The KWuFTPd Handbook

Jonathan Singer <jsinger@genome.wi.mit.edu>
Bernhard Rosenkraenzer <bero@redhat.com>, Developer
Lauri Watts <vampyr@atconnex.net>, Reviewer

Copyright 2000 Jonathan Singer. This document is licensed under the GNU Free Documentation License.

14/12/2000, version 0.2.0

KWuFTPd is a KDE front-end for editing wu-ftpd's ftpaccess files.

Keywords: KDE, kwuftpd, kdeadmin, ftp, server, configuration
Introduction

Unix operating systems are perhaps best known for their role in running servers. It can be difficult, however, for users to configure the files necessary to manage those services. At the same time, many distributors overcompensate for that difficulty by shipping systems that default to dangerously open configurations.

KWuFTPd is a KDE front-end for editing wu-ftpd's ftpaccess files. KWuFTPd was originally written for BeroFTPD 1.2.1 and has been adapted to the version of wu-ftpd 2.6.1 found in Red Hat Linux 7.0. If you are using a newer version of wu-ftpd with more features, you will have to update your KWuFTPd (or edit ftpaccess by hand) to make use of them.

KWuFTPd is still beta; make a backup copy of your ftpaccess file before editing it with KWuFTPd.

KWuFTPd was written by Bernhard Rosenkraenzer <bero@redhat.com> and is (c) 2000 Red Hat, Inc.

Disclaimers

Beyond the usual disclaimers that come with software (we take no responsibility for anything bad that might happen), it should be pointed out that KWuFTPd controls the ability of users to connect to your system and add, delete and modify files. Some things to keep in mind:

KWuFTPd makes it easier to establish a secure server; it does not guarantee it. There is a wealth of books, web sites and courses on network security, and administrators should take advantage of them.

Examples given in this documentation are intended to show the operation of KWuFTPd. They are not security recommendations and should not be treated as such.

Be sure to back up the /etc/ftpaccess file before modifying it with KWuFTPd.

Basic FTP setup

KWuFTPd is only useful on a system with a working FTP server. Setting up a server is beyond the scope of this document, but in a nutshell:

wu-ftpd or a similar FTP server must be installed. The anonftp package can also be helpful for enabling anonymous FTP.
The /etc/inetd.conf file should contain a line like:

    # ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a

Uncomment the line by removing the # from the start of it. If your system shipped with the line already uncommented, treat that as a warning sign and comment out any other services that you do not want.

Restart inetd so that it rereads /etc/inetd.conf. (Entering /etc/rc.d/init.d/inet restart at the command line works on Red Hat and similar systems.)

Using KWuFTPd

Starting KWuFTPd

To launch KWuFTPd, select System > FTPD Editor from the KDE menu, or type kwuftpd at the command line. The standard Qt and KDE command-line options are available; they are listed in the command-line help for kwuftpd.

About FTP accounts

KWuFTPd often asks you to distinguish between three types of users:

Anonymous: For use by anyone who can connect to the server. These users log in as ftp or anonymous and submit their email address as the password.
Guest: Users with FTP accounts in /etc/ftpusers but not full accounts on the system.
Real: Users with accounts on the system.

Menu Commands

The File menu

File > Load /etc/ftpaccess: Open /etc/ftpaccess, the standard wu-ftpd configuration file, for editing.
File > Load other file: Open a different file for editing. Useful if you want to experiment with a different file before committing your changes to /etc/ftpaccess.
File > Save /etc/ftpaccess: Save changes to /etc/ftpaccess.
File > Save other file: Save changes to a file to be specified.
File > Quit: Close KWuFTPd.

The Help menu

Help > Contents... (F1): Open this document.
Help > What's This (Shift+F1): Select this command and then click on an item to learn more about it. KWuFTPd has very extensive What's This documentation.
Help > Report Bug...: Open a convenient dialog for reporting bugs in KWuFTPd.
Help > About KWuFTPd...: Provides information about KWuFTPd.
Help > About KDE...: Provides information about the KDE project.
User Classes

The User Classes Panel (screenshot)

This panel allows you to create user classes for certain IP addresses or blocks of addresses and to control the privileges of those classes. For example, this lets you give anonymous or guest users greater than normal permissions when they log in from certain machines.

To create a new class, hit the Add Class button and, in the resulting dialog box, enter the name of the new class, the privilege levels that can belong to the class (more on this below) and the IP address for that class. A * character can be used to define a block of addresses. (For example, 127.0.0.* includes all local users.) When done, hit OK.

Back in the User Classes panel, you can select a class and modify its description and behavior. The IP address can be modified. The class can be defined to include anonymous, guest and/or real users from that address. Checking the Autogroup to box causes logins in the class to be assigned to the selected group and given its privileges.

The right side of the panel allows classes to be assigned limits on the number of simultaneous logins during specified times. You can also specify the message to be shown when the user limit is exceeded.

In the screenshot, real users logging in from 127.0.0.* are autogrouped to jsinger and only one user in that class is allowed at any time.

Directories

The Directories Panel (screenshot)

This panel allows you to specify the root directory for anonymous and guest users. (Real users see the real filesystem.) It also allows you to specify the password and shadow password files to be used. If no file is specified, the system file will be used by default.

In the screenshot, anonymous users see a filesystem rooted at /home/ftp/pub, while guest users have default access. Special ftp password files are used in place of the system files.
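To make the class, limit and autogroup behaviour of the User Classes panel concrete, here is an added example (not KWuFTPd code, and not from the handbook) that reads the kind of ftpaccess lines the panel produces and works out which class a login falls into, whether that class's connection limit admits it, and which group it is autogrouped to. The ftpaccess text is constructed; the class names and the jsinger group follow the screenshot. Two points are this author's assumptions rather than statements of the handbook: classes are tried in file order with the first match winning, and a login matching no class is refused.

```python
import fnmatch

# Constructed sample of the lines the User Classes panel writes.
FTPACCESS = """\
class local real                 127.0.0.*
class staff real,guest           10.1.2.*
class all   anonymous,guest,real *
limit local 1  Any /etc/msgs/msg.toomany
limit all   10 Any /etc/msgs/msg.toomany
autogroup jsinger local
"""


def parse_ftpaccess(text):
    """Split ftpaccess into (directive, args) tuples, dropping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            rules.append((directive, args))
    return rules


def resolve_class(rules, login_type, client_ip):
    """Name of the first class whose type list contains login_type and whose
    address glob matches client_ip; None when nothing matches.  Assumption:
    classes are tried in file order and the first hit wins."""
    for directive, args in rules:
        if directive != "class" or len(args) < 3:
            continue
        name, types, *patterns = args
        if login_type in types.split(",") and any(
                fnmatch.fnmatchcase(client_ip, pat) for pat in patterns):
            return name
    return None


def class_limit(rules, class_name):
    """Simultaneous-login cap from the class's limit line, or None if unlimited."""
    for directive, args in rules:
        if directive == "limit" and len(args) >= 2 and args[0] == class_name:
            return int(args[1])
    return None


def autogroup_for(rules, class_name):
    """Group the class is autogrouped to, or None."""
    for directive, args in rules:
        if directive == "autogroup" and class_name in args[1:]:
            return args[0]
    return None


def admit(rules, login_type, client_ip, logins_per_class):
    """Decide a new login: (admitted, class, group_or_reason).  Assumption:
    a login that matches no class is refused."""
    cls = resolve_class(rules, login_type, client_ip)
    if cls is None:
        return False, None, "no class matches this user and address"
    cap = class_limit(rules, cls)
    if cap is not None and logins_per_class.get(cls, 0) >= cap:
        return False, cls, "class limit reached"
    return True, cls, autogroup_for(rules, cls)


RULES = parse_ftpaccess(FTPACCESS)

if __name__ == "__main__":
    for who, ip in [("real", "127.0.0.1"), ("anonymous", "127.0.0.1"),
                    ("guest", "10.1.2.7"), ("guest", "192.0.2.9")]:
        print(who, ip, "->", admit(RULES, who, ip, {"local": 1}))
```

The order of the class lines matters: because the catch-all class comes last, a real user from 127.0.0.* lands in the more privileged local class, while the same address used by an anonymous login falls through to all. Reordering the lines in the panel changes which privileges apply.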
Security

The Security Panel (screenshot)

This panel allows you to specify various security options.

The Noretrieves window allows certain files or directories to be blocked from downloading. Hit the Add button and select the file to be blocked. Select an entry and hit Remove to take the file off the list.

Number of allowed failed logins causes connections to be closed after the specified number of login failures.

Checking Permit SITE GROUP allows users to change the group they belong to with the SITE command.

Permission to use the chmod, delete, overwrite, rename and umask commands can be extended or denied to anonymous, guest and/or real users.

Anonymous users are expected to supply their email address as a password. The degree of enforcement can be controlled:

No: There is no checking of the given password.
trivial: The password must contain an @ character.
RFC822: The password must be in the form of a valid address.

If the Enforce box is checked, logins failing the test will be denied; otherwise a warning will be issued.

In the screenshot, the /bin and /sbin directories and the /etc/passwd file are blocked from downloads. Connections are dropped after 5 failures, SITE is forbidden, commands are forbidden to anonymous users and allowed for guest and real accounts. Anonymous users submitting non-RFC-compliant email addresses are warned.

Messages

The Messages Panel (screenshot)

This panel allows you to specify messages to be shown to the logged-in user.

Select a file for the banner to be displayed on connection (before login). Some extremely old FTP clients may be confused by a banner.

The hostname can be specified. This will be reported to the user upon login, and can also be inserted in other messages (as %L). If no hostname is given, the real hostname will be used. Similarly, an administrator email address can be defined for insertion in messages (as %E).
Check the boxes to cause messages and READMEs to be shown to the user every time the triggering event (explained below) occurs; otherwise they will only be shown the first time.

Hit the Add Message button to indicate text to be displayed to the user. You will be prompted for the location of the text file, whether it will be displayed on login or on change to a specified directory, and whether it will be displayed for all user classes or only particular ones. Similarly, the user can be notified of README files upon login or on change to a directory.

In the screenshot, the text in /home/ftp/welcome.txt will be displayed on connection. The hostname camelot and the admin address jsinger@leeta.net will be inserted in messages, but no messages or READMEs have been defined yet.

Logging

The Logging Panel (screenshot)

This panel allows you to control what activities will be logged (to /var/log/xferlog). Anonymous, guest and real users can have different events logged, including issued commands, uploads, downloads and security violations (like login failures). Checking Redirect log to syslog sends the log entries to the system log instead of the FTP log.

Mail can be sent to the administrator when files are uploaded. The From: address of the mails, the mail server and the administrator's email address can be specified.

In the screenshot, all commands and transfers are logged, as are security violations by real users. Uploads are signalled by a message to admin from Upload Notice sent through the default mail server.

Ratios

The Ratios Panel (screenshot)

This panel allows you to restrict the usage of anonymous and guest users. Each of these restrictions can be applied to anonymous or guest users.

Upload/download ratio: For example, setting this to 1:5 requires users to upload 1 megabyte of data for each 5 megabytes downloaded.
Setting this to an optimum value is key to your success as an aspiring w4r3z kiddi3.
Time limit: Allow users to connect for this amount of time.
Upload limit: Set the maximum number of bytes that can be uploaded per session.
Download limit: Set the maximum number of bytes that can be downloaded per session.

Files and directories can be exempted from upload and download limits.

In the screenshot, ratios are off, and anonymous users are allowed 15 minutes and 10 megabytes of downloads per connection.

Uploads

The Uploads Panel (screenshot)

This panel allows you to control where and how users are allowed to upload files. Hit Add to create a new rule set, Edit to modify the selected set and Delete to remove the selected set.

Each set applies to users with a specified root directory and affects a specified upload directory. The upload directory may be globbed (for example, /home/ftp/upload/* includes all contents of /home/ftp/upload). Uploads can be permitted or denied, and the permissions of the created files and their owner and group can be set. The ability to create new directories within the upload directory can be granted or denied.

Virtual Hosts

The Virtual Hosts Panel (screenshot)

The following items can be specified for each address:

Root directory: What the logged-in user sees as the filesystem root (/).
Banner: A file whose contents will be displayed to the user upon connection. The file location is relative to the root set above.
Logfile: Transfers will be logged to this file.
Passwd file: An alternate password file can be specified. Otherwise the system password file will be used.
Shadow file: An alternate shadow password file can be specified. Otherwise the system shadow password file will be used.
Hostname: The hostname displayed upon login and inserted as %L in message files.
Administrative email: The email address to be inserted as %E in message files.
Anonymous logins can be allowed or denied. Real users can be allowed or denied access to the virtual server. Specific users can also be allowed or denied access.

In the screenshot, the virtual host 211.22.55.114 has a filesystem rooted at /home/ftp/virtual on the real system. It uses separate password and shadow password files in /home/ftp, displays the hostname ganesh and the admin address root, and allows anonymous logins and logins from all real users.

Credits and Licenses

KWuFTPd was written by Bernhard Rosenkraenzer <bero@redhat.com> and is copyright 2000 Red Hat, Inc.

Documentation copyright 2000 by Jonathan Singer <jsinger@leeta.net>.

This documentation is licensed under the terms of the GNU Free Documentation License. This program is licensed under the terms of the GNU General Public License.

Installation

KWuFTPd is part of the KDE 2.0 base packages. It will automatically be installed with your KDE installation and requires KDE 2.0 to function. For more information, visit the KDE website at http://www.kde.org.

To obtain KWuFTPd separately, it is part of the kdeadmin package, and should be compiled and installed as indicated in the package's main directory. New versions of kdeadmin can be obtained at ftp://ftp.kde.org/pub/.

To build KWuFTPd:

    % cd kdeadmin/kwuftpd
    % ./configure
    % make

Then as root:

    # make

You also require an ftpd that can handle the generated ftpaccess files. KWuFTPd was written for wu-ftpd 2.6.1 (ftp://ftp.wu-ftpd.org/pub/wu-ftpd/). You can use the files with wu-ftpd 2.5.0 as well, but don't expect all the features to work.
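The Security panel and the Uploads panel together decide whether anonymous users can guess passwords cheaply, fetch /etc/passwd, change or delete files, and drop world-writable files into the tree. The following audit script is an added example for this handbook, not KWuFTPd code, and checks a saved ftpaccess file for those settings. Both sample configurations are constructed: the permissive one is the kind of default the Introduction warns about, the hardened one is what the Security panel screenshot describes (noretrieve on /bin, /sbin and /etc/passwd, 5 failed logins, RFC822 check with a warning, write commands denied to anonymous and allowed to guest and real). The directive spellings (noretrieve, loginfails, passwd-check, chmod/delete/overwrite/rename/umask with a yes|no and a type list, upload with root, dirglob, yes|no, owner, group, mode and dirs|nodirs) are this author's reading of wu-ftpd 2.6.x's ftpaccess format, and the thresholds flagged are this author's choices, not the handbook's.

```python
# Constructed samples; directive forms and thresholds are this author's, not the handbook's.
PERMISSIVE = """\
loginfails 20
passwd-check none
chmod     yes anonymous,guest,real
delete    yes anonymous,guest,real
overwrite yes anonymous,guest,real
rename    yes anonymous,guest,real
umask     yes anonymous,guest,real
upload /home/ftp * yes ftp ftp 0777 dirs
"""

HARDENED = """\
noretrieve /bin /sbin /etc/passwd
loginfails 5
passwd-check rfc822 warn
chmod     no  anonymous
delete    no  anonymous
overwrite no  anonymous
rename    no  anonymous
umask     no  anonymous
chmod     yes guest,real
delete    yes guest,real
overwrite yes guest,real
rename    yes guest,real
umask     yes guest,real
upload /home/ftp *         no
upload /home/ftp /incoming yes ftp ftp 0600 nodirs
"""

WRITE_COMMANDS = ("chmod", "delete", "overwrite", "rename", "umask")


def parse(text):
    """Group directive argument lists by directive name, in file order."""
    by_name = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            by_name.setdefault(directive, []).append(args)
    return by_name


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse(text)
    findings = []

    # Failed-login cap: unset or generous makes password guessing cheap.
    lf = cfg.get("loginfails")
    if not lf:
        findings.append("loginfails is not set")
    elif int(lf[-1][0]) > 5:
        findings.append(f"loginfails {lf[-1][0]} is high")

    # passwd-check none: the anonymous "password" is never looked at.
    pc = cfg.get("passwd-check")
    if not pc or pc[-1][0].lower() == "none":
        findings.append("passwd-check is none or unset")

    # The handbook's screenshot blocks /etc/passwd from download.
    blocked = {path for args in cfg.get("noretrieve", []) for path in args}
    if "/etc/passwd" not in blocked:
        findings.append("/etc/passwd is not in noretrieve")

    # Write-capable commands granted to anonymous users.
    for cmd in WRITE_COMMANDS:
        for args in cfg.get(cmd, []):
            if len(args) >= 2 and args[0] == "yes" and "anonymous" in args[1].split(","):
                findings.append(f"{cmd} is allowed for anonymous")

    # Upload rules: a catch-all dirglob, or a group/world-writable file mode.
    for args in cfg.get("upload", []):
        if len(args) < 3 or args[2] != "yes":
            continue
        root, dirglob = args[0], args[1]
        if dirglob == "*":
            findings.append(f"uploads allowed everywhere under {root}")
        if len(args) >= 6 and int(args[5], 8) & 0o022:
            findings.append(f"uploads into {dirglob} get mode {args[5]} (group/world-writable)")
    return findings


if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(label, audit(text) or ["ok"])
```

A useful habit is to run such a check on the file KWuFTPd has just saved (or on the copy made with File > Save other file) before it replaces /etc/ftpaccess, since the panels will happily write any combination of settings.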