Creating An Anonymous FTP Server With Publicfile


This article explains how to set up a server that needs to support anonymous FTP (FTP without a password) and doesn’t need to give anyone a ‘real’ login. The whole thing should be read-only, with no write permissions. And as with everything I support, security is a must.

There are a boatload of FTP servers, almost all of which have had some vulnerability of some kind – in fact most have had bugs that lead to shell or root access. Many have added on additional security measures, such as the ability to chroot real users as well as anonymous users. However, this FTP server’s needs are so minimal that any FTP server software with boatloads of configuration options is just overkill.

Publicfile: Another offering from Dan Bernstein, author of DJBDNS, another one of my favorite software packages. Publicfile offers both an FTP and HTTP server.


Publicfile offers an anonymous-only FTP server. When users connect they must supply a username (this is an unavoidable assumption of FTP servers) but no password – not even an email address – is required. It supports both active and passive FTP, and is immune to ftp-bounce attacks. The server chroots to the ftp area and changes to a non-root user. You can easily limit how many users can connect using the power of tcpserver and softlimit. Any directories and files readable by that user are available via FTP. All in all, perfectly paranoid.

Publicfile relies on two other DJB packages: ucspi-tcp and daemontools. If you don’t have these installed (they certainly didn’t come with your Linux distro) then you’ll need to install them. You might want to refer to the DJBDNS articles, where it is described how to install them and how they function.

So, onto the installation. It’s so trivial it’ll take you about two minutes:

  $ wget http://cr.yp.to/publicfile/publicfile-0.52.tar.gz
  $ tar xzvf publicfile-0.52.tar.gz
  $ cd publicfile-0.52
  $ make
  # make setup check
The ‘make setup check’ command is the part that does the installation, so it must be run as root. Once you’ve run those commands, the publicfile software will be installed in /usr/local/publicfile/bin/. There are three programs therein:
  configure    Sets up the supervise directories for the web and ftp server, as well as the directories for the content themselves.
  ftpd         The Publicfile FTP server
  httpd        The Publicfile HTTP server

Before we set up Publicfile, we need to create the user that the server will run as, and the logging user account as well. DJB suggests using ‘ftp’ and ‘ftplog’. Since various software packages may or may not muck with a unix account named ‘ftp’, I prefer to use ‘pubfile’ and ‘publog’ respectively.
  # for acct in pubfile publog
    do
       groupadd $acct
       useradd -g $acct -s /bin/false -c "Publicfile $acct user" \
               -M -d /nada $acct
    done

Now that our users are created, we need to set up our FTP server.
  # /usr/local/publicfile/bin/configure pubfile publog /public

This sets up the following directories:

  /public/ftpd         The FTP daemon directory for supervise
  /public/ftpd/log     The FTP daemon logging directory
  /public/httpd        The HTTP daemon directory for supervise
  /public/httpd/log    The HTTP daemon logging directory
  /public/file/0       The anonymous FTP area[5]


Now, tell svscan to start up the ftp server:
  # ln -s /public/ftpd /service

In a few seconds you’ll have an FTP server running. Copy all the files and directories you want available into /public/file/0. To test it out, simply connect:

  $ ftp my_ftp_server
  Name (my_ftp_server:jdoe): anonymous
  230 Hi. No need to log in; I'm an anonymous ftp server.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> ls
  +i2054.507,m976862021,/,      file-tests
  ftp> cd file-tests
  200 Okay.
  150 Making transfer connection...
  +i2054.96042,m977254940,r,s108147,    file1.tgz
  +i2054.96092,m962174273,r,s8246,      file2
  +i2054.96093,m976767600,r,s105638,    file3.gif
  +i2054.96096,m1030736284,r,s254,      file4.tgz
  +i2054.506,m1033422657,/,     more-files
  226 Success.
  ftp> get file2  200 Okay.
  150 Making transfer connection...
  226 Success.
  8246 bytes received in 0.00 secs (19127.6 kB/s)
  ftp> quit
  $

Everything works fine, but you may note that the file listings seem weird. DJB uses his self-created EPLF (Easily Parsed List Format) to show the info about each file.[6] Several FTP clients such as ncftp, wget, and Mozilla support this format and can convert it to human-readable text. However, if you want to configure Publicfile to always show pretty file listings, you can apply a patch available from www.publicfile.org. Instead of compiling as I outlined above, use the following procedure:

  $ wget http://cr.yp.to/publicfile/publicfile-0.52.tar.gz
  $ tar xzvf publicfile-0.52.tar.gz
  $ cd publicfile-0.52
  $ wget http://publicfile.org/ftp-ls-patch
  $ patch < ftp-ls-patch
  $ make
  # make setup check
The only additions are the wget and patch commands. This re-compiles publicfile and installs it over the old version. The new patched version will be available for all subsequent connections:

  $ ftp my_ftp_server
  Name (my_ftp_server:jdoe): anonymous
  230 Hi. No need to log in; I'm an anonymous ftp server.
  ftp> ls
  +i2054.507,m976862021,/,      file-tests
  ftp> cd file-tests
  200 Okay.
  150 Making transfer connection...
  150 Making transfer connection...
  dr-xr-xr-x  2 pub  pub       4096 Sep 30 21:50 file-tests

It shows all files as being owned by pub:pub, even if that user/group ID doesn’t exist, and shows all files as being world readable. However, this output format is easier for humans to read, and is parseable by more FTP client software.
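To make the two listing formats above concrete, here is an added example (my own code, not part of Publicfile or the ftp-ls patch) that parses EPLF lines the way a client such as ncftp or wget must, and renders each entry in the ls-style form the patched server produces. The sample listing is constructed from the session shown above, with the tab that EPLF places before each name (the post's rendering turned those tabs into spaces); the `EplfEntry` and `to_ls_line` names are my own.

```python
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing in EPLF. Each line is '+', comma-separated
# facts, a tab, then the file name. Facts used by publicfile: i (identity),
# m (mtime, seconds since epoch), r (retrievable), / (listable directory),
# s (size in bytes). The last two lines exercise an entry without an mtime
# and a non-EPLF line that a client must tolerate.
SAMPLE_EPLF = (
    "+i2054.96042,m977254940,r,s108147,\tfile1.tgz\r\n"
    "+i2054.96092,m962174273,r,s8246,\tfile2\r\n"
    "+i2054.96093,m976767600,r,s105638,\tfile3.gif\r\n"
    "+i2054.506,m1033422657,/,\tmore-files\r\n"
    "+i2054.9999,r,s12,\tno-mtime\r\n"
    "this is not an EPLF line\r\n"
)


@dataclass
class EplfEntry:
    name: str
    is_dir: bool = False
    retrievable: bool = False
    size: Optional[int] = None
    mtime: Optional[int] = None
    identifier: Optional[str] = None


def parse_eplf_line(line: str) -> Optional[EplfEntry]:
    """Parse one EPLF line; return None if the line is not EPLF."""
    line = line.rstrip("\r\n")
    if not line.startswith("+") or "\t" not in line:
        return None  # a real client would fall back to its ls-style parsers
    facts, name = line[1:].split("\t", 1)
    entry = EplfEntry(name=name)
    for fact in facts.split(","):
        if not fact:
            continue
        key, value = fact[0], fact[1:]
        if key == "/":
            entry.is_dir = True
        elif key == "r":
            entry.retrievable = True
        elif key == "s":
            entry.size = int(value)
        elif key == "m":
            entry.mtime = int(value)
        elif key == "i":
            entry.identifier = value
        # Unknown facts are skipped: EPLF is designed to be extended.
    return entry


def parse_eplf(listing: str) -> List[EplfEntry]:
    """Parse a whole LIST response, dropping non-EPLF lines."""
    entries = []
    for line in listing.splitlines():
        entry = parse_eplf_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def to_ls_line(entry: EplfEntry) -> str:
    """Render an entry like the ftp-ls patch does: read-only, owner pub:pub."""
    mode = "dr-xr-xr-x" if entry.is_dir else "-r--r--r--"
    size = entry.size if entry.size is not None else 0
    if entry.mtime is None:
        stamp = "            "  # twelve blanks keep the columns aligned
    else:
        stamp = time.strftime("%b %d %H:%M", time.gmtime(entry.mtime))
    return f"{mode}  1 pub  pub  {size:>10} {stamp} {entry.name}"


if __name__ == "__main__":
    for e in parse_eplf(SAMPLE_EPLF):
        print(to_ls_line(e))
```

The `m` fact is rendered with `gmtime`, so the directory line from the sample comes out as `Sep 30 21:50 more-files`, matching the timestamp the patched server printed in the post.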

Logs are stored in /public/ftpd/log/main/ using multilog. The first element is the timestamp, the next is the client IP address, and the rest are pretty self explanatory:

  $ tail /public/ftpd/log/main/current
  @400000003d9041dc18579eec tcpserver: status: 3/40
  @400000003d9041dc1888a1cc tcpserver: pid 7699 from 192.168.217.179
  @400000003d9041dc1888e04c tcpserver: ok 7699 0:296.182.99.81:21:192.168.217.179::2417
  @400000003d9041de37c88674 192.168.217.179 dir ./0/: success
  @400000003d9041f438d66c34 192.168.217.179 dir ./0/file-tests/: success
  @400000003d9041861ac18a6c 192.168.217.179 read ./0/file-tests/file2: success
  @400000003d90420230761314 tcpserver: end 7699 status 0
  @400000003d90420230763e0c tcpserver: status: 2/40
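The multilog timestamps are TAI64N labels, which is why they look opaque. As an added example (my own code, not from daemontools or Publicfile), here is a small parser for this log layout that decodes the labels, separates the ftpd lines (client, operation, path, result) from the tcpserver bookkeeping, and summarises which clients read what and how close the server came to its connection limit. The log excerpt is constructed from the lines shown above; the `parse_line` and `summarize` names are my own.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed excerpt in the layout of /public/ftpd/log/main/current.
SAMPLE_LOG = """\
@400000003d9041dc18579eec tcpserver: status: 3/40
@400000003d9041dc1888a1cc tcpserver: pid 7699 from 192.168.217.179
@400000003d9041dc1888e04c tcpserver: ok 7699 0:296.182.99.81:21:192.168.217.179::2417
@400000003d9041de37c88674 192.168.217.179 dir ./0/: success
@400000003d9041f438d66c34 192.168.217.179 dir ./0/file-tests/: success
@400000003d9041861ac18a6c 192.168.217.179 read ./0/file-tests/file2: success
@400000003d90420230761314 tcpserver: end 7699 status 0
@400000003d90420230763e0c tcpserver: status: 2/40
"""

# '@' + 16 hex digits (TAI seconds + 2**62) + 8 hex digits (nanoseconds).
TAI64N = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) (.*)$")
# ftpd lines: <client ip> <dir|read> <path>: <result>
FTPD = re.compile(r"^(\S+) (dir|read) (\S+): (\S+)$")
# tcpserver concurrency report: current/limit (the limit comes from -c).
STATUS = re.compile(r"^tcpserver: status: (\d+)/(\d+)$")


def tai64n_to_seconds(seconds_hex: str, nanos_hex: str):
    """Decode a TAI64N label into (TAI seconds since 1970, nanoseconds).

    These are TAI seconds, not UTC: converting needs a leap-second table
    (tai64nlocal from daemontools does this). In 2002 TAI ran 32 s ahead.
    """
    return int(seconds_hex, 16) - (1 << 62), int(nanos_hex, 16)


def parse_line(line: str):
    """Classify one log line; return None for lines without a TAI64N label."""
    m = TAI64N.match(line)
    if not m:
        return None
    secs, nanos = tai64n_to_seconds(m.group(1), m.group(2))
    rest = m.group(3)
    rec = {
        "tai_seconds": secs,
        "nanoseconds": nanos,
        # Labelled TAI because no leap-second correction is applied here.
        "tai_stamp": datetime.fromtimestamp(secs, timezone.utc).strftime("%Y-%m-%d %H:%M:%S TAI"),
        "raw": rest,
    }
    f = FTPD.match(rest)
    if f:
        rec.update(kind="ftpd", client=f.group(1), op=f.group(2),
                   path=f.group(3), result=f.group(4))
        return rec
    s = STATUS.match(rest)
    if s:
        rec.update(kind="status", connections=int(s.group(1)), limit=int(s.group(2)))
        return rec
    rec["kind"] = "tcpserver"  # pid/ok/end lines: connection lifecycle
    return rec


def summarize(log: str) -> dict:
    """Per-client read counts, peak concurrency, and any non-success results."""
    records = [r for r in map(parse_line, log.splitlines()) if r is not None]
    reads = Counter(r["client"] for r in records if r.get("op") == "read")
    statuses = [r for r in records if r["kind"] == "status"]
    failures = [r for r in records if r["kind"] == "ftpd" and r["result"] != "success"]
    return {
        "records": len(records),
        "reads_per_client": reads,
        "peak_connections": max((r["connections"] for r in statuses), default=0),
        "connection_limit": statuses[0]["limit"] if statuses else None,
        "failures": failures,
    }


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LOG.splitlines()):
        print(rec["tai_stamp"], rec["kind"], rec["raw"])
    print(summarize(SAMPLE_LOG))
```

The `peak_connections` versus `connection_limit` pair is the number worth watching when you tune tcpserver's concurrency limit: the `3/40` in the sample means three of forty allowed connections were in use when that line was written.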

For more information about Publicfile, including patches that may be useful should you want to use it as your HTTP server, see http://www.publicfile.org/ .
