Test your vsftpd SELinux settings: getsebool -a | grep ftp

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off

FTPd SELinux man page

FTP Linux clients:

  • FileZilla: FTP/sFTP client GUI
  • gftp: GUI GTK+ Multi-threaded client. File transfer directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.
  • KFTPgrabber: GUI KDE based client.simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.
  • kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.e. Linux.
  • ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)

Basic user security:

When hosting web sites, there is no need to grant a shell account which only allows the server to have more potential security holes. Current systems can specify the user to have only FTP access with no shell by granting them the "shell" /sbin/nologin provided with the system or the "ftponly" shell described below. The shell can be specified in the file /etc/passwd of when creating a user with the command adduser -s /sbin/nologin user-id

Note that WU-FTP is unencrypted, by definition unsecure and is reliant on a secure network to provide security.

[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5 does not support this configuration to prevent shell access. It requires users to have a real user shell. i.e. /bin/bash It works great in older and current Red Hat versions. If it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet access. You should NOT be using this problem ridden version of ftpd. Use the latest wu-ftpd-2.6.2-11 which supports users with shell /opt/bin/ftponly

  1. Disable remote telnet login access allowing FTP access only:

    Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.

    ...
    user1:x:502:503::/home/user1:/opt/bin/ftponly
    ...
        

    Create file: /opt/bin/ftponly.
    Protection set to -rwxr-xr-x 1 root root
    with the command: chmod ugo+x /opt/bin/ftponly
    Contents of file:

    #!/bin/sh
    #
    # ftponly shell
    #
    trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
    #
    Admin=root@your-domain.com
    #System=`/bin/hostname`@`/bin/domainname`
    #
    /bin/echo
    /bin/echo "********************************************************************"
    /bin/echo "    You are NOT allowed interactive access."
    /bin/echo
    /bin/echo "     User accounts are restricted to ftp and web access."
    /bin/echo
    /bin/echo "  Direct questions concerning this policy to $Admin."
    /bin/echo "********************************************************************"
    /bin/echo
    #
    # C'ya
    #
    exit 0
        

    The last step is to add this to the list of valid shells on the system.
    Add the line /opt/bin/ftponly to /etc/shells.

    Sample file contents: /etc/shells

    /bin/bash
    /bin/bash1
    /bin/tcsh
    /bin/csh
    /opt/bin/ftponly
        
    See man page on /etc/shells.

    An alternative would be to assign the shell /bin/false or /sbin/nologin which became available in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false or /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.

  2. Set file quotas to limit user account.

For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial

technical book image Books:

Amazon book image "Ubuntu Unleashed 2017 edition:"
Covering 16.10 and 17.04, 17.10 (12th Edition)
by Matthew Helmke, Andrew Hudson and Paul Hudson
Sams Publishing, ISBN# 0134511182

Amazon.com
Amazon book image "Ubuntu Unleashed 2013 edition:"
Covering 12.10 and 13.04 (8th Edition)
by Matthew Helmke, Andrew Hudson and Paul Hudson
Sams Publishing, ISBN# 0672336243
(Dec 15, 2012)

Amazon.com
Amazon book image "Ubuntu Unleashed 2012 edition:"
Covering 11.10 and 12.04 (7th Edition)
by Matthew Helmke, Andrew Hudson and Paul Hudson
Sams Publishing, ISBN# 0672335786
(Jan 16, 2012)

Amazon.com
Amazon book image "Red Hat Enterprise Linux 7: Desktops and Administration"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280620
(Jan 13, 2017)

Amazon.com
Amazon book image "Fedora 18 Desktop Handbook"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280639
(Mar 6, 2013)

Amazon.com
Amazon book image "Fedora 18 Networking and Servers"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280698
(March 29, 2013)

Amazon.com
Amazon book image "Fedora 14 Desktop Handbook"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280167
(Nov 30, 2010)

Amazon.com
Amazon book image "Fedora 14 Administration and Security"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280221
(Jan 6, 2011)

Amazon.com
Amazon book image "Fedora 14 Networking and Servers"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280191
(Dec 26, 2010)

Amazon.com
Amazon book image "Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)"
by Mark Sobell
Prentice Hall PTR, ISBN# 0137003889
2 edition (January 9, 2009)

Amazon.com
Amazon book image "Fedora 10 and Red Hat Enterprise Linux Bible"
by Christopher Negus
Wiley, ISBN# 0470413395

Amazon.com
Amazon book image "Red Hat Fedora 6 and Enterprise Linux Bible"
by Christopher Negus
Sams, ISBN# 047008278X

Amazon.com
Amazon book image "Fedora 7 & Red Hat Enterprise Linux: The Complete Reference"
by Richard Petersen
Sams, ISBN# 0071486429

Amazon.com
Amazon book image "Red Hat Fedora Core 6 Unleashed"
by Paul Hudson, Andrew Hudson
Sams, ISBN# 0672329298

Amazon.com
Amazon book image "Red Hat Linux Fedora 3 Unleashed"
by Bill Ball, Hoyt Duff
Sams, ISBN# 0672327082

Amazon.com
Amazon book image "Red Hat Linux 9 Unleashed"
by Bill Ball, Hoyt Duff
Sams, ISBN# 0672325888
May 8, 2003

I have the Red Hat 6 version and I have found it to be very helpful. I have found it to be way more complete than the other Linux books. It is the most complete general Linux book in publication. While other books in the "Unleashed" series have dissapointed me, this book is the best out there.

Amazon.com
Amazon book image "Apache Server Bible 2"
by Mohammed J. Kabir
ISBN # 0764548212, Hungry Minds

This book is very complete covering all aspects in detail. It is not your basic reprint of the apache.org documents like so many others.

Amazon.com
Amazon book image "Pro DNS and Bind"
by Ronald Aitchison
Apress, ISBN# 1590594940
Amazon.com