libwrap (TCP Wrappers) wu-ftpd patch
Price: $0 (GPL License) THIS SOFTWARE HAS NO WARRANTY.
USE AT YOUR OWN RISK.
Current Version: 0.9
Date Modified: July 5, 2000
Overview
This is a patch to the Un*x wu-ftpd FTP server (available from http://www.wuftpd.org/)
to support the use of libwrap (TCP Wrappers) when the server is run in standalone daemon
mode via the -S switch.
This gives you the ability to control access in the same /etc/hosts.deny
and /etc/hosts.allow files you use when running wu-ftpd (or any other service)
from inetd. With this patch you may deny access to hosts, and the connection
is dropped right after it is made (immediately after the accept() call). The
check is performed in the child process, so the main server process is not
slowed down.
There is also an initscript provided for starting and stopping the ftp server
in standalone mode.
Details
TCP Wrappers (or libwrap) provide a way to control access to services on
a host. Traditional TCP Wrappers are called from inetd and used to protect
services started from inetd. When the wu-ftpd is run from inetd you do not
need this patch. This patch is for use when you run the wu-ftpd in standalone
daemon mode. You use this mode primarily for speed (as all that is required
is a fork instead of an exec), though some people choose not to run inetd
at all, in which case running the server standalone is the only way to go.
What you need:
- The wu-ftpd version 2.6.1 (older versions have serious security holes) server,
available here: http://www.wuftpd.org/
- A suitable TCP Wrapper library (libwrap) installed where your compiler can
find it (like in /usr/lib)
- The patch (below)
- Correctly configured /etc/hosts.allow and /etc/hosts.deny files (see the
man pages). Note that the service name for the wrapped wu-ftpd server is "ftpd"
(NOT "in.ftpd").
- Nice to have: the ftpd standalone initscript, if you use initscripts (like
RedHat does in /etc/rc.d/init.d). (Get this below.)
How to use the patch:
- Expand a clean copy of wu-ftpd 2.6.1
- cd to the directory that contains the newly expanded wu-ftpd-2.6.1
directory
- Copy the patch file into the current directory
- Apply the patch with "patch -p0 < wrapped_ftp_patch"
- Then cd into the wu-ftpd-2.6.1 dir and proceed as usual (./configure; make;
etc...). Note: You must use ./configure (autoconf) and not the old ./build
method.
- You may want to run make install to put things in place, but remember that
this setup is for running the server in standalone daemon mode, not from inetd.
- Make sure you do NOT have a line in /etc/inetd.conf for ftp (and kill -HUP
inetd if required)
- If you use initscripts (like RedHat), install the initscript in /etc/rc.d/init.d
(or equivalent). Then make symlinks into rc3.d or rc5.d as usual (see your
docs).
- If you do not use initscripts you might want to configure /etc/rc.local
to start the daemon at boot, as otherwise it will have to be started manually
after every reboot.
- Start the server with the -S option (I like to use "/path/to/ftpd -ll
-a -S" personally) or use the provided initscript, which assumes the daemon
is in /usr/sbin/ftpd (note there is no "in." in front of ftpd).
You may need to configure the initscript to match your daemon location
and option preferences.
- Test out your new setup. Try it from a host that is allowed and from a host
that is denied.
Important Notes:
- USE AT YOUR OWN RISK. THERE IS NO WARRANTY OF ANY KIND.
- You most likely need version 2.6.1 of the wu-ftpd. Anything older offers
remote root, so it would be a good idea to upgrade anyway!
- The service name for use in /etc/hosts.deny and /etc/hosts.allow is "ftpd". Thus,
for example, to deny everyone you would put "ftpd:ALL" in /etc/hosts.deny.
- You probably need to use ./configure when building (instead of the old-style
./build XXX), or you will have to edit the Makefile yourself to include libwrap
for ftpd.
- This was tested under Linux Intel RH6, Linux PPC Q3, and NetBSD 1.3/1.4.
- Problems? Suggestions? E-mail me here
Complaints? mail to /dev/null ;-) (Or send them to that address...)
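The two notes above that matter most for getting this right are the lookup order (hosts.allow is consulted first, then hosts.deny, and a client matching neither is allowed) and the service name ("ftpd", not "in.ftpd", so a rule written for the inetd name silently never fires). The following C program is an added example, not part of the patch or of wu-ftpd: it implements a small, self-contained subset of the hosts_access(5) matching rules (ALL, exact host or address, trailing-dot address prefix, leading-dot host-name suffix; no EXCEPT, no KNOWN/LOCAL, no option field) so that you can test what decision a given client would get before exposing the daemon. The sample rule tables inside it are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return 1 if one token of a daemon or client list matches `name`.
 * Supported subset of hosts_access(5): ALL, exact match, "192.168." (address
 * prefix, trailing dot) and ".example.com" (host-name suffix, leading dot). */
static int token_matches(const char *pat, const char *name) {
    size_t plen = strlen(pat), nlen = strlen(name);
    if (strcmp(pat, "ALL") == 0) return 1;
    if (plen == 0) return 0;
    if (pat[plen - 1] == '.')                       /* address prefix */
        return strncmp(pat, name, plen) == 0;
    if (pat[0] == '.')                              /* host-name suffix */
        return nlen >= plen && strcmp(name + nlen - plen, pat) == 0;
    return strcmp(pat, name) == 0;                  /* exact name or address */
}

/* Return 1 if any comma/space separated token in `list` matches. Modifies `list`. */
static int list_matches(char *list, const char *name) {
    char *tok;
    for (tok = strtok(list, ", \t"); tok != NULL; tok = strtok(NULL, ", \t"))
        if (token_matches(tok, name)) return 1;
    return 0;
}

/* Return 1 if any "daemon_list : client_list [: ...]" line in `table`
 * (the text of hosts.allow or hosts.deny) matches daemon and client. */
static int table_matches(const char *table, const char *daemon, const char *client) {
    char line[256];
    const char *p = table;
    while (*p != '\0') {
        size_t n = strcspn(p, "\n");                /* length of this line */
        size_t copy = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        p += n + (p[n] == '\n');                    /* step past the newline */

        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        if (*s == '\0' || *s == '#') continue;      /* blank line or comment */
        char *colon = strchr(s, ':');
        if (colon == NULL) continue;                /* malformed line: ignored */
        *colon = '\0';
        char *clients = colon + 1;
        char *opt = strchr(clients, ':');           /* option field, not modelled */
        if (opt != NULL) *opt = '\0';
        if (list_matches(s, daemon) && list_matches(clients, client)) return 1;
    }
    return 0;
}

/* libwrap's decision order: a hosts.allow match grants access, otherwise a
 * hosts.deny match refuses it, otherwise access is granted. Returns 1 = allow. */
int access_decision(const char *allow, const char *deny,
                    const char *daemon, const char *client) {
    if (table_matches(allow, daemon, client)) return 1;
    if (table_matches(deny, daemon, client)) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample tables: allow one address block and one domain for
     * the wrapped standalone server, deny everyone else (as the page suggests). */
    const char *allow = "ftpd: 192.168. , .example.com\n";
    const char *deny  = "# deny everything not allowed above\nftpd: ALL\n";
    const char *clients[] = { "192.168.1.7", "ftp.example.com", "10.9.8.7" };
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-16s -> %s\n", clients[i],
               access_decision(allow, deny, "ftpd", clients[i]) ? "allow" : "deny");
    return 0;
}
```

In the real server the equivalent work is done by libwrap itself in the child right after accept(): request_init() with RQ_DAEMON "ftpd" and RQ_FILE set to the accepted socket, fromhost() to fill in the client address, then hosts_access(), calling refuse() on a negative answer; the evaluator above only reproduces the table semantics so you can see why a rule written as "in.ftpd: ALL" leaves the standalone server wide open.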
Download
- wrapped_ftpd_patch (USA-Local Server) (1K) - GZIPed patch file
- ftpd_initscript (USA-Local Server) (1K) - GZIPed initscript file (goes in /etc/rc.d/init.d
or equivalent; may need tweaking)
Revision History
v0.9
Webmaster (webmaster@laffeycomputer.com)