Next
Previous
Contents
Config options for the bftpd configuration file
Below are a list of options reconized by the bftpd server. These options
and their values may be stored in the bftpd configureation file. This
file is named /etc/bftpd.conf by default. Please note that all values
must be given between quotation marks. For example, the following is
correct:
PORT="21"
However, this is not correct:
PORT=21
Please also note that options should always be in UPPER CASE.
There are two main parts to the bftpd.conf file. The first is the
global section. This lays out the default values which are
used by the server. The second section is the users section. This
should always be appended at the bottom of the bftpd.conf file. The users
section provides over-ride values for specific users. For example, by default
the bftpd.conf file sets DENY_LOGIN to "no", which allows all users to login.
This value is set in the global section. However, also by default, DENY_LOGIN
is turned on in the users section for the user root. This prevents
someone from logging in to your bftpd server using the root account.
Now, without further delay, let's take a look at the options
the bftpd server supports. These will be broken down by the
name of the variable, a brief description and possible values.
Name: DENY_LOGIN
Description: This option instructs bftpd to either deny login
attemps or to allow logins. It is recommended root
access be restricted using this option.
Values:
"no" - allow login attempts
"yes" - prevent a user from logging in
"Reason for denying access." -
Deny access to the server and tell the client why.
Name: PORT
Description: This is the port number where the server should listen
for incoming connections. This is for daemon mode only.
Values:
"21" - default
Name: PASSIVE_PORTS
Description:
You can force bftpd to use a specific port range in passive mode.
Passive mode means that the client will open data connections
and the server stays 'passive'.
This option can be very useful with some firewall configurations.
Seperate values with "," and define ranges with "-".
bftpd will try to bind one of these ports in ascending order as
you specify them here.
If none of the given ports could be bound, the connection is
is refused. If you want to bind any free port in that case, add
"0" to the list.
Values:
"0" - (zero) default
"10000-20000" - use ports 10,000 to 20,000
"15000-20000, 25000-30000" - use ports 15,000 to 20,000 and 25,000 to 30,000.
Name: DATAPORT20
Description:
If PORT data connections should be opened from port 20, say yes here. You
will probably need this if your server is behind a firewall that restricts
outgoing packets from ports higher than 1024. Note that this may be a
security hole, as the server can not drop its root privileges completely
if you say yes here.
Values:
"no" - default. This is recommended for security reasons.
"yes" - enable data port 20. Recommended for dealing with firewalls which restrict
out-going connections above port 1024.
Name: ADMIN_PASS
Description: The password which will be used by the system administrator
to monitor and manage the bftpd server. The admin interface is not finished and,
at this time, the password should remain as "x".
Values:
"x" - default and recommended.
Name: INITIAL_CHROOT
Description:
With this option, you can put your entire FTP environment into a chroot
jail. Apart from security, this offers you the possibility of having
virtual users that don't exist in the system.
Additionally, you can make some kind of 'file pool' by creating a directory
with files which you can symlink from the users' homes (this means setting
DO_CHROOT=no in order for the users to be able to access that dir.
Note that you need the following files in your initial chroot directory:
/etc/passwd, /etc/shadow, /etc/group
On GNU systems, you will also need the NSS libraries in /lib.
Values:
This option is disabled by default. You should give an existing directory
path if you wish to setup a traditional, secure ftp environment.
Name: PATH_BFTPDUTMP
Description: The bftpdutmp file allows you to record user logins and
logouts. This is useful should you wish to restrict the number of users/computers
logged in at the same time. Should you wish to run bftpd without these security
features, you can set the path to an empty string.
Values:
"/var/run/bftpd/bftpdutmp" - default
"" - disable the log file.
Name: XFER_BUFSIZE
Description: This option controls the buffer size while transferring files.
If you are on a very fast network (fast meaning 100 Mbit/s or more),
you should set this to 64000 or something like that.
Transferring from localhost to localhost, I had a transfer speed of
approx. 15 MB/s with XFER_BUFSIZE=2048 and a speed of approx. 20 MB/s
with XFER_BUFSIZE=64000. You should set smaller values for this if you have
slow (dialup) clients.
This option can also be used to (crudely) throttle back
transfer speeds. Setting this to a very low value
can slow transfer speeds.
Values:
"2048" - default
Name: XFER_DELAY
Description:
This option allows you to add a delay (in microseconds) to
the time between when one piece of data was sent
and when the next will be sent. This is to aid in
throttling bandwidth and applies to each client. The
throttling effects the DATA transfers only (not control
connections).
A value of zero (0) means there is no added delay.
A value of about 500000 (five hundred thousand) should
delay for about half a second.
These delays should be kept low to avoid triggering
data transfer timeouts.
Values:
"0" - default (no delay)
Name: ALLOW_FXP
Description:
When set to yes, this option makes the server allow data connections which
don't go to the client who initiated them.
This is needed for FXP. It is recommended this option be left
disabled.
Values:
"no" - default (recommended)
"yes" - allow data connections which go to third party clients.
Name: CONTROL_TIMEOUT
Description: This option sets the amount of time a client may
be connected without sending any control commands. The value is
the number of seconds bftpd will wait for a command before dropping
the connection.
Values:
"300" - default (wait five minutes)
Name: DATA_TIMEOUT
Description: This option sets the amount of time a client
can be idle during a file transfer. The value is given in seconds.
This option should usually be over ten,
but below sixty. This allows for slow dial-up connections, without leaving
stale connections too long.
Values:
"30" - default (wait thirty seconds)
Name: RATIO
Description:
Use Ratio if you want the client to send a file before he can get a file.
The format for this option is "upload/download". For
example, "2/1" will allow the client to download 1MB of data if they
first upload 2MB of data.
Values:
"none" - default. Do not restrict downloading.
"2/1" - allow 1MB download for every 2MB uploaded to the server.
Name: ROOTDIR
Description:
ROOTDIR specifies the root directory of the client. It defaults to %h
(the user's home directory). "%u" is replaced by the user name. This
is handy if you have a set of sub-folders for bftpd to use. For example,
/var/ftp/username/
This value should probably be set to some special value in the
anonymous user's specific settings at the bottom of the config
file.
Values:
"%h" - (default) login to the user's home directory.
"%u" - this symbol will be replaced by the client's username.
Name: UMASK
Description:
Umask for the files or directories users create.
Values:
"022" - (default) New files are created with the permissions 755.
Name: LOGFILE
Description: This option gives the path of the file where
bftpd will log general information. This includes files sent or received,
login attempts and logouts. It is possible to use the system log by
using the keyword "syslog" here.
Values:
"/var/log/bftpd.log" - default
"syslog" - send log data into system log.
"" - do not save log information to a file.
Name: HELLO_STRING
Description:
This option tells bftpd what greeting to send clients when they
first login to the server. You can use any string which fits on one
line. Also, you can use three embedded symbols (%h, %i, %v) to
provide extra information. The %h symbol will be replaced by the
server's host name, %i is replaced by your IP address and %v
will display bftpd's version number.
Note: If you use the "%h" option and you do an inital CHROOT, then
you'll need to copy your /etc/hosts and /etc/host.conf files into
the chroot jail.
Values:
"bftpd %v at %i ready." - default (Show version and server's IP address)
"Welcome to bftpd at %h" - display welcome message with server's name.
Name: AUTO_CHDIR
Description: This option tells the bftpd server in which directory
it should start. The directory path is relative to any chroot jail.
Values:
"/" - (default) go to the root directory of the current environment.
"/ftp" - start in the ftp directory
Name: AUTH
Description: This option tells bftpd which type of password
authentication to use. Currently PAM and standard passwords are availible.
Values:
"PASSWD" - (default) use basic password checking.
"PAM" - use PAM verification.
Name: FILE_AUTH
Description: This option, when set, tells bftpd to ignore the AUTH
variable and use a plain text file to authenticate users. The value
should point to a text file, readable to the bftpd server. See the
values section for the file format. The bftpd server will search
through the text file for names matching the client's username. If
a match is found, the client's password is checked against the one in
the local text file.
WARNING: This option should be used very carefully and only in
situations where you wish to over-ride your regular system security!
Values:
The text file should contain the format shown here:
username password group home_directory
Where username and password must match those sent by the client. Otherwise
login is refused. The group should be the user's regular group and
home_directory is where the client will be chrooted. For example:
john secret users /home/john
jane mypassword users /home/jane/ftp
Name: RESOLVE_CLIENT_IP
Description:
Enable this if you want the client's IP address to be resolved to a host
name. Note that it increases the overhead and it may not work if your DNS
is not configured correctly. Clients without a valid DNS name will take very
long to connect.
Values:
"no" - default and recommended setting
"yes" - resolve client host names, when possible
Name: MOTD_GLOBAL
Description:
This option tells bftpd where the "message of the day" file
is stored. The content of this file (if it exists) is sent to the client
before they login.
Values:
"/etc/ftpmotd" - default
Name: MOTD_USER
Description: The path to a "message of the day" file. The content
of this file (if it exists) is sent to the client after a valid login. This
path is relative to the user's root directory.
Values:
"/.ftpmotd" - default
Name: RESOLVE_UIDS
Description: If this option is enabled, user and group names
are shown in directory listings instead of plain user/group ID numbers.
This may slow down large directory listings.
Values:
"yes" - (default) show user and group names.
"no" - show user and group numbers.
Name: DO_CHROOT
Description: When this option is enabled ("yes") the client can
not access any directories outside of the chroot jail. Disabling this
feature ("no") is considered a serious security hole.
Values:
"yes" - (default) recommended to contain the user to their home directory.
"no" - (not recommended) this will allow the client to access any directory on the server.
Name: LOG_WTMP
Description:
Enable this to log each login to wtmp. This
can be useful for checking security issues.
Values:
"yes" - (default) Send login information to wtmp.
"no" - Do not log to wtmp.
Name: BIND_TO_ADDR
Description:
If you would like bftpd to bind itself to one specific network interface,
enter its IP address here. You can use the value "any" to take the
first availible network interface. This option works in daemon mode
only.
Values:
"any" - (default) Take the first availible network device.
"your IP address here" - try to bind to a specific address.
Name: PATH_FTPUSERS
Description:
This option gives bftpd the path to a file (ftpusers) which
contains a list of users which may not login to the server.
If you want anyone to be able to login, you can put a non-existant
filename here.
Values:
"/etc/ftpusers" - default
Name: AUTH_ETCSHELLS
Description:
Enable this if you want to deny any user who has a shell which is not in
/etc/shells.
Values:
"no" - (default) allow any user to login
"yes" - Deny login attemps to users with a shell not found in /etc/shells
Name: ALLOWCOMMAND_
Description:
With the option ALLOWCOMMAND_XXXX, you can disable the command XXXX.
For example, if you don't want any user to delete files, you can do
ALLOWCOMMAND_DELE="no"
You can also disable it for specific users by writing the appropiate
lines into the user structures at the bottom of the config file.
Please see the Values section for some examples.
Values:
ALLOWCOMMAND_DELE="no" - prevent users from deleting or over-writing files
ALLOWCOMMAND_STOR="yes" - allow users to store files on the server
ALLOWCOMMAND_SITE="yes" - allow use of the site command
ALLOWCOMMAND_RETR="no" - prevent user from downloading files
Name: HIDE_GROUP
Description:
Files that belong to these groups (comma-separated) are hidden in LIST/NLST.
This can help with security on systems where bftpd may have access to system
files.
Values:
"" - (empty string) default. This does not hide any files.
"root" - hides any files belonging to the group root.
Name: QUIT_MSG
Description:
When the client sends the "quit" command, this message is sent back.
Values:
"See you later..." - default.
Any message can be placed here in quotes as long as it fits on one line in
the config file.
Name: USERLIMIT_GLOBAL
Description:
The number of users that can be logged in at the same time.
If set to "0", an unlimited users will be able to connect. This is not
recommended, as it makes DoS attacks possible, even if the clients are
kicked after a short time.
Values:
"0" - (zero) default. This is not recommended.
On most small servers, the connection limit should probably be below twenty ("20")
but above five ("5").
Name: USERLIMIT_SINGLEUSER
Description:
This variable controls how often one user can be logged in at one time.
This allows you to have a big connection limit (see above) and nevertheless
prevent single users from having a lot of connections.
Values:
"0" - (zero) default. Allow an unlimited number of connections from a user.
Name: USERLIMIT_HOST
Description:
This variable controls how many users are allowed to connect from the same IP
address. This prvents one user (or machine) from taking all of the avail
connections. If you want to allow unlimited connections, leave this option as "0".
Values:
"0" - (zero) is the default, allowing unlimited connections from the same IP address.
Name: GZ_UPLOAD
Description:
This option allows you to force files to be compressed
on the fly during upload. A ".gz" extension will be given
to the file. This should usually be turned off ("no"), but
may be useful to servers with smaller storage space.
To enable this option set the value to "yes".
To use this option, bftpd must be configured using
"./configure --enable-libz" before running "make".
Values:
"no" - default (recommended for most setups)
"yes" - Force files to be zipped during uploads to the server.
Name: GZ_DOWNLOAD
Description:
This options allows you to force gzipped files to
be decompressed on the fly during download. A file
with the extension ".gz" will be decompressed as it
is sent to the client. This option should usually be
turned off ("no"), but may be usefull on servers with
many compressed files. To enable this option, set the
value to "yes".
To use this option, bftpd must be configured using
"./configure --enable-libz" before running "make".
Values:
"no" - default (recommended for most setups)
"yes" - Force files to be unzipped during downloads from the server.
Next
Previous
Contents