How to Set Up Anonymous FTP with ProFTP

ūüďÖ June 10, 2017
Anonymous FTP is a handy way to provide public files to users over a LAN. Any user may log in to the FTP server without requiring an account on the FTP server itself. Just log in as anonymous and download.

But how can we set this up?

In this quick tutorial, we will see how the process works and what configuration settings must be made for a read-only anonymous FTP login.

ProFTP

ProFTP (Professional File Transfer Protocol) is a free FTP server available in the Ubuntu repositories. Install it from Synaptic or the command line. Look for proftpd-basic in Synaptic.

sudo apt-get install proftpd-basic

This tutorial assumes that ProFTP is already installed and running.

 

“Which Version Am I Running?”

It should not matter, but to find out, enter

proftpd -v

ProFTP version 1.3.5a installed from the Ubuntu repository.

 

“How can I check if ProFTP is running?”

systemctl status proftpd

You should see output similar to this:

ProFTP up and running.

How It Works

While the introduction mentioned that no preexisting account is required, this is partly true. Normally, FTP requires that each use have his own account on the FTP server and that he logs in with that account username and password.

This can add up to additional user management if you have, say, a few hundred users. If file privacy is not a concern, anonymous FTP will allow all users to access the file simply by logging in with the username anonymous and a blank password.

The idea behind anonymous FTP is that the Linux system hosting the FTP server already has a limited, standard user account that is used for FTP access. Any user who logs in as an anonymous user is aliased to this account and restricted to whatever access it has.

Overview of anonymous FTP access. Anonymous FTP users access files through the dedicated anonftp user account.

Set Up

1. Create an Standard User Account for FTP Login

By default, ProFTP should create an ftp user, but we will not use this one even though we can. Instead, will create a new standard account. This is so we can name the account based upon a specific purpose instead of relying upon a generic “ftp” account. For the purpose of this example, we are going to provide a local Ubuntu repository that any user may access via anonymous FTP.

Linux Mint’s Users and Groups dialog easily lets us create this user.

Linux Mint 18.1 Users and Groups dialog. anonftp is a standard user account created specifically for anonymous FTP logins. You may name the user account as anything you like. anonftp is an example.

A password is not required for the anonftp account, but set a password anyway to restrict local access. We do not want users to be allowed to log into the Linux system without a password. The password set on the account is NOT used for anonymous FTP logins. Users can still log in without a password via anonymous FTP because the ProFTP server handles FTP logins according to its configuration.

2. Edit ProFTP Configuration

Open proftpd.conf in a text editor for editing.

sudo gedit /etc/proftpd/proftpd.conf

The location of proftpd.conf might vary, but it should be located in the /etc/proftpd directory. The edits here will determine how anonymous FTP behaves since can it sets restrictions, directory locations, and user aliases. See the full documentation for details that cater to your needs.

For now, we are going to allow anonymous read-only access to a specific directory located at /media/ftpstuff, which is a spare hard drive hosting public files that we want to share via anonymous FTP. Whenever a user logs in with anonymous FTP, he will be restricted to this directory and its subdirectories.

proftpd.conf contains many settings. Shown below are the relevant parts for anonymous FTP.

 

DefaultRoot    ~

<Anonymous /media/ftpstuff>
<Limit LOGIN>
    AllowAll
</Limit>
    User  anonftp
    Group  anonftp

    UserAlias  anonymous anonftp
<Directory *>
    <Limit WRITE>
       DenyAll
    </Limit>
</Directory>
</Anonymous>

By default, anonymous FTP is disabled. Uncommenting or adding custom anonymous lines will enable it.

DefaultRoot    ~

This restricts an FTP user to his home and prevents him from exploring the rest of the filesystem. A security precaution.

<Anonymous /media/ftpstuff>
...
</Anonymous>

Everything between the opening and closing <Anonymous> pertains to the anonymous FTP login. <Anonymous /media/ftpstuff> specifies the home directory for an anonymous FTP login. With DefaultRoot also set to ~, each user who logs in via anonymous FTP will see /media/ftpstuff as his home. He will not be able to explore parent directories or other parts of the filesystem on the FTP server.

<Limit LOGIN>
    AllowAll
</Limit>

Everyone is allowed to login via anonymous FTP.

User   anonftp
Group  anonftp

Here is why we needed to set up the anonftp user account earlier. When a user logs in via anonymous FTP, he will be “seen” as this user and group by the system. If necessary, we can further restrict what anonftp can do through groups and Linux permissions.¬†For example, we could make anonftp a member of other groups with varying access permissions. The anonymous FTP user would then be allowed to access whatever the groups allow.

UserAlias anonymous anonftp

Tells ProFTP to identify anonymous FTP logins by the username anonymous and then alias that username as anonftp — the name of the system’s user account.

 <Directory *>
   <Limit WRITE>
     DenyAll
   </Limit>
 </Directory>

How should directories be handled for anonymous FTP? <Directory *> applies to all directories visible to the anonymous login, and <Limit WRITE> with DenyAll instructs ProFTP to prohibit all writing to those directories. In other words: no uploads. The phrasing might be confusing, so try to think in reverse. By denying all writes, we are making something read-only, which is what we want for this example.

3. Restart proftpd

You must restart the FTP server after any modification is made and saved in proftpd.conf so the proftpd server will reflect the new changes.

sudo service proftpd restart

Now, try to log in using Filezilla or any other FTP client. You should see the contents of your chosen anonymous FTP directory.

Think

Anonymous FTP is a great way to make a local repository available to all users on a LAN, but always use caution. It might be convenient to log in as anonymous, but avoid posting private files since anyone who logs in as anonymous can view them.

If you allow anonymous uploading (yes, proftpd allows this too), you might want to restrict uploads to a dedicated “uploads” directory.

Conclusion

There are several ways to configure anonymous FTP, so think about what you are trying to achieve and then think about the best way to configure FTP to make your goal happen. Avoid a one-size-fits-all approach because FTP is insecure by default and easy to configure improperly.

FTP is fun to play with and fast for practical usage on a trusted, private LAN, so experiment and enjoy!

Advertisements

, ,

  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: