June 5, 2000
Deploying an FTP Server
While FTP servers are less prevalent on today's web-browser-driven Internet, they are still the primary method of distributing very large files and maintaining large stores of files. This section will demonstrate how to deploy an effective anonymous FTP server which modern web browsers will be able to access directly. As we said right at the beginning of the chapter, we will be installing the server developed by Washington University, WU-FTP, which can be downloaded from http://www.wu-ftpd.org. For more information on WU-FTP, see http://www.landfield.com/wu-ftpd/.
Installing WU-FTP
To install WU-FTP, you will need to carry out the following procedure:
1. Download WU-FTP and extract it to /usr/local.
2. Type ./build CC=gcc lnx. Note that to build the ftpd daemon, you might have to install the byacc utility first, which contains the yacc parser.
3. Type ./build install.
4. We need to tell Linux to use WU-FTP for FTP requests by editing /etc/inetd.conf. Look for a line beginning ftp, and make sure it is uncommented. Then edit it to look like this:
ftp stream tcp nowait root /usr/local/wu-ftpd ftpd -laio
5. Type ps -uax | grep inetd, which will produce a listing of the system processes with the word inetd in the title. You should get output like this:
root 354 0.0 0.4 1252 528 ? S Oct21 0:00 inetd
root 19048 0.0 0.3 1152 440 pts/2 S 19:31 0:00 grep inetd
The first of the two lines is the one of importance to us (the second is merely the search we have just carried out). The listing provides us with the process ID (PID), which is the number in the second column: 354 in the above case.
6. Restart inetd by typing kill -HUP PID, where PID is the process ID found in step 5.
The latest download of WU-FTP comes with a configure script. It can be installed, from the wu-ftp-version directory, using the ./configure, make, make install sequence of commands as in the other installations in this chapter.
There we have it! The Washington University File Transfer Protocol daemon is installed and ready for action. We can check the installation by typing ftp www.trampolining.net, or whatever your hostname/IP address is. You should be presented with a login prompt, and you will be able to log in using a standard Linux user account and password set up on your system:
connected to www.trampolining.net.
220 www.trampolining.net FTP server (Version wu-2.6.0(1) Fri Nov 12 11:43:54 GMT 1999) ready.
Name (www.trampolining.net:none):
Note that this banner reveals the exact server version to anyone who connects, so keep the server patched.
Configuring WU-FTP
To provide access to the general public we need to allow anonymous access. Before doing this, we need to create a safe directory for anonymous users, which will appear to them as the root of the FTP server. This prevents anonymous users browsing around your machine to obtain private information. We also need to create a user account for anonymous FTP users to use.
Creating an FTP directory
We will create our FTP directory in /home/ and adopt a traditional directory structure:
mkdir /home/ftp
mkdir /home/ftp/bin
mkdir /home/ftp/etc
mkdir /home/ftp/pub
The
first, /home/ftp, will be the root directory of our anonymous FTP
server. /home/ftp/bin will contain links to commands we want to
allow FTP users to use, in particular ls (to list the contents of a
directory) and cd (to change directory). /home/ftp/etc is present to hold a password file if necessary and
/home/ftp/pub/ is the public directory which contains the
files we are making available.
All directories and files within this structure should be owned by root, and none of them should have Group or All write permissions. This will prevent users editing any of the files: by editing the contents of /home/ftp/bin/, a user could execute any code on your machine. All the directories should have All read and execute permissions, to allow users to enter the directory (execute permission) and read the contents (read permission). Finally, all the files contained should have All and Group read permissions only; this will allow users to download files, but not change or execute them on your server.
You may need to create yet another directory, /home/ftp/incoming. This directory is special in that it is available for users to upload files to. For this reason, it must have Group and All write permissions but not Group and All read permissions, which will prevent users viewing the contents of this directory. While this is the standard way to implement two-way FTP access, it does pose a security risk: users could potentially upload illegal files and use your server to store them. It is a serious policy decision whether or not to provide this service; if you do, be sure to set a umask to prevent uploaded scripts being executed. A slightly more secure system involves removing All write permissions from this directory too, then creating subdirectories with full read, write and execute permissions; these can then be accessed by 'trusted users'. Anyone you have not told the location of these folders to should be unable to find them, since /home/ftp/incoming cannot be listed: there are no read permissions for All.
To summarize, this is how I suggest that you set the access permissions for your FTP site:
drwxr-xr-x root root bin/
drwxr-xr-x root root etc/
drwx--x--x root root incoming/
drwxrwxrwx root root incoming/secret
drwxr-xr-x root root pub/
-rwxr--r-- root root pub/any.file
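As an added example (not from the book), the following POSIX sh function audits an anonymous FTP tree against the permission policy just described: root ownership everywhere, no Group or All write bits outside incoming/, download-only files under pub/, and an incoming/ that All cannot list. The function name and the optional second argument (the expected owner, defaulting to root, so the check can also be run against a test tree) are my own.

```sh
#!/bin/sh
# Added example, not from the book. Usage: audit_ftp_tree /home/ftp [expected_owner]
# Prints one line per violation and returns the number of violations (0 = clean).
audit_ftp_tree() {
    root="$1"
    owner="${2:-root}"          # everything under the tree must belong to root
    upload="$root/incoming"     # the only subtree where write bits are tolerated

    out=$(
        # 1. anything not owned by the expected owner
        find "$root" ! -user "$owner" | sed 's/^/wrong owner: /'
        # 2. group- or world-writable entries outside incoming/: a writable bin/
        #    would let an anonymous user replace the commands the server runs
        find "$root" \( -path "$upload" -o -path "$upload/*" \) -prune -o \
             \( -perm -020 -o -perm -002 \) -print | sed 's/^/writable: /'
        # 3. regular files under pub/ must be download-only for Group and All
        [ -d "$root/pub" ] && find "$root/pub" -type f \
             \( -perm -010 -o -perm -001 \) | sed 's/^/executable: /'
        # 4. incoming/ must not be listable by All (8th char of ls -ld is "other read")
        if [ -d "$upload" ] && [ "$(ls -ld "$upload" | cut -c8)" = "r" ]; then
            echo "listable by All: $upload"
        fi
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    n=$(printf '%s\n' "$out" | wc -l)
    return $((n))
}
```

Run it after setting the permissions above, and again after every upload you move into pub/, since a stray write or execute bit is easy to miss in a long listing.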
Configuring Linux for WU-FTP
The most important change is to modify the main Linux /etc/passwd file to ensure the anonymous FTP user is limited to /home/ftp/pub. Open the file for editing; you should see a listing like this:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
gdm:x:42:42::/home/gdm:/bin/bash
xfs:x:100:233:X Font Server:/etc/X11/fs:/bin/false
username:x:500:500::/home/username:/bin/bash
If no FTP user exists, use the root command adduser to add ftp. The important line begins with ftp, and contains the settings for the FTP user. Note there is no entry after the final colon. This ensures no command shell is made available to the FTP user. To force /home/ftp/ to be treated as the root directory, we edit this line slightly, adding a period (.) where we want the user to be rooted. The final /pub ensures they are initially placed in that directory:
ftp:x:14:50:FTP User:/home/ftp/./pub:
nobody:x:99:99:Nobody:/:
gdm:x:42:42::/home/gdm:/bin/bash
xfs:x:100:233:X Font Server:/etc/X11/fs:/bin/false
username:x:500:500::/home/username:/bin/bash
Finally, we need to create a set of configuration files for WU-FTP in /etc. Luckily there is no need to create them by hand, as WU-FTP distributes a default set with the program, which will prove fine for our anonymous server. We will copy these default files to /etc:
# cd /usr/local/wu-ftpd
# cp ftpaccess ftpusers ftpconversions ftpgroups ftphosts /etc
We can add an extra security touch. In /home/ftp/ type:
# touch .rhosts .forward
# chown root .rhosts .forward
# chmod 400 .rhosts .forward
These empty, root-owned, unreadable files stop anyone from supplying a .rhosts or .forward file of their own for the ftp account.
There are some final modifications which are not strictly necessary but make anonymous access that little bit easier. Hard linking /home/ftp/bin/ls to /bin/ls will allow clients to list directories through FTP. Use a hard link rather than a symbolic link: a symbolic link to /bin/ls cannot be followed from inside the chroot, and a hard link requires /home/ftp and /bin to be on the same filesystem (otherwise copy the binary). Make sure that the owner is root and that it has owner, group and all execute permissions only. Copying /etc/passwd and /etc/netconfig into /home/ftp/etc/ will allow the server to replace the user and group IDs of each file and folder with their corresponding names. However, these files contain far too much sensitive information and need editing: only groups and users owning files within the FTP directory should be left in, and password information should be left out, so there should just be an x after the user name, not a random string of characters. Anonymous access should now be available.
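As an added example (not from the book), this POSIX sh function produces the trimmed copy of the password file for /home/ftp/etc described above: it keeps only the accounts that own something under the FTP root and replaces the password field of every surviving line with x. The function name is my own; it takes the source password file and the FTP root as arguments.

```sh
#!/bin/sh
# Added example, not from the book. Usage: ftp_passwd_subset /etc/passwd /home/ftp
# Prints the lines to place in /home/ftp/etc/passwd: only users that own a file or
# directory under the FTP root, and never a password hash (field 2 becomes "x").
ftp_passwd_subset() {
    passwd="$1"
    root="$2"
    # Distinct owner names of everything in the tree (column 3 of ls -ld). This is
    # all the daemon needs: names instead of numeric UIDs in directory listings.
    owners=$(find "$root" -exec ls -ld {} + | awk '{ print $3 }' | sort -u)
    printf '%s\n' "$owners" | awk -F: -v OFS=: '
        NR == FNR { keep[$1] = 1; next }   # first input (stdin): owner names
        ($1 in keep) { $2 = "x"; print }   # second input: the real passwd file
    ' - "$passwd"
}
```

Redirect the output to /home/ftp/etc/passwd and give it the same root-owned, read-only permissions as the rest of the tree.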
Making your Servers Persistent
In the event that your Linux machine crashes or loses power, the priority is to get the machine serving requests as quickly as possible. This is made much easier if the system has been designed to recover from a crash: if the services start themselves on boot up, it can save a great deal of time trying to remember what needs to be started!
There are two main services that need special attention in order to enable autostart. First, we need to make sure the network is ready for requests. The ifconfig utility must be configured for each virtual host. We can make this automatic by editing /etc/rc.d/rc.local, or the equivalent file for your Linux distribution. At the end of this file we append all the commands we used originally when we set up the virtual hosts:
# setting up IP masquerading for virtual hosts
echo "setting up IP masquerading for virtual hosts"
ifconfig eth0:0 123.123.123.123
route add -host 123.123.123.123
The other service we need to start is the Apache web server. Again we will start this by appending the setup command to a boot file. Editing the boot script of the machine is a simple way to do this. You could create a startup script in init.d (called apache) and link to it from S20apache in rc2.d. A sample file follows:
#!/bin/bash
# A startup and shutdown script for Apache
case "$1" in
start)
    # Starts Apache Server
    echo -n "Starting Apache Web Server"
    /usr/local/apache/bin/apachectl start
    ;;
stop)
    # Stops Apache Server
    echo -n "Stopping Apache Web Server"
    /usr/local/apache/bin/apachectl stop
    ;;
restart)
    # Restarts Apache gracefully, after serving current requests
    echo -n "Restarting Apache after serving current web requests"
    /usr/local/apache/bin/apachectl graceful
    ;;
*)
    # Incorrect parameter
    echo "Usage: $0 start | stop | restart"
    exit 1
    ;;
esac
exit 0
You can create the symbolic link by changing directory to rc<n>.d (where <n> is your runlevel, usually 3, but you might also want to create one in rc5.d if you use a graphical login). Create the link by entering ln -s /etc/rc.d/init.d/apache /etc/rc.d/rc3.d/S20apache.
Summary
In this chapter you have learned how to install the highly popular Apache web server, configure it to meet your requirements and set up virtual hosts. You were shown how to install and configure the ApacheJServ servlet engine as well as how to modify your Apache configuration to make use of SSI and CGI. Other newer, powerful technologies such as mod_perl and JSP were also briefly discussed. You were also instructed in the setting up and configuration of one of the main open source FTP applications, WU-FTP.
In addition to setting up the servers, this chapter also covered an important administrative task, namely the analysis of the server log files, with some discussion on manual analysis using command line tools and automatic analysis using the free Analog tool. Finally you learnt some tips on server persistence: by making minor alterations to system files you can restart Apache on reboot and have it ready to receive requests.
For a discussion on the advanced configuration of Apache, and for other
information on Apache itself, ApacheJServ and JSP, see Professional Apache.
References
Web
The Apache home page: http://www.apache.org/
Security bulletins for Internet services: http://www.cert.org
Java Servlets page: http://java.apache.org
WU-FTP's web site: http://www.wu-ftpd.org
More information on WU-FTP: http://www.landfield.com/wu-ftpd/
Analog logfile analyzer site: http://www.statslab.cam.ac.uk/~sret1/analog/
Jakarta development site: http://jakarta.apache.org
HOWTOs
Details on how to set up web servers and clients: WWW-HOWTO
How to set up a multi-purpose web server: Apache SSL PHP/FI frontpage mini-HOWTO
Books
Peter Wainwright, Professional Apache, Wrox Press, ISBN 1861003021
Danny Ayers et al., Professional Java Server Programming, Wrox Press, ISBN 1861002777
©1998 Wrox Press Limited, US and UK.