Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Network Services Oracle Solaris 11 Express 11/10 |
Part I Network Services Topics
Part II Accessing Network File Systems Topics
4. Managing Network File Systems (Overview)
5. Network File System Administration (Tasks)
6. Accessing Network File Systems (Reference)
8. Planning and Enabling SLP (Tasks)
10. Incorporating Legacy Services
Part V Serial Networking Topics
15. Solaris PPP 4.0 (Overview)
16. Planning for the PPP Link (Tasks)
17. Setting Up a Dial-up PPP Link (Tasks)
18. Setting Up a Leased-Line PPP Link (Tasks)
19. Setting Up PPP Authentication (Tasks)
20. Setting Up a PPPoE Tunnel (Tasks)
21. Fixing Common PPP Problems (Tasks)
22. Solaris PPP 4.0 (Reference)
23. Migrating From Asynchronous Solaris PPP to Solaris PPP 4.0 (Tasks)
25. Administering UUCP (Tasks)
Part VI Working With Remote Systems Topics
27. Working With Remote Systems (Overview)
28. Administering the FTP Server (Tasks)
Administering the FTP Server (Task Map)
How to Define FTP Server Classes
How to Control the Number of Invalid Login Attempts
How to Set Up Anonymous FTP Users
How to Create the /etc/shells file
How to Customize Message Files
How to Create Messages to Be Sent to Users
How to Configure the README Option
Controlling Access to Files on the FTP Server
How to Control File Access Commands
Controlling Uploads and Downloads on the FTP Server
How to Control Uploads to the FTP Server
How to Control Downloads to the FTP Server
How to Enable Limited Virtual Hosting
How to Enable Complete Virtual Hosting
Starting the FTP Server Automatically
How to Start an FTP Server Using SMF
How to Start a Standalone FTP Server in the Background
How to Start a Standalone FTP Server in the Foreground
How to Shut Down the FTP Server
How to Check syslogd for FTP Server Messages
How to Use greeting text to Verify ftpaccess
How to Check the Commands Executed by FTP Users
Configuration Help for Busy Sites
29. Accessing Remote Systems (Tasks)
Part VII Monitoring Network Services Topics
You can use the following configuration files in the /etc/ftpd directory to control access to the FTP server.
ftpusers is used to list users who are denied access to the FTP server.
ftphosts is used to allow or deny login from various hosts to various accounts on the FTP server.
ftpaccess is the main FTP configuration file. The FTP server only reads the /etc/ftpd/ftpaccess file if called with the -a option. When the ftpaccess file is used, all users must be members of a class to be allowed access to the FTP server. You can specify many ftpaccess directives that apply only to a particular class.
For further information, see ftpusers(4), ftphosts(4), and ftpaccess(4).
Note - In all FTP server configuration files, lines beginning with # signs are treated as comments.
To log in to the FTP server, users must be members of a class when the ftpaccess file is used. To add the class directive to the ftpaccess file, you specify the class name, typelist of users who are permitted access from a particular host.
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
class class typelist addrglob[addrglob...]
Keyword that is used to define FTP users.
A name that is defined by the class keyword. Each login is compared against a list of defined classes. The logged in user is considered a member of the first class matched.
A comma-separated list of the keywords that match the three types of users: anonymous, guest, and real.
A globbed domain name or a globbed numeric address. The addrglob can also be the name of a file, starting with a slash (`/`), which contains additional address globs: address:netmask or address/cidr.
Here are some examples of globbed addresses:
Numeric IPv4 address: 10.1.2.3
Globbed domain name *.provider.com
Globbed numeric IPv4 address 10.1.2.*
Numeric IPv4 address:netmask 10.1.2.0:255.255.255.0
Numeric IPv4 address/CIDR 10.1.2.0/24
Numeric IPv6 address: 2000::56:789:21ff:fe8f:ba98
Numeric IPv6 address/CIDR: 2000::56:789:21ff:fe8f:ba98/120
Example 28-1 Defining FTP Server Classes
class local real,guest,anonymous *.provider.com class remote real,guest,anonymous *
The previous example defines the local class as any user of the type real, guest, or anonymous who logs in from *.provider.com. The last line defines remote as any user who logs in from anywhere other than *.provider.com.
You can limit the number of simultaneous logins by users of a certain class with directives that are set in the ftpaccess file. Each login limit contains the name of a class, a UUCP-style days-of-week list, and a message file to display if the limit is exceeded.
To set user login limits, follow the steps in the next procedure.
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
limit class n times [message-file]
Keyword that is used to restrict simultaneous logins by the specified number of users of a defined class at certain connection times.
A name that is defined by the class keyword. Each login is compared against a list of defined classes. The logged-in user is considered a member of the first class matched.
Number of users.
Day-of-week and time-of-day when the class can connect. Use Any for any day.
Message file that is displayed if a user is denied access.
Example 28-2 Setting User Login Limits
limit anon 50 Wk0800-1800 /etc/ftpd/ftpmsg.deny limit anon 100 Any /etc/ftpd/ftpmsg.deny limit guest 100 Any /etc/ftpd/ftpmsg.deny
The first line of the preceding example shows a limit of 50 simultaneous logins that are allowed to users of class anon during weekly work hours. The second line limits anon users to 100 simultaneous logins outside of working hours. The last line shows a limit of 100 guest logins that are allowed at any time. For information on how to specify day and time parameters, see ftpaccess(4).
The example further indicates that the content of the file /etc/ftpd/ftpmsg.deny is returned when a specified login limit is reached, assuming ftpmsg.deny exists. For information on using the /usr/sbin/ftpcount command to view the number and login limit for each class of user who is logged in at a particular time, see ftpcount(1).
Users are allowed login to the FTP server unless a specified limit is reached. Anonymous users are logged in as the user ftp. Real users are logged in as themselves, and guests are logged in as real users with a chroot environment to limit access privileges.
For information on using the /usr/sbin/ftpwho command to check the identities of the users logged into the FTP server, see ftpwho(1).
If a login to the FTP server fails because of a problem such as misspelling required information, login is usually repeated. The user is allowed a specific number of consecutive login attempts before a message is logged to the syslog file. At that point, the user is disconnected. You can set a failure limit on the number of login attempts by following steps in the next procedure.
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
loginfails n
Keyword that is used to assign the number of login failures that are permitted before the FTP connection is terminated
Number of times a login can fail
Example 28-3 Controlling the Number of Invalid Login Attempts
loginfails 10
The preceding example states that the user is disconnected from the FTP server after 10 failed login attempts.
The /etc/ftpd/ftpusers file lists names of users who are not allowed to log in to the FTP server. When login is attempted, the FTP server checks the /etc/ftpd/ftpusers file to determine whether the user should be denied access. If the user's name is not found in that file, the server then searches the /etc/ftpusers file.
If the user's name is matched in /etc/ftpusers, a syslogd message is written with a statement that the match was found in a deprecated file. The message also recommends the use of /etc/ftpd/ftpusers instead of /etc/ftpusers.
Note - Support for the /etc/ftpusers file has been deprecated in this release. If the /etc/ftpusers file exists when the FTP server is installed, the file is moved to /etc/ftpd/ftpusers.
For additional information, see syslogd(1M), in.ftpd(1M), and ftpusers(4)
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
Example 28-4 Disallowing FTP Server Access
root daemon bin sys adm lp uccp nuucp listen nobody noaccess nobody4
The previous example lists the typical entries in the ftpusers file. User names match entries in the /etc/passwd. The list generally includes the root and other administrative and system application identities.
The root entry is included in the ftpusers file as a security measure. The default security policy is to disallow remote logins for root. The policy is also followed for the default value that is set as the CONSOLE entry in the /etc/default/loginfile. See login(1).
In addition to the controls mentioned previously, you can add explicit statements to the ftpaccess file to restrict access to the FTP server.
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
defaultserver deny username [username...]
Keyword that is used to identify the non-virtual server to which access can be denied or allowed
Login name of a user with restricted access to the defaultserver
defaultserver allow username [username...]
defaultserver private
Example 28-5 Restricting Access to the Default FTP Server
defaultserver deny * defaultserver allow username
The previous example states that the FTP server denies access to all users except anon users and those users who are listed on the allow line.
You can also use the ftphosts file to deny access to particular login accounts from various hosts. See ftphosts(4) for additional information.