From: Margaret_Greaney [mgreaney@fsgi02.FNAL.GOV]
Sent: Monday, November 22, 1999 4:53 PM
To: crawdad@fnal.gov
Cc: dane@fnal.gov; lisa@fnal.gov; kschu@fnal.gov; kaletka@fnal.gov; mgreaney@fsgi02.FNAL.GOV
Subject: you asked for notes on how fnppd anon was set up

Notes on set up of anonymous ftp service on fnppd
11/22/99
M. Greaney

Fnppd is an Origin 2000, running O.S. IRIX 6.5.4m.

1. Define users' requests for the features of the service.
2. Obtain wu_ftpd, extra disks.
3. Review the documentation on how to set up the service.
4. Configure wu_ftpd and test it.
5. Notify users of changes to ftp service.
6. Other changes

1. Users wanted a writeable dropoff area as a feature of the anonymous ftp on fnppd, and for this purpose the use of extra disks was allocated. One disk was to be set up as the incoming/dropoff area, and the other for the /pub area. Dane Skow provided the general scheme for setting up permissions for the anonymous ftp service and for users on the fnppd side. Dane also provided the pointer to a program called blockdays. This program, written by Randy Herber, allows for the automatic removal or cleanup of the files in the dropoff or pub areas.

2. Marc Mengel recommended the wuftpd daemon for the ftp service. This was available via upd install and was currently at version v2_6_0 in KITS on fnkits.fnal.gov. Marc indicated he kept the compiled version at current patch levels. The EPP group allocated two 18-GB disks for the pub and dropoff areas.

3. The web pages for setting up a secure ftp were reviewed. These were found at:

    ftp.cert.org/pub/tech_tips/anonymous_ftp_config
    www.cetis.hvu.nl/~koos/wu-ftpd.faq.html

Also reviewed was Chapter 7 in "Actually Useful Internet Security Techniques" by Larry Hughes, Jr., which also recommends wuftpd as an ftp service daemon. Other web pages were reviewed, but the ones above were used.
An entry in /etc/passwd was created for the ftp login such that no one else was using the UID:GID and that there was no login shell:

    ftp:*:30000:30000:Anonymous FTP:/exports/home/ftp:/usr/local/bin/nosuchshell/

The installation notes for wu_ftpd were in wu_ftpd/v2_6_0/src. All of the README files in that directory were reviewed.

4. It was unnecessary to compile wu_ftpd, because it was a ups product, but some configuration was needed. The /etc/inetd.conf and /etc/ftpd/ftpaccess files were edited.

Sample of /etc/inetd.conf:

    # comment out the old ftp service
    #ftp stream tcp nowait root /usr/etc/tcpd ftpd -l
    # newer ftpd product...
    ftp stream tcp nowait root /fnal/ups/prd/wu_ftpd/v2_6_0/IRIX-6/sbin/in.ftpd in.ftpd -v -a

Then a hangup signal was sent to the inetd process so that it re-reads the file:

    ps -ef | grep inetd
    kill -HUP <PID of inetd>

The install of wu_ftpd put files in /etc/ftpd. The file to edit was ftpaccess. Here is an example of /etc/ftpd/ftpaccess:

    #----------------------------------------------------------------
    # This file came from fnkits.fnal.gov and was modified 11-5-99
    #
    class local real,anonymous *.fnal.gov
    #
    # --------------------------------
    limit local 100 Any
    # --------------------------
    chmod no anonymous
    delete no anonymous
    overwrite no anonymous
    rename no anonymous
    umask no anonymous
    #outsiders
    chmod no class=remote
    umask no class=remote
    # anybody can do tar and compression
    compress yes *
    tar yes *
    upload /exports/home/ftp * no
    #upload /exports/home/ftp /incoming/dropoff yes anonymous ftpgrp 0440 nodirs
    upload /exports/home/ftp /incoming/dropoff yes anonymous ftpgrp 0404 nodirs
    upload /exports/home/ftp /pub no ftpgrp 0440 nodirs
    # this prevents downloads on incoming
    noretrieve /exports/home/ftp/incoming/dropoff
    # private yes
    passive port * 2000 3000
    autogroup upd local
    autogroup upd gupd
    autogroup upd registeredhost
    message /etc/welcome.msg login
    # ------------------------
    class remote real,anonymous *
    log commands anonymous,real
    log transfers anonymous,real inbound,outbound
    #________________________________________________________

Matt Crawford provided a suggestion and the configuration for an ftpgrp, which helped circumvent the problem of adding a long list of users' login names to /etc/group. Also some permissions were changed on the directories so that users could list the contents of the dropoff area.

A group named ftpgrp was created in /etc/group. The ftp login was added as the only member:

    ftpgrp:*:30001:ftp

(The incoming/dropoff and pub areas were mounted with the same permissions as listed below. Entries were made for them in /etc/fstab.)

The following list indicates the permissions and ownerships on the files in the ftp area:

    drwxrwxrwx  2 root  sys     30 Nov 22 14:05 pub
    drwx--xr-x  3 root  ftpgrp  25 Nov  5 16:16 incoming
    d--x--x--x  3 root  sys    128 Nov  5 09:46 etc
    dr-xr-xr-x  2 root  sys     22 Oct 28 15:41 dev
    dr-xr-xr-x  2 root  sys     39 Oct 28 15:40 lib
    d--x--x--x  2 root  sys     20 Oct 28 15:40 bin
    d--x--x--x  2 root  sys      9 Oct 28 15:19 usr

    ftp/pub:
    total 8
    -rw-r--r--  1 guest guest   1998 Nov 22 13:56 testcopy

    ftp/incoming:
    total 0
    drwx-wxrwx  2 root  ftpgrp    91 Nov 22 13:49 dropoff

    ftp/incoming/dropoff:
    total 32
    -r--r--r--  1 root  ftpgrp  1993 Nov 22 13:21 testdcc

    ftp/etc:
    total 48
    -r--r--r--  1 root  sys      186 Nov 11 10:18 passwd
    -r--r--r--  1 root  sys     1532 Nov 11 09:19 welcome.msg
    -r--r--r--  1 root  sys      911 Nov  5 09:46 nsswitch.conf
    -r--r--r--  1 root  sys      463 Nov  5 09:45 TIMEZONE
    -r--r--r--  1 root  sys      636 Nov  5 09:44 protocols
    drwxr-xr-x  2 root  sys       27 Nov  2 17:10 ftpd
    -r--r--r--  1 root  sys       22 Oct 28 16:06 group

    ftp/etc/ftpd:
    total 8
    -rw-r--r--  1 root  sys     1584 Oct 28 17:49 ftpaccess

    ftp/dev:
    total 0
    cr--r--r--  1 root  sys    37,  0 Oct 28 15:41 zero

    ftp/lib:
    total 5384
    -rwxr-xr-x  1 root  sys   482868 Oct 28 15:40 rld
    -r-xr-xr-t  1 root  sys  2270300 Oct 28 15:40 libc.so.1

    ftp/bin:
    total 64
    ---x--x--x  1 root  sys    31888 Oct 28 15:40 ls

    ftp/usr:
    total 0

The directions in the wu_ftp README pages were followed to set up the files under ~ftp in etc, dev, lib, bin and usr.
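The ftpaccess controls above form a small policy: anonymous users may add files to the dropoff but may not change, remove or fetch anything, uploads are denied everywhere else, and anonymous activity is logged. The script below is an added example, not part of the original message or of wu_ftpd; it checks a ftpaccess file for exactly those directives. The sample file it writes is constructed from the lines quoted above, and the path /exports/home/ftp is taken from them.

```sh
#!/bin/sh
# Policy check for a wu-ftpd ftpaccess file (added example; the sample
# file is constructed from the directives quoted in the notes).

SAMPLE_FTPACCESS="${TMPDIR:-/tmp}/ftpaccess.sample.$$"
trap 'rm -f "$SAMPLE_FTPACCESS"' EXIT
cat > "$SAMPLE_FTPACCESS" <<'EOF'
# constructed sample mirroring the notes
class local real,anonymous *.fnal.gov
class remote real,anonymous *
limit local 100 Any
chmod no anonymous
delete no anonymous
overwrite no anonymous
rename no anonymous
umask no anonymous
upload /exports/home/ftp * no
#upload /exports/home/ftp /incoming/dropoff yes anonymous ftpgrp 0440 nodirs
upload /exports/home/ftp /incoming/dropoff yes anonymous ftpgrp 0404 nodirs
upload /exports/home/ftp /pub no ftpgrp 0440 nodirs
noretrieve /exports/home/ftp/incoming/dropoff
log commands anonymous,real
log transfers anonymous,real inbound,outbound
EOF

# active_lines FILE: the file with comments stripped and whitespace
# normalised, one directive per line.
active_lines() {
    sed 's/#.*//; s/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//; /^$/d' "$1"
}

# has_directive FILE 'directive text': true if that exact directive is active.
has_directive() {
    active_lines "$1" | grep -Fqx "$2"
}

# audit_ftpaccess FILE: print one MISSING line per control the dropoff
# policy needs; prints nothing when the file passes.
audit_ftpaccess() {
    file=$1
    # Anonymous users may add files but never alter or remove what is there.
    for op in chmod delete overwrite rename umask; do
        has_directive "$file" "$op no anonymous" || echo "MISSING: $op no anonymous"
    done
    # Uploads are denied everywhere unless a later line opens a directory.
    has_directive "$file" 'upload /exports/home/ftp * no' ||
        echo "MISSING: upload /exports/home/ftp * no"
    # Every directory that accepts uploads must also be noretrieve, so the
    # dropoff cannot be used to pass files between anonymous users.
    active_lines "$file" | awk '$1 == "upload" && $4 == "yes" { print $2 $3 }' |
    while read -r dir; do
        has_directive "$file" "noretrieve $dir" || echo "MISSING: noretrieve $dir"
    done
    # Commands and inbound transfers by anonymous users must be logged.
    active_lines "$file" | grep -q '^log commands .*anonymous' ||
        echo "MISSING: log commands anonymous"
    active_lines "$file" | grep -q '^log transfers .*anonymous.* inbound' ||
        echo "MISSING: log transfers anonymous inbound"
}

# ftpaccess_ok FILE: exit status 0 when the audit finds nothing.
ftpaccess_ok() {
    [ -z "$(audit_ftpaccess "$1")" ]
}

audit_ftpaccess "$SAMPLE_FTPACCESS"
ftpaccess_ok "$SAMPLE_FTPACCESS" && echo "$SAMPLE_FTPACCESS: dropoff policy satisfied"
```

Pointing audit_ftpaccess at the live /etc/ftpd/ftpaccess after each edit gives a quick regression check that none of the deny lines was lost; the noretrieve check is the one that matters most, since an upload directory without it turns the dropoff into an exchange point.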
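The directory modes in the listing carry the access split the notes describe: the ftp login's only group is ftpgrp, so the group bits govern anonymous users, while the "other" bits govern local logins. On incoming/dropoff (drwx-wxrwx) that means anonymous users can create files but not list the directory, and local users can list it. The script below is an added example, not part of the original message or of wu_ftpd; it rebuilds those modes in a scratch directory and audits them. Ownership is not reproduced, only mode bits. Note that it reports pub as world-writable as well as the dropoff, because the listing shows pub with mode drwxrwxrwx; in the setup above it is the "upload /exports/home/ftp /pub no" line, not the filesystem, that keeps anonymous uploads out of pub.

```sh
#!/bin/sh
# Mode-bit audit of the ~ftp tree (added example; the layout is taken from
# the ls -l listing in the notes, rebuilt under a scratch directory).

FTPROOT="${TMPDIR:-/tmp}/ftp-audit.$$"

# Directory modes from the listing: pub 777, incoming 715, dropoff 737, ...
LAYOUT="pub:777 incoming:715 incoming/dropoff:737 etc:111 etc/ftpd:755 dev:555 lib:555 bin:111 usr:111"

build_tree() {
    for spec in $LAYOUT; do mkdir -p "$FTPROOT/${spec%:*}"; done
    for spec in $LAYOUT; do chmod "${spec#*:}" "$FTPROOT/${spec%:*}"; done
}

# Restore owner access before removing the scratch tree (etc, bin and usr
# are --x--x--x and would otherwise be left behind by rm -rf).
cleanup() {
    for spec in $LAYOUT; do chmod 755 "$FTPROOT/${spec%:*}" 2>/dev/null; done
    rm -rf "$FTPROOT"
}
trap cleanup EXIT

# mode_of PATH: the ten-character mode field from ls -l, e.g. drwx-wxrwx.
mode_of() { ls -ld "$1" | cut -c1-10; }

# world_writable_dirs ROOT: directories under ROOT whose "other" write bit
# is set, printed relative to ROOT, one per line.
world_writable_dirs() {
    find "$1" -type d 2>/dev/null | while read -r d; do
        [ "$d" = "$1" ] && continue
        case $(mode_of "$d") in
            d???????w?) echo "${d#"$1"/}" ;;
        esac
    done | sort
}

# dropoff_is_blind DIR: group (the ftp login) may write and traverse but
# not read, so it cannot list uploads; "other" keeps read for local users.
dropoff_is_blind() {
    case $(mode_of "$1") in
        d???-wxr??) return 0 ;;
        *)          return 1 ;;
    esac
}

# executable_files DIR: regular files under DIR carrying any execute bit;
# nothing dropped off anonymously should ever be executable.
executable_files() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        case $(mode_of "$f") in
            *x*) echo "${f#"$1"/}" ;;
        esac
    done | sort
}

build_tree
echo "world-writable directories under ~ftp:"
world_writable_dirs "$FTPROOT"
if dropoff_is_blind "$FTPROOT/incoming/dropoff"; then
    echo "incoming/dropoff: ftp group can write but not list; local users can list"
fi
```

Run against the real ~ftp tree (as a user that can traverse it), the three functions give a one-minute check that a later chmod has not reopened the dropoff for listing or made an uploaded file executable.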
Because wu_ftpd is not wrapped by tcp_wrappers, a copy of the FERMILAB banner was put in etc/welcome.msg.

5. There is one major change in switching from regular ftp to wu_ftpd: users cannot log in with user/passwd but have to use anonymous and their e-mail address as the user/passwd combination. It is important to let users know that the ftp user cannot see the directory listing in ~ftp/incoming and has to know in advance where to put files. The permissions do allow users to do a directory listing from a regular login.

6. The cleanup program blockdays was obtained from Glen Cooper (gcooper@fnal.gov). The program was installed in /usr/local/admin/blockdays. A cron entry runs every half hour to clear out files so that there is always 35% free space. This program is adjustable and logs the files that are removed. Contact Randy Herber for support (herber@fnal.gov).

The security group was asked to do a security audit on the fnppd service and indicated that the service passed the audit.

If there is a problem and the service needs to be shut off quickly, log in as root, comment out the entry in /etc/inetd.conf and send a hangup signal (kill -HUP) to inetd. Also comment out the entry for the ftp account in /etc/passwd.
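The quick shut-off at the end of the notes is the kind of step worth rehearsing before it is needed. The script below is an added example, not part of the original message or of wu_ftpd; it performs the two file edits on constructed copies of /etc/inetd.conf and /etc/passwd built from the entries quoted above, keeps a .bak of each, and shows the inetd HUP step as a comment since no inetd is running in the rehearsal. The file paths are parameters, so the same functions can be pointed at the live files by root.

```sh
#!/bin/sh
# Emergency disable of the anonymous ftp service, rehearsed on copies
# (added example; the copies are constructed from the notes' entries).

WORK="${TMPDIR:-/tmp}/ftp-disable.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/inetd.conf" <<'EOF'
# constructed copy: old ftpd already commented out, wu_ftpd active
#ftp stream tcp nowait root /usr/etc/tcpd ftpd -l
ftp stream tcp nowait root /fnal/ups/prd/wu_ftpd/v2_6_0/IRIX-6/sbin/in.ftpd in.ftpd -v -a
telnet stream tcp nowait root /usr/etc/tcpd telnetd
EOF

cat > "$WORK/passwd" <<'EOF'
root:*:0:0:Super-User:/:/bin/sh
ftp:*:30000:30000:Anonymous FTP:/exports/home/ftp:/usr/local/bin/nosuchshell/
EOF

# comment_out FILE PATTERN: prefix every line beginning with PATTERN (a
# basic regex) with '#', keep the previous version as FILE.bak, and print
# how many lines were disabled. Lines already commented are left alone.
comment_out() {
    file=$1; pat=$2
    cp -p "$file" "$file.bak"
    sed "s/^\($pat\)/#\1/" "$file.bak" > "$file"
    grep -c "^$pat" "$file.bak" || true
}

# active_entries FILE PATTERN: number of uncommented lines starting with PATTERN.
active_entries() {
    grep -c "^$2" "$1" || true
}

# disable_anon_ftp INETD_CONF PASSWD: the steps from item 6 of the notes.
disable_anon_ftp() {
    inetd_conf=$1; passwd=$2
    n_inetd=$(comment_out "$inetd_conf" 'ftp[[:space:]]')
    n_passwd=$(comment_out "$passwd" 'ftp:')
    echo "disabled $n_inetd inetd.conf service line(s) and $n_passwd passwd entry(ies)"
    # On the live host, as root, inetd must then re-read its configuration.
    # Not executed here because there is no inetd in this rehearsal:
    #   kill -HUP "$(ps -ef | awk '/[i]netd/ { print $2 }')"
}

disable_anon_ftp "$WORK/inetd.conf" "$WORK/passwd"
echo "remaining active ftp lines: $(active_entries "$WORK/inetd.conf" 'ftp[[:space:]]')"
```

The .bak copies make the reverse operation trivial once the problem is understood, and active_entries is the check to run afterwards to confirm that only the ftp lines changed.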