Friday, October 10, 2008

HowTo: Setup an Anonymous FTP server on FreeBSD

To test the speed differences between SFTP and FTP I decided to set up an anonymous FTP server on my trusted old 266 MHz Celeron running FreeBSD 7.0.

The File Transfer Protocol (FTP) provides a simple and classic method for transferring files from one computer to another across the internet.

The FreeBSD base install includes FTP server software, namely ftpd.

I'm fully aware of the security implications of FTP transmitting usernames and passwords in clear text, hence the choice of an anonymous FTP server in read-only mode.

Let's start by creating an ftp user:
  • % su
  • # adduser
Username: ftp
Full name: Anonymous FTP user
Uid (Leave empty for default):
Login group [ftp]:
Login group is ftp. Invite ftp into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash zsh nologin) [sh]: nologin
Home directory [/home/ftp]: /var/ftp
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: no
Username : ftp
Password :
Full Name : Anonymous FTP user
Uid : 1004
Class :
Groups : ftp
Home : /var/ftp
Shell : /usr/sbin/nologin
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (ftp) to the user database.
Add another user? (yes/no): no
Anonymous FTP restricts access to the home directory of the user ftp. So let's create an additional directory:
  • # mkdir -p /var/ftp/pub
  • # chown ftp:ftp /var/ftp/pub
From the point of view of the user, /var/ftp is the root directory, and he cannot access any files outside of the ftp directory.

To display a welcome notice before users log in, edit the /etc/ftpwelcome file:
  • # vi /etc/ftpwelcome
After a successful login, the contents of the /etc/ftpmotd file are displayed to the user.
  • # vi /etc/ftpmotd
Next let's proceed by enabling the ftpd server in /etc/inetd.conf:
  • # echo "ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -S -A -r" >> /etc/inetd.conf
In which:
-l log each FTP session via syslog (the default flag in the stock inetd.conf entry)
-r read-only mode
-o write-only mode (not used here)
-A anonymous FTP connections only
-S logging of all anonymous FTP activity
The -S flag allows logging to /var/log/ftpd; however, the file needs to exist before ftpd can use it:
  • # touch /var/log/ftpd
To start ftpd at boot time:
  • # echo 'inetd_enable="YES"' >> /etc/rc.conf
Having finished the configuration steps, we can start ftpd immediately with:
  • # /etc/rc.d/inetd start
You can now log on to your FTP server by typing:
  • # exit
  • % ftp localhost
In which the username can be either ftp or anonymous and the password can be anything. Commands such as ls, cp, pwd and less work just like in tcsh and bash shells. To quit the FTP session type exit.
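
To confirm that the inetd.conf entry still carries the flags explained above, here is an audit script added as an example (it is not part of the original post). The function names are hypothetical, and the set of ftpd options treated as taking a value (-a, -p, -P, -T, -t, -u) is taken from the ftpd(8) synopsis as an assumption:

```sh
# Audit ftp entries in an inetd.conf-style file for -A, -r, -l and -S (added example).

# ftpd_flags LINE: print ftpd's value-less option letters, handling bundled
# forms (-lSAr); options assumed to take a value (ftpd(8)): -a -p -P -T -t -u.
ftpd_flags() {
    set -f; set -- $1; set +f
    [ $# -gt 7 ] || return 0          # 6 inetd fields + argv[0], then args
    shift 7
    flags="" skip=0
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $arg in -?*) rest=${arg#-} ;; *) continue ;; esac
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}; rest=${rest#?}
            case $c in
                [apPTtu]) if [ -z "$rest" ]; then skip=1; fi; rest="" ;;
                *) flags="$flags$c" ;;
            esac
        done
    done
    printf '%s\n' "$flags"
}

# audit_inetd CONF [LOGFILE]: print one finding per line; return 1 if any.
audit_inetd() {
    conf=$1 log=${2:-/var/log/ftpd} rc=0 seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*|'') continue ;; esac
        set -f; set -- $line; set +f
        [ "$1" = ftp ] || continue
        seen=1
        f=$(ftpd_flags "$line")
        for need in A r l S; do
            case $f in *"$need"*) ;; *) echo "ftp: missing -$need"; rc=1 ;; esac
        done
        case $f in *o*) echo "ftp: -o (write-only) is set"; rc=1 ;; esac
        case $f in *S*) [ -e "$log" ] || { echo "ftp: $log does not exist"; rc=1; } ;; esac
    done < "$conf"
    [ "$seen" -eq 1 ] || { echo "no active ftp entry in $conf"; rc=1; }
    return $rc
}

# With no argument, audit a constructed sample (the page's entry minus -r).
if [ $# -ge 1 ]; then audit_inetd "$@"; else
    tmp=$(mktemp)
    echo 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -lSA' > "$tmp"
    audit_inetd "$tmp" /dev/null || true
    rm -f "$tmp"
fi
```

On the server, run it as root with /etc/inetd.conf as the argument; a non-zero exit status means at least one finding was printed.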

And we're done ;)

Additional information:
FreeBSD Handbook
man ftpchroot
man ftpd
man chroot
man inetd


Anonymous said...

Thank you, this helped me a lot!

tangram said...

Glad it helped ;)