Restricting FTP Access

Edit: Some links no longer work.

Originally posted September 24, 2013 on AIXchange

A customer was trying to restrict user access to a particular directory on an AIX system when FTP was used. We came across two good options. First, I recalled this exchange on Twitter:

            sungokcho: RT @ibmaix: #AIX #tip to restrict ftp user to a given directory use /etc/ftpaccess.ctl. It is useful if the user connects via winscp (via @JuanMDia35)

This 2009 post covers the same thing. And here’s some detailed information:

            ftpaccess.ctl File

            The /etc/ftpaccess.ctl file is searched for lines that start with allow:, deny:, readonly:, writeonly:, readwrite:, useronly:, grouponly:, herald: and/or motd:. Other lines are ignored. If the file doesn’t exist, then ftp access is allowed for all hosts. The allow: and deny: lines are for restricting host access. The readonly:, writeonly: and readwrite: lines are for restricting ftp reads (get) and writes (put). The useronly: and grouponly: lines are for defining anonymous users. The herald: and motd: lines are for multiline messages before and after login.

The syntax for all lines in /etc/ftpaccess.ctl is in the form:

            keyword: value, value, …

            where you can specify one or more values for every keyword. You can have multiple lines with the same keyword. The lines in /etc/ftpaccess.ctl are limited to 1024 characters; anything beyond 1024 characters will be ignored.

            The syntax for the allow: and deny: lines is:

            allow: host, host, …

            deny: host, host, …

            If an allow: line is specified, then only the hosts listed in all the allow: lines are allowed ftp access. All other hosts will be refused ftp access. If there is no allow: line, then all hosts will be given ftp access except those hosts specified in the deny: line(s). The host can be specified as either a hostname or IP address.

            The syntax for the readonly:, writeonly: and readwrite: lines is:

            readonly: dirname, dirname, …

            writeonly: dirname, dirname, …

            readwrite: dirname, dirname, …

            The readonly: lines list the read-only directories and the writeonly: lines list the write-only directories. Read access is denied in a write-only directory and write access is denied in a read-only directory. All other directories are granted access except when a readwrite: line is specified. If a readwrite: line is specified, only directories listed in the readwrite: line and/or listed in the readonly: line are granted access for reading, AND only directories listed in the readwrite: line and/or listed in the writeonly: line are granted access for writing. Also, these lines can have a value of “ALL” or “NONE”.

            The syntax for the useronly:, puseronly:, grouponly:, and pgrouponly: lines is:

            useronly: username, username, …

            puseronly: username, username, …

            grouponly: groupname, groupname, …

            pgrouponly: groupname, groupname, …
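The host and directory rules quoted above have a few interactions that are easy to get wrong by hand (allow: lines silently turn deny: lines off, and a single readwrite: line flips every unlisted directory from open to closed). The following Python evaluator is an added worked example, not AIX ftpd's code and not from the original post: it parses an ftpaccess.ctl text and answers "is this host allowed" and "can this user get/put in this directory" exactly as the documentation describes. The two sample files are constructed. One assumption the documentation does not state: a listed directory is taken to cover its subdirectories as well.

```python
"""Evaluator for the /etc/ftpaccess.ctl rules quoted above.

Added example: this models the documented semantics; it is not AIX ftpd's code.
Assumption (not stated in the documentation): a directory entry also covers
its subdirectories.
"""
from __future__ import annotations

KEYWORDS = ("allow", "deny", "readonly", "writeonly", "readwrite")
MAX_LINE = 1024  # the documentation says longer lines are ignored


def parse_ftpaccess(text: str) -> dict:
    """Collect the values of the access-control keywords; every other line is ignored."""
    rules = {k: [] for k in KEYWORDS}
    for raw in text.splitlines():
        if len(raw) > MAX_LINE or ":" not in raw:
            continue
        keyword, _, rest = raw.partition(":")
        keyword = keyword.strip().lower()
        if keyword in rules:
            rules[keyword].extend(v.strip() for v in rest.split(",") if v.strip())
    return rules


def host_allowed(rules: dict, host: str) -> bool:
    """allow: lines, if any, form an exclusive list; otherwise only deny: lines apply."""
    if rules["allow"]:
        return host in rules["allow"]
    return host not in rules["deny"]


def _covers(entries: list, dirname: str) -> bool:
    """ALL / NONE are keywords; otherwise match the directory or (assumed) a parent of it."""
    if "NONE" in entries:
        return False
    if "ALL" in entries:
        return True
    dirname = dirname.rstrip("/") or "/"
    for entry in entries:
        entry = entry.rstrip("/") or "/"
        prefix = "/" if entry == "/" else entry + "/"
        if dirname == entry or dirname.startswith(prefix):
            return True
    return False


def can_read(rules: dict, dirname: str) -> bool:
    """get is refused in write-only directories; once a readwrite: line exists,
    reads are limited to readwrite: and readonly: directories."""
    if _covers(rules["writeonly"], dirname):
        return False
    if rules["readwrite"]:
        return _covers(rules["readwrite"], dirname) or _covers(rules["readonly"], dirname)
    return True


def can_write(rules: dict, dirname: str) -> bool:
    """put is refused in read-only directories; once a readwrite: line exists,
    writes are limited to readwrite: and writeonly: directories."""
    if _covers(rules["readonly"], dirname):
        return False
    if rules["readwrite"]:
        return _covers(rules["readwrite"], dirname) or _covers(rules["writeonly"], dirname)
    return True


# Constructed sample: a strict policy with an explicit readwrite: line.
STRICT = """\
allow: 192.0.2.10, ftpclient.example.com
readwrite: /home/transfer/exchange
readonly: /home/transfer/docs
writeonly: /home/transfer/dropbox
herald: Authorized use only
this line has no keyword and is ignored
"""

# Constructed sample without readwrite: everything not listed stays open.
LOOSE = """\
deny: 198.51.100.7
readonly: /home/transfer/docs
"""


def describe(text: str, host: str, dirname: str) -> str:
    """One-line summary of what a client from host may do in dirname."""
    rules = parse_ftpaccess(text)
    if not host_allowed(rules, host):
        return f"{host}: refused"
    return (f"{host} in {dirname}: get={'yes' if can_read(rules, dirname) else 'no'} "
            f"put={'yes' if can_write(rules, dirname) else 'no'}")


if __name__ == "__main__":
    for d in ("/home/transfer/exchange", "/home/transfer/docs",
              "/home/transfer/dropbox/in", "/tmp"):
        print(describe(STRICT, "192.0.2.10", d))
    print(describe(STRICT, "198.51.100.7", "/tmp"))
    print(describe(LOOSE, "192.0.2.10", "/tmp"))
```

Running it shows the point of the readwrite: line: under STRICT, /tmp is neither readable nor writable because it is not listed anywhere, while under LOOSE the same directory is fully open because no readwrite: line was given.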

Although we found that we could control users with this method, we were looking to do more, so we researched vsftpd and were able to install packages from Perzl.org. (I wrote about installing packages from Perzl.org earlier this year.)

From this page we found that vsftpd “supports standard FTP and secure FTPS protocols. Built-in mechanisms allow implicit and explicit modes of FTPS. Security is achieved by using an external SSL library, which simplifies the source code of the server. An unusual feature is the ability to force anonymous connections through SSL encryption, thus increasing the overall security of anonymous file transfers. SSLv1, SSLv2 and TLS protocols are provided. Optionally, validation of client certificates can be configured. The access of users can be controlled by deny and enable lists. The server can be configured to generate detailed activity logs – the log format may be verbose or compatible with the wu-ftpd format.”

In our case we edited the configuration file as follows:

            # no anonymous logins; only local system accounts may connect
            anonymous_enable=NO
            local_enable=YES
            # vsftpd does not strip quotes from values, so this banner is shown with them
            ftpd_banner="FTP Access"
            # directory users are placed in after login; it is only a starting point
            # unless chroot_local_user=YES is also set to confine them there
            local_root=/tmp/transferfiles
            write_enable=YES
            # must exist, be empty and not be writable by the ftp user
            secure_chroot_dir=/home/jail
            idle_session_timeout=3600
            # uploads get file_open_mode masked by local_umask: 0777 & ~022 = 0755
            file_open_mode=0777
            local_umask=022

This provided the functionality we were looking for.
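Two things in that configuration are worth checking rather than assuming: local_root on its own only sets the starting directory, and the mode uploaded files actually receive is file_open_mode with local_umask cleared. The script below is an added example (not the customer's configuration tooling and not vsftpd's code) that reads a vsftpd.conf, fills in the vsftpd.conf(5) defaults for the handful of options it cares about, and reports both. The configuration from the post is embedded as constructed input next to a tightened variant; the default values and the upload-mode rule are taken from the vsftpd manual page.

```python
"""Sanity check for the confinement-related settings of a vsftpd.conf.

Added example, not vsftpd's own code. Defaults below are those documented in
vsftpd.conf(5) for the options this check reads.
"""
DEFAULTS = {
    "local_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "file_open_mode": "0666",
    "local_umask": "077",
    "local_root": "",
}


def parse_vsftpd_conf(text: str) -> dict:
    """One option=value per line; '#' lines and blank lines are skipped.
    vsftpd itself expects exactly option=value (no spaces around '=') and
    does not strip quotes or trailing comments from a value."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def effective_upload_mode(opts: dict) -> int:
    """Files created by put get file_open_mode with the local_umask bits cleared."""
    mode = int(opts["file_open_mode"], 8)
    umask = int(opts["local_umask"], 8)
    return mode & ~umask & 0o777


def review(opts: dict) -> list:
    """Findings a reviewer would raise, as plain strings (empty list = nothing found)."""
    findings = []
    if opts["local_enable"] == "YES" and opts["chroot_local_user"] != "YES":
        findings.append(
            "chroot_local_user is not YES: local_root is only the starting "
            "directory, users can cd out of it")
    if opts["write_enable"] == "YES":
        mode = effective_upload_mode(opts)
        if mode & 0o002:
            findings.append(f"uploads are world-writable (mode {mode:04o})")
        if mode & 0o111:
            findings.append(f"uploads are created executable (mode {mode:04o})")
    return findings


# The configuration from the post, embedded here as constructed input.
POSTED = """\
anonymous_enable=NO
local_enable=YES
ftpd_banner="FTP Access"
local_root=/tmp/transferfiles
write_enable=YES
secure_chroot_dir=/home/jail
idle_session_timeout=3600
file_open_mode=0777
local_umask=022
"""

# Same settings with local users jailed and uploads created non-executable.
HARDENED = (POSTED.replace("file_open_mode=0777", "file_open_mode=0666")
            + "chroot_local_user=YES\n")

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("hardened", HARDENED)):
        opts = parse_vsftpd_conf(text)
        print(f"{label}: upload mode {effective_upload_mode(opts):04o}")
        for finding in review(opts):
            print("  -", finding)
```

For the posted configuration the check reports an upload mode of 0755 (so files arrive executable) and that local users are not jailed; the hardened variant reports 0644 and nothing else.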

Finally, some recent conversation from @rmcnelly on Twitter:

Chris Gibson @cgibbo New VIOS tunables with v2.2.2.2.
https://www.ibm.com/developerworks/community/blogs/cgaix/entry/new_vios_tunables_with_v2_2_2_2?lang=en … #VIOS #AIX #PowerVM

Rob McNelly @robmcnelly 21 Sep
Is string theory right? Is it just fantasy? Out of touch with reality?
http://www.youtube.com/watch?v=2rjbtsX7twc

Nigel Griffiths @mr_nmon 19 Sep
FAQ4: Hostnames short or long? The answer is long and mandatory and don’t use underscore either. See AIXpertBlog
https://www.ibm.com/developerworks/community/blogs/aixpert/entry/faq4_hostnames_short_or_long?lang=en

Chris Gibson @cgibbo 18 Sep
What’s next from #Powersystems? Join us on October 8th to find out! http://www.ibm.com/smarter-computing/us/en/readynow/webcast.html …

Nigel Griffiths @mr_nmon 18 Sep
Enterprise2013 = Power Technical Uni Orlando Oct21-25 New products will be explained SSP4, PowerXX & Power## http://www-03.ibm.com/systems/enterprise/ … CU there

Jay Kruemcke @chromeaix 13 Sep
Oracle ASM and IBM #FlashSystem best practices http://ow.ly/oQeDk

Nigel Griffiths @mr_nmon 17 Sep
IBM pledges $1Billion for #Linux & specifically for Linux on POWER see Wall Street Journal blog
http://blogs.wsj.com/digits/2013/09/16/ibm-again-pledges-1-billion-to-a-linux-effort/ … PowerSystems #POWER7

Rob McNelly @robmcnelly 13 Sep
You can get an #IBM badge if you hang around the offices long enough: http://imgur.com/uywR5QB