Hey, we need an FTP server. Yes, it has to be an FTP server. We’re going to tell our clients to upload files there. Oh, and we don’t want to bother creating userids for each individual client—too much work, so it’s important that they can upload files but can’t see anybody else’s files. Except for us: we need to be able to see all the uploaded files.
FTP, although long since superseded by better & more efficient file transfer protocols (e.g. scp, HTTP, bittorrent), has managed to survive to this day, occasionally rearing its ugly head, reminding us that dinosaurs still walk the earth.
Here are the steps to go through to create a secure anonymous FTP server, one where the anonymous clients can upload files but cannot read them.
Amazon AWS is an excellent service for hosting virtual machines on the Internet. Create an account and perform the following steps (caveat lector: Amazon may change the menus/procedures at its discretion):
Click on Elastic IPs
chmod 600 ~/.ssh/anonftp.pem
ssh -i ~/.ssh/anonftp.pem email@example.com
sudo apt-get install vsftpd
sudo vim /etc/vsftpd.conf
We made the following changes to our /etc/vsftpd.conf:
local_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=ftpmaster
chroot_local_user=YES
Now we need to create our ftpmaster user, who will be able to log in & see all files. We are going to assign him the password
sudo restart vsftpd
sudo useradd -G ftp -d /srv/ftp ftpmaster
sudo passwd ftpmaster
sudo mkdir /srv/ftp/pub
sudo chown ftpmaster:ftp /srv/ftp/pub
sudo chmod 733 /srv/ftp/pub
sudo tee /srv/ftp/readme.txt <<-EOF
Please upload all movies into the /pub directory.
You may upload files into the pub directory, but you will not be able to read files in the pub directory, not even the ones you've uploaded.
If you can't upload files into the /pub directory, it is possible that there is already a file of the same name already there; try uploading your file using a different name.
EOF
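The layout above relies on two file-system facts: /srv/ftp/pub is mode 733 (group and other can create files but cannot list the directory), and every upload ends up owner-only because chown_uploads hands it to ftpmaster and vsftpd's default anon_umask of 077 strips group/other bits. The following check, an added example that is not part of the original post, audits a drop-box directory against that model so you can confirm nothing has drifted (a stray chmod 755, or a file someone copied in by hand with mode 644). The directory path is a parameter; ownership is not checked because the expected owner depends on the deployment.

```bash
#!/bin/sh
# Added example (not from the original post): audit an upload-only drop box.
#   check_dropbox DIR   -> returns 0 when DIR matches the write-only model,
#                          1 otherwise, printing each deviation to stderr.
# The model: DIR is mode 733 (no read bit for group/other, so no listing),
# every regular file inside is readable only by its owner, and DIR's parent
# (the chroot root for the master account) is not group- or world-writable,
# since vsftpd refuses to chroot a local user into a directory that user can
# write to.
check_dropbox() {
    local dir="$1" problems=0 mode pmode f
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "733" ]; then
        echo "$dir: mode $mode, expected 733 (write-only for group/other)" >&2
        problems=$((problems + 1))
    fi
    # Parent directory: group/other write bits must be clear.
    pmode=$(stat -c '%a' "$(dirname "$dir")")
    if [ $((0$pmode & 022)) -ne 0 ]; then
        echo "$(dirname "$dir"): mode $pmode is group/world writable" >&2
        problems=$((problems + 1))
    fi
    # Uploaded files must not be readable by group or other; otherwise anyone
    # who guesses a filename could fetch another client's upload.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            [0-7]00) ;;   # owner-only permissions (600, 700, ...): fine
            *) echo "$f: mode $mode, accessible beyond the owner" >&2
               problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Usage on the server from the text: check_dropbox /srv/ftp/pub
```

Run it as ftpmaster (or root) after the setup and again after the first uploads arrive; a non-zero exit with the offending path on stderr is the signal that the write-only guarantee no longer holds.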
From your workstation (not the Amazon EC2 instance), connect via anonymous FTP & upload a file. Also, try to get a directory listing:
ftp firstname.lastname@example.org
Connected to 188.8.131.52.
220 (vsFTPd 2.3.5)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put /etc/hosts /pub/hosts.txt
local: /etc/hosts remote: /pub/hosts.txt
229 Entering Extended Passive Mode (|||64563|).
150 Ok to send data.
100% |*********************************************************************************************| 236 4.50 MiB/s 00:00 ETA
226 Transfer complete.
236 bytes sent in 00:00 (1.44 KiB/s)
ftp> ls /pub/
229 Entering Extended Passive Mode (|||29280|).
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
ftp> quit
221 Goodbye.
That was a successful FTP session:
Now let’s make sure that the ftpmaster can log in & retrieve the uploaded files:
hosts.txt file to download
Anonymous FTP can be a security concern (this author ran an anonymous FTP server in 2001 only to discover that a gentleman from Germany was using its disk space & bandwidth to illegally distribute movies. Even worse, his taste in movies was universally mediocre). But this should not be a concern here: given that anonymous FTP users cannot see or download the material they have uploaded, our German hacker would be thwarted in his attempt to use this FTP server as a distribution mechanism. Also, bittorrent has supplanted the use of pilfered anonymous FTP servers in the modern day.
There are also [somewhat lame] denial-of-service attacks: someone could, for example, fill up the disk space, preventing others from uploading.
There is no encryption on the FTP uploads. If the content is sensitive, this may not be the appropriate solution.
Can the server be hacked? Can someone break in through one of the services and own the machine? I suspect the likelihood is low: there are only 2 services running: FTP & ssh.
ubuntu user (for the sshd configuration requires ssh keys to log in, and ubuntu is the only user that has keys).
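The write-only behaviour of this server depends on a handful of vsftpd.conf settings: the ones changed above, plus defaults that must stay at their stock values (anon_other_write_enable=NO so anonymous users cannot delete or rename each other's uploads, anon_world_readable_only=YES and anon_umask=077 so they cannot download them). The auditor below, an added example that is not part of the original post, reads a vsftpd.conf, resolves each option to its effective value (last uncommented assignment, otherwise the default documented in vsftpd.conf(5)), and reports deviations from the drop-box model; it also prints advisories for the two caveats just discussed, cleartext uploads (ssl_enable) and the absence of per-client limits (max_per_ip, anon_max_rate) that would make disk-filling slightly less trivial. It assumes anonymous_enable=YES is present in the stock file, which is vsftpd's default and what the session above shows.

```bash
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# write-only anonymous drop-box model.
#   vsftpd_opt FILE KEY DEFAULT          -> effective value of KEY
#   audit_vsftpd FILE                    -> 0 if the model holds, 1 otherwise;
#                                           one "finding:" line per deviation,
#                                           "advisory:" lines never change status
# Defaults below are the documented vsftpd defaults.

# Print the effective value of option $2 in file $1, or the default $3.
# Commented lines start with '#' and therefore never match.
vsftpd_opt() {
    local val
    val=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# expect_opt FILE KEY DEFAULT WANTED MESSAGE: print a finding and return 1
# when KEY does not resolve to WANTED.
expect_opt() {
    local got
    got=$(vsftpd_opt "$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    echo "finding: $2=$got ($5)"
    return 1
}

audit_vsftpd() {
    local file="$1" n=0
    expect_opt "$file" anonymous_enable        YES YES "anonymous logins are off; no drop box"            || n=$((n+1))
    expect_opt "$file" write_enable            NO  YES "global write switch is off; uploads will fail"    || n=$((n+1))
    expect_opt "$file" anon_upload_enable      NO  YES "anonymous uploads are off"                         || n=$((n+1))
    expect_opt "$file" anon_other_write_enable NO  NO  "anonymous users could delete or rename uploads"   || n=$((n+1))
    expect_opt "$file" anon_mkdir_write_enable NO  NO  "anonymous users could create directories"         || n=$((n+1))
    expect_opt "$file" anon_world_readable_only YES YES "anonymous users could fetch non-world-readable files" || n=$((n+1))
    expect_opt "$file" anon_umask              077 077 "uploads would not be created owner-only"          || n=$((n+1))
    expect_opt "$file" chown_uploads           NO  YES "uploads would stay owned by the anonymous ftp user" || n=$((n+1))
    expect_opt "$file" chroot_local_user       NO  YES "the master account is not confined to its home"   || n=$((n+1))
    if [ "$(vsftpd_opt "$file" chown_username root)" = root ]; then
        echo "finding: chown_username=root (uploads would belong to root; use a dedicated account such as ftpmaster)"
        n=$((n+1))
    fi
    # Advisories for the caveats in the text: no encryption, no upload limits.
    [ "$(vsftpd_opt "$file" ssl_enable NO)" = YES ]   || echo "advisory: ssl_enable=NO, uploads travel in cleartext"
    [ "$(vsftpd_opt "$file" max_per_ip 0)" != 0 ]     || echo "advisory: max_per_ip=0, one client may open unlimited sessions"
    [ "$(vsftpd_opt "$file" anon_max_rate 0)" != 0 ]  || echo "advisory: anon_max_rate=0, anonymous uploads are not throttled"
    [ "$n" -eq 0 ]
}

# Usage on the server from the text: audit_vsftpd /etc/vsftpd.conf
```

Running it against the configuration from the text produces no findings and three advisories; the advisories are there so the trade-offs the author accepted (cleartext transport, no rate or session limits) are visible every time the file is reviewed rather than rediscovered after the fact.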