Next Previous Contents


Config options for the bftpd configuration file


Below are a list of options reconized by the bftpd server. These options and their values may be stored in the bftpd configureation file. This file is named /etc/bftpd.conf by default. Please note that all values must be given between quotation marks. For example, the following is correct:

PORT="21"

However, this is not correct:

PORT=21

Please also note that options should always be in UPPER CASE.


There are two main parts to the bftpd.conf file. The first is the global section. This lays out the default values which are used by the server. The second section is the users section. This should always be appended at the bottom of the bftpd.conf file. The users section provides over-ride values for specific users. For example, by default the bftpd.conf file sets DENY_LOGIN to "no", which allows all users to login. This value is set in the global section. However, also by default, DENY_LOGIN is turned on in the users section for the user root. This prevents someone from logging in to your bftpd server using the root account.


Now, without further delay, let's take a look at the options the bftpd server supports. These will be broken down by the name of the variable, a brief description and possible values.


Name: DENY_LOGIN

Description: This option instructs bftpd to either deny login attemps or to allow logins. It is recommended root access be restricted using this option.

Values:
"no" - allow login attempts
"yes" - prevent a user from logging in
"Reason for denying access." - Deny access to the server and tell the client why.


Name: PORT

Description: This is the port number where the server should listen for incoming connections. This is for daemon mode only.

Values:
"21" - default


Name: PASSIVE_PORTS

Description: You can force bftpd to use a specific port range in passive mode. Passive mode means that the client will open data connections and the server stays 'passive'. This option can be very useful with some firewall configurations. Seperate values with "," and define ranges with "-". bftpd will try to bind one of these ports in ascending order as you specify them here. If none of the given ports could be bound, the connection is is refused. If you want to bind any free port in that case, add "0" to the list.

Values:
"0" - (zero) default
"10000-20000" - use ports 10,000 to 20,000
"15000-20000, 25000-30000" - use ports 15,000 to 20,000 and 25,000 to 30,000.


Name: DATAPORT20

Description: If PORT data connections should be opened from port 20, say yes here. You will probably need this if your server is behind a firewall that restricts outgoing packets from ports higher than 1024. Note that this may be a security hole, as the server can not drop its root privileges completely if you say yes here.

Values:
"no" - default. This is recommended for security reasons.
"yes" - enable data port 20. Recommended for dealing with firewalls which restrict out-going connections above port 1024.


Name: ADMIN_PASS

Description: The password which will be used by the system administrator to monitor and manage the bftpd server. The admin interface is not finished and, at this time, the password should remain as "x".

Values:
"x" - default and recommended.


Name: INITIAL_CHROOT

Description: With this option, you can put your entire FTP environment into a chroot jail. Apart from security, this offers you the possibility of having virtual users that don't exist in the system. Additionally, you can make some kind of 'file pool' by creating a directory with files which you can symlink from the users' homes (this means setting DO_CHROOT=no in order for the users to be able to access that dir. Note that you need the following files in your initial chroot directory: /etc/passwd, /etc/shadow, /etc/group On GNU systems, you will also need the NSS libraries in /lib.

Values: This option is disabled by default. You should give an existing directory path if you wish to setup a traditional, secure ftp environment.


Name: PATH_BFTPDUTMP

Description: The bftpdutmp file allows you to record user logins and logouts. This is useful should you wish to restrict the number of users/computers logged in at the same time. Should you wish to run bftpd without these security features, you can set the path to an empty string.

Values:
"/var/run/bftpd/bftpdutmp" - default
"" - disable the log file.


Name: XFER_BUFSIZE

Description: This option controls the buffer size while transferring files. If you are on a very fast network (fast meaning 100 Mbit/s or more), you should set this to 64000 or something like that. Transferring from localhost to localhost, I had a transfer speed of approx. 15 MB/s with XFER_BUFSIZE=2048 and a speed of approx. 20 MB/s with XFER_BUFSIZE=64000. You should set smaller values for this if you have slow (dialup) clients. This option can also be used to (crudely) throttle back transfer speeds. Setting this to a very low value can slow transfer speeds.

Values:
"2048" - default


Name: XFER_DELAY

Description: This option allows you to add a delay (in microseconds) to the time between when one piece of data was sent and when the next will be sent. This is to aid in throttling bandwidth and applies to each client. The throttling effects the DATA transfers only (not control connections). A value of zero (0) means there is no added delay. A value of about 500000 (five hundred thousand) should delay for about half a second. These delays should be kept low to avoid triggering data transfer timeouts.

Values:
"0" - default (no delay)


Name: ALLOW_FXP

Description: When set to yes, this option makes the server allow data connections which don't go to the client who initiated them. This is needed for FXP. It is recommended this option be left disabled.

Values:
"no" - default (recommended)
"yes" - allow data connections which go to third party clients.


Name: CONTROL_TIMEOUT

Description: This option sets the amount of time a client may be connected without sending any control commands. The value is the number of seconds bftpd will wait for a command before dropping the connection.

Values:
"300" - default (wait five minutes)


Name: DATA_TIMEOUT

Description: This option sets the amount of time a client can be idle during a file transfer. The value is given in seconds. This option should usually be over ten, but below sixty. This allows for slow dial-up connections, without leaving stale connections too long.

Values:
"30" - default (wait thirty seconds)


Name: RATIO

Description: Use Ratio if you want the client to send a file before he can get a file. The format for this option is "upload/download". For example, "2/1" will allow the client to download 1MB of data if they first upload 2MB of data.

Values:
"none" - default. Do not restrict downloading.
"2/1" - allow 1MB download for every 2MB uploaded to the server.


Name: ROOTDIR

Description: ROOTDIR specifies the root directory of the client. It defaults to %h (the user's home directory). "%u" is replaced by the user name. This is handy if you have a set of sub-folders for bftpd to use. For example, /var/ftp/username/
This value should probably be set to some special value in the anonymous user's specific settings at the bottom of the config file.

Values:
"%h" - (default) login to the user's home directory.
"%u" - this symbol will be replaced by the client's username.


Name: UMASK

Description: Umask for the files or directories users create.

Values:
"022" - (default) New files are created with the permissions 755.


Name: LOGFILE

Description: This option gives the path of the file where bftpd will log general information. This includes files sent or received, login attempts and logouts. It is possible to use the system log by using the keyword "syslog" here.

Values:
"/var/log/bftpd.log" - default
"syslog" - send log data into system log.
"" - do not save log information to a file.


Name: HELLO_STRING

Description: This option tells bftpd what greeting to send clients when they first login to the server. You can use any string which fits on one line. Also, you can use three embedded symbols (%h, %i, %v) to provide extra information. The %h symbol will be replaced by the server's host name, %i is replaced by your IP address and %v will display bftpd's version number.

Note: If you use the "%h" option and you do an inital CHROOT, then you'll need to copy your /etc/hosts and /etc/host.conf files into the chroot jail.

Values:
"bftpd %v at %i ready." - default (Show version and server's IP address)
"Welcome to bftpd at %h" - display welcome message with server's name.


Name: AUTO_CHDIR

Description: This option tells the bftpd server in which directory it should start. The directory path is relative to any chroot jail.

Values:
"/" - (default) go to the root directory of the current environment.
"/ftp" - start in the ftp directory


Name: AUTH

Description: This option tells bftpd which type of password authentication to use. Currently PAM and standard passwords are availible.

Values:
"PASSWD" - (default) use basic password checking.
"PAM" - use PAM verification.


Name: FILE_AUTH

Description: This option, when set, tells bftpd to ignore the AUTH variable and use a plain text file to authenticate users. The value should point to a text file, readable to the bftpd server. See the values section for the file format. The bftpd server will search through the text file for names matching the client's username. If a match is found, the client's password is checked against the one in the local text file.
WARNING: This option should be used very carefully and only in situations where you wish to over-ride your regular system security!

Values:
The text file should contain the format shown here:
username password group home_directory

Where username and password must match those sent by the client. Otherwise login is refused. The group should be the user's regular group and home_directory is where the client will be chrooted. For example:
john secret users /home/john
jane mypassword users /home/jane/ftp


Name: RESOLVE_CLIENT_IP

Description: Enable this if you want the client's IP address to be resolved to a host name. Note that it increases the overhead and it may not work if your DNS is not configured correctly. Clients without a valid DNS name will take very long to connect.

Values:
"no" - default and recommended setting
"yes" - resolve client host names, when possible


Name: MOTD_GLOBAL

Description: This option tells bftpd where the "message of the day" file is stored. The content of this file (if it exists) is sent to the client before they login.

Values: "/etc/ftpmotd" - default


Name: MOTD_USER

Description: The path to a "message of the day" file. The content of this file (if it exists) is sent to the client after a valid login. This path is relative to the user's root directory.

Values:
"/.ftpmotd" - default


Name: RESOLVE_UIDS

Description: If this option is enabled, user and group names are shown in directory listings instead of plain user/group ID numbers. This may slow down large directory listings.

Values:
"yes" - (default) show user and group names.
"no" - show user and group numbers.


Name: DO_CHROOT

Description: When this option is enabled ("yes") the client can not access any directories outside of the chroot jail. Disabling this feature ("no") is considered a serious security hole.

Values:
"yes" - (default) recommended to contain the user to their home directory.
"no" - (not recommended) this will allow the client to access any directory on the server.


Name: LOG_WTMP

Description: Enable this to log each login to wtmp. This can be useful for checking security issues.

Values:
"yes" - (default) Send login information to wtmp.
"no" - Do not log to wtmp.


Name: BIND_TO_ADDR

Description: If you would like bftpd to bind itself to one specific network interface, enter its IP address here. You can use the value "any" to take the first availible network interface. This option works in daemon mode only.

Values:
"any" - (default) Take the first availible network device.
"your IP address here" - try to bind to a specific address.


Name: PATH_FTPUSERS

Description: This option gives bftpd the path to a file (ftpusers) which contains a list of users which may not login to the server. If you want anyone to be able to login, you can put a non-existant filename here.

Values:
"/etc/ftpusers" - default


Name: AUTH_ETCSHELLS

Description: Enable this if you want to deny any user who has a shell which is not in /etc/shells.

Values:
"no" - (default) allow any user to login
"yes" - Deny login attemps to users with a shell not found in /etc/shells


Name: ALLOWCOMMAND_

Description: With the option ALLOWCOMMAND_XXXX, you can disable the command XXXX. For example, if you don't want any user to delete files, you can do ALLOWCOMMAND_DELE="no" You can also disable it for specific users by writing the appropiate lines into the user structures at the bottom of the config file. Please see the Values section for some examples.

Values:
ALLOWCOMMAND_DELE="no" - prevent users from deleting or over-writing files
ALLOWCOMMAND_STOR="yes" - allow users to store files on the server
ALLOWCOMMAND_SITE="yes" - allow use of the site command
ALLOWCOMMAND_RETR="no" - prevent user from downloading files


Name: HIDE_GROUP

Description: Files that belong to these groups (comma-separated) are hidden in LIST/NLST. This can help with security on systems where bftpd may have access to system files.

Values:
"" - (empty string) default. This does not hide any files.
"root" - hides any files belonging to the group root.


Name: QUIT_MSG

Description: When the client sends the "quit" command, this message is sent back.

Values:
"See you later..." - default.
Any message can be placed here in quotes as long as it fits on one line in the config file.


Name: USERLIMIT_GLOBAL
Description: The number of users that can be logged in at the same time. If set to "0", an unlimited users will be able to connect. This is not recommended, as it makes DoS attacks possible, even if the clients are kicked after a short time.

Values:
"0" - (zero) default. This is not recommended.
On most small servers, the connection limit should probably be below twenty ("20") but above five ("5").


Name: USERLIMIT_SINGLEUSER

Description:
This variable controls how often one user can be logged in at one time. This allows you to have a big connection limit (see above) and nevertheless prevent single users from having a lot of connections.

Values:
"0" - (zero) default. Allow an unlimited number of connections from a user.


Name: USERLIMIT_HOST

Description: This variable controls how many users are allowed to connect from the same IP address. This prvents one user (or machine) from taking all of the avail connections. If you want to allow unlimited connections, leave this option as "0".

Values:
"0" - (zero) is the default, allowing unlimited connections from the same IP address.


Name: GZ_UPLOAD

Description: This option allows you to force files to be compressed on the fly during upload. A ".gz" extension will be given to the file. This should usually be turned off ("no"), but may be useful to servers with smaller storage space. To enable this option set the value to "yes".

To use this option, bftpd must be configured using
"./configure --enable-libz" before running "make".

Values:
"no" - default (recommended for most setups)
"yes" - Force files to be zipped during uploads to the server.


Name: GZ_DOWNLOAD

Description: This options allows you to force gzipped files to be decompressed on the fly during download. A file with the extension ".gz" will be decompressed as it is sent to the client. This option should usually be turned off ("no"), but may be usefull on servers with many compressed files. To enable this option, set the value to "yes".

To use this option, bftpd must be configured using
"./configure --enable-libz" before running "make".

Values:
"no" - default (recommended for most setups)
"yes" - Force files to be unzipped during downloads from the server.





Next Previous Contents