The wu-ftpd patch offers TCP wrappers for the well-known FTP server.
With this patch you can deny access to certain hosts: the connection is dropped immediately after it is established (the accept() call). Because the check is conducted in the child process, the main server process is not slowed down. An initscript is also provided for starting and stopping the ftp server in standalone mode.
TCP Wrappers (or libwrap) provide an effective means to control access to services on a host. Traditionally, TCP Wrappers are invoked from inetd to protect services launched from inetd. When you decide to run wu-ftpd in standalone daemon mode, however, this patch comes in handy. Standalone mode is used primarily for speed, since all that is required is a fork instead of an exec, although some people choose not to run inetd at all, in which case running the server standalone is the only way to go.
Requirements for the patch to function include wu-ftpd version 2.6.1 (older versions have serious security holes), a suitable TCP Wrapper library (libwrap) installed where your compiler can find it (like in /usr/lib), the patch (below), and correctly configured /etc/hosts.allow and /etc/hosts.deny files (see the man pages). Note that the service named for the wrapped wu-ftpd server is "ftpd" (NOT "in.ftpd").
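As an added example (not part of the patch or of wu-ftpd), the following Python emulates the libwrap hosts_access() decision order so a hosts.allow / hosts.deny pair can be checked offline against the standalone service name "ftpd". The rule contents are constructed, and only the common client patterns are handled (no EXCEPT, wildcards or option fields).

```python
import ipaddress

# Constructed sample rules (an assumption, not from the page). The second deny
# line names "in.ftpd", which the wrapped standalone server ("ftpd") never
# matches, so that line has no effect on it.
HOSTS_ALLOW = """\
# local LAN, a private /8 and one admin host may connect
ftpd : 192.168.1. 10.0.0.0/255.0.0.0
ftpd : admin.example.com
"""
HOSTS_DENY = """\
ftpd : ALL
in.ftpd : 192.168.1.50
"""

def parse_rules(text):
    """Yield (daemon_list, client_list) from hosts.allow/hosts.deny text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            yield fields[0].split(), fields[1].split()

def client_matches(pattern, ip, hostname):
    """Common libwrap client patterns: ALL, .domain, a.b.c., net/mask, exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. .example.com
        return hostname.endswith(pattern)
    if pattern.endswith("."):              # IPv4 prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 10.0.0.0/255.0.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (ip, hostname)

def hosts_access(service, ip, hostname, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: a match in hosts.allow grants, else a match in
    hosts.deny refuses, else access is granted (default permit)."""
    def matches(text):
        for daemons, clients in parse_rules(text):
            if (service in daemons or "ALL" in daemons) and \
               any(client_matches(c, ip, hostname) for c in clients):
                return True
        return False
    return True if matches(allow) else not matches(deny)
```

On a host with the TCP Wrappers tools installed, `tcpdmatch ftpd <client>` performs the same check against the real /etc/hosts.allow and /etc/hosts.deny.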
It's also nice to have the ftpd standalone initscript if you use initscripts (like RedHat, in /etc/rc.d/init.d); get this below.
Instructions on how to use the patch:
- Expand a clean copy of wu-ftpd 2.6.1
- cd to the directory that contains the recently expanded wu-ftpd-2.6.1 directory
- Copy the patch file into the current directory
- Apply the patch with "patch -p0 < wrapped_ftp_patch"
- Then cd into the wu-ftpd-2.6.1 directory and proceed as usual (./configure; make; etc.). Note: you must use ./configure (autoconf), not the old ./build method.
- You may want to run make install to put things in place, but remember that this setup is for running the server in standalone daemon mode, not from inetd.
- Make sure you do NOT have a line in /etc/inetd.conf for ftp (and kill -HUP inetd if required)
- If you use initscripts (like RedHat), install the initscript in /etc/rc.d/init.d (or equivalent). Then make symlinks into rc3.d or rc5.d as usual (see your docs).
- If you do not use initscripts, you might want to configure /etc/rc.local to start the daemon at boot; otherwise it will have to be started manually after each reboot.
Version 1.0: N/A