[NCLUG] Another simple FTP question
dobbster
dobbster at dobbster.com
Wed Apr 4 16:44:50 MDT 2001
Quent wrote:
>
> Hi,
>
> Maybe there's still an entry in /etc/inetd.conf and removal
> of the RPM maybe didn't get everything. Another possibility is that
> it's running as a standalone daemon, in which case "chkconfig --list |
> grep ftp" might turn up a clue, assuming all your daemons are started
> by scripts in init.d. Hope this helps.

It's definitely only started by inetd, and with the tcpd wrapper.
Further info... (Boy, I'd be grateful if you could help me. I've
already decided I'll buy a couple of pitchers of beer/soda for everyone
at the next NCLUG, which I promise to attend if it's at PanHandlers.
*fingers crossed, just in case*)
I don't have the anon-ftp package installed:
[/home/dobbster]rpm -qa | grep ftp
ftp-0.10-22
gftp-2.0.3-1mdk
ncftp-3.0beta18-4mdk
tftp-0.10-23
wu-ftpd-2.5.0-1mdk # I realize this is old, but I can't get the newer
ones to compile on my Mandrake 6.x box...
My /etc/inetd.conf reads:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
I assume this is okay. I guess I should set up my
/etc/hosts.allow(deny) to permit only the hosts that -need- to FTP to
get in. Unfortunately, some of them are assigned IPs dynamically, so
I'd be opening the doors to entire networks (still better than allowing
access to all.)
My latest attempt at an /etc/ftpaccess reads (comments added along the
way):
class all real *
limit all 10 Any /etc/msgs/msg.dead
message /welcome.msg login
message .message cwd=*
compress yes all
tar yes all
log commands real
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg
email user at hostname # Not sure I understand this...
greeting terse
hostname the.server # bogus, of course
defaultserver private # Shouldn't this turn off anon ftp altogether,
according to man 5 ftpaccess?
---
Now, people attempting anonymous FTP are NOT able to get in. An attempt
yields something like:
[/home/dobbster]ftp ftpserver.com # not the real server's name, duh.
Connected to ftpserver.com.
220 FTP server ready.
Name (ftpserver.com:dobbster): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password: # I enter dobbster at dobbster.com
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
Again, crackers are attempting to do this every day with some automated
tools. It's annoying because it fills my logs with failed login
attempts, and it also makes me a little paranoid.
Should my /etc/ftpaccess file have the "virtual" option turned on? The
ftpaccess man page seems to indicate something about this. What would I
say there?
Thanks; maybe it's not as simple as I thought.
Mark (dobbster at dobbster.com)
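
The hosts.allow/hosts.deny restriction considered in the message above, as an added example that is not part of the original post: a small Python model of how tcpd decides access for in.ftpd, showing what admitting whole networks for dynamic-IP users lets through. The rule contents and addresses are constructed (documentation ranges), and only a subset of hosts_access(5) client patterns is handled (ALL, exact address, net/mask, trailing-dot prefix).

```python
import ipaddress

# Constructed rule files using documentation address ranges (assumptions, not from the post).
HOSTS_ALLOW = """\
# one static host, then whole networks for the dynamic-IP users
in.ftpd: 192.0.2.10
in.ftpd: 198.51.100.0/255.255.255.0, 203.0.113.
"""
HOSTS_DENY = "in.ftpd: ALL\n"


def client_matches(pattern, addr):
    """Match one client pattern (subset of hosts_access(5)) against an IPv4 address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                       # net/mask form
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}")
    if pattern.endswith("."):                # leading address fields, e.g. "203.0.113."
        return addr.startswith(pattern)
    return pattern == addr                   # exact address


def file_matches(text, daemon, addr):
    """True if any 'daemon_list : client_list' rule in text matches daemon and addr."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = (f.strip() for f in line.split(":")[:2])
        daemon_list = daemons.replace(",", " ").split()
        if daemon not in daemon_list and "ALL" not in daemon_list:
            continue
        if any(client_matches(p, addr) for p in clients.replace(",", " ").split()):
            return True
    return False


def access_granted(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is checked first, then hosts.deny; no match in either grants access."""
    if file_matches(allow, daemon, addr):
        return True
    return not file_matches(deny, daemon, addr)


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "198.51.100.77", "203.0.113.200"):
        print(addr, "granted" if access_granted("in.ftpd", addr) else "denied")
```

Any daemon not named in hosts.deny is still granted by default, so a deny file listing only in.ftpd leaves other tcpd-wrapped services open; on the real system, tcpdmatch reports the same decision for a given daemon and client.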