This tutorial assumes that a computer has Linux installed and running. See RedHat Installation for the basics. A connection to the internet is also assumed. A connection of 128 Mbits/sec or greater will yield the best results. ISDN, DSL, cable modem or better are all suitable. A 56k modem will work but the results will be mediocre at best. The tasks must also be performed with the root user login and password.
Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd) and Bind (named) software packages with their dependencies are all required. One can use the rpm command to verify installation:
Fedora Core 1+, Red Hat Enterprise 4, CentOS 4:
rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd
rpm -q apache bind inetd wu-ftpd
Use wu-ftpd version 2.6.2 or later to avoid security problems
SuSE 9.3:
rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd
Note: apache2-MPM is a generic term for the Apache "Multi-Processing Module" (MPM) installation options "prefork" or "worker". If you try to install only apache2 you will get the following error:
apache2-MPM is needed by apache2-2.0.53-9
Also see Apache.org: MPMs
Ubuntu (dapper 6.06) / Debian:
apt-get install apache2
apt-get install apache2-common
apt-get install apache2-mpm-prefork
apt-get install apache2-utils
apt-get install bind9
The Apache configuration file is: /etc/httpd/conf/httpd.conf
Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:
Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4, CentOS 4: /var/www/html/
Red Hat 6.x and older: /home/httpd/html/
Suse 9.x: /srv/www/htdocs/
Ubuntu (dapper 6.06) / Debian: /var/www/html
The default home page for the default configuration is index.html. Note that the pages should not be owned by user apache, as this is the process owner of the httpd web server daemon. If the web server process is compromised, it should not be allowed to alter the files. The files should of course be readable by user apache. Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve multiple domains. Serving multiple domains may be achieved in two ways:
Virtual hosts: One IP address but multiple domains - "Name based" virtual hosting
Multiple IP based virtual hosts: One IP address for each domain - "IP based" virtual hosting
The default configuration will allow one to have multiple user accounts under one domain by using a reference to the user account: http://www.domain.com/~user1/
If no domain is registered or configured, the IP address may also be used: http://XXX.XXX.XXX.XXX/~user1/
Prerequisites:
Apache HTTP Web server configuration:
[Potential Pitfall] The default umask for directory creation is correct by default but if not use: chmod 755 /home/user1/public_html
[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them by the existing "Directory" directives was a bad idea. It would not use the .htaccess file. This was because the statement defining the use of the .htaccess file was after the "Directory" statement. Previously in RH 6.x the files were separated and the order was defined a little differently. I now place new "Directory" statements near the end of the file just before the "VirtualHost" statements. For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.
Files used by Apache:
Start/stop/restart script:
Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
SuSE 9.3: /etc/init.d/apache2
Ubuntu (dapper 6.06) / Debian: /etc/init.d/apache2
Apache main configuration file:
Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
SuSE: /etc/apache2/httpd.conf
(Need to add directive: ServerName host-name)
Ubuntu (dapper 6.06) / Debian: /etc/apache2/apache2.conf
Apache supplementary configuration files:
Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
SuSE: /etc/apache2/conf.d/component.conf
Ubuntu (dapper 6.06) / Debian:
Virtual domains: /etc/apache2/sites-enabled/domain
(Create soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on)
Additional configuration directives: /etc/apache2/conf.d/
Modules to load: /etc/apache2/mods-available/
(Soft link to /etc/apache2/mods-enabled/ to turn on)
Ports to listen to: /etc/apache2/ports.conf
/var/log/httpd/access_log and error_log - Red Hat/Fedora Core Apache log files
(Suse: /var/log/apache2/)
Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status,
i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the configuration files to pick up any changes. To have this script invoked upon system boot issue the command chkconfig --add httpd. See Init Process Tutorial for a more complete discussion.
Also Apache control tool: /usr/sbin/apachectl start
Apache Control Command: apachectl:
Red Hat / Fedora Core / CentOS: apachectl directive
Ubuntu dapper 6.06 / Debian: apache2ctl directive
Apache Configuration Files:
/etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See Apache online documentation for the full manual.
/etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache start-up. Used to store application specific configurations.
/etc/sysconfig/httpd: Holds environment variables used when starting Apache
Basic settings: Change the default value for ServerName www.<your-domain.com>
Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the Directory statement. Start by denying access to everything, then grant access to the necessary directories.
Deny access completely to file system root ("/") as the default:
Grant access to a user's directory:
start: Start the Apache httpd daemon. Gives an error if it is already running.
stop: Stops the Apache httpd daemon.
graceful: Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted.
restart: Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die.
status: Displays a brief status report.
fullstatus: Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
OR
use the statement UserDir public_html, which does this by default for every user account at $HOME/public_html. Comment out (add "#" at beginning of line) the Fedora Core default: UserDir disable
Also use SELinux command: setsebool httpd_enable_homedirs true
File permissions: The Apache web server daemon must be able to read your web pages in order to feed their contents to the network. Use an appropriate umask and file protection. This works: chmod ugo+r -R public_html
One may also use groups to control permissions. See the YoLinux tutorial on managing groups.
[Potential Pitfall]: If the Apache web server can not access the file you will get the error "403 Forbidden" "You don't have permission to access file-name on this server." Note the default permissions on a user directory when first created with "useradd" are:
drwx------ 3 userx userx
You must allow the web server running as user "apache" to access the directory if it is to display pages held there.
Fix with command: chmod ugo+rx /home/userx
drwxr-xr-x 3 userx userx
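The ownership and permission rules above (pages not owned by the web server's user, files readable by it, directories traversable) can be checked with a script. This is an added example, not part of the original tutorial: the names audit_docroot and make_sample_tree and the sample tree are constructed for illustration, and "readable" is tested as world-readable to match the tutorial's chmod ugo+r approach.

```sh
#!/bin/sh
# Added example: audit a web content tree against the tutorial's rules.
# Function names and the sample tree are made up for this illustration.

# audit_docroot DIR WEBUSER
#   DIR      content directory, e.g. /home/user1/public_html
#   WEBUSER  account (name or numeric uid) the httpd daemon runs as, e.g. apache
# Prints one "KIND PATH" line per finding; returns 1 if anything was found.
#   owned-by-server      a compromised httpd process could rewrite the file
#   world-writable       any local account, httpd included, can alter it
#   not-world-readable   httpd cannot read it, so requests get 403 Forbidden
#   dir-not-traversable  directory lacks r and x for others (chmod ugo+rx)
audit_docroot() {
    dir=$1
    webuser=$2
    findings=$(
        find "$dir" -user "$webuser" -print | sed 's/^/owned-by-server /'
        find "$dir" ! -type l -perm -0002 -print | sed 's/^/world-writable /'
        find "$dir" -type f ! -perm -0004 -print | sed 's/^/not-world-readable /'
        find "$dir" -type d ! -perm -0005 -print | sed 's/^/dir-not-traversable /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree: one good page, one unreadable, one world-writable.
make_sample_tree() {
    mkdir -p "$1/public_html"
    echo '<html></html>' > "$1/public_html/index.html"
    echo 'draft' > "$1/public_html/private.html"
    echo 'guestbook' > "$1/public_html/upload.html"
    chmod 755 "$1" "$1/public_html"
    chmod 644 "$1/public_html/index.html"
    chmod 600 "$1/public_html/private.html"
    chmod 666 "$1/public_html/upload.html"
}

# Demo run. The current uid stands in for "apache" so the demo works on any
# machine; every path is therefore reported as owned-by-server as well.
demo=$(mktemp -d)
make_sample_tree "$demo"
audit_docroot "$demo" "$(id -u)" || echo "audit found problems (listed above)"
rm -rf "$demo"
```

On a real server, run it as audit_docroot /home/userx apache so the home directory itself is included in the traversal check.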
SELinux security contexts:
Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels
To view the security context labels applied to your web page files use the command: ls -Z
The system enables/disables SELinux policies in the file /etc/selinux/config
SELinux can be turned off by setting the directive SELINUX (Then reboot the system):
or using the command setenforce 0 to temporarily disable SELinux until the next reboot
When using SELinux security features, the security context labels must be added so that Apache can read your files. The default security context label used is inherited from the directory for newly created files. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory. Move does not create a new file and thus the file does not receive the directory security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www
The web directories of users (i.e public_html) should be set with the appropriate context label (httpd_sys_content_t)
Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:
-R: Recursive. Files and directories in current directory and all subdirectories
-h: Affect symbolic links
-t: Specify type of security context
Use the following security contexts:
Set the following options: setsebool httpd-option true
(or set to false)
Then restart Apache:
Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
Red Hat/Fedora: service httpd restart
The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans
For more on SELinux see the YoLinux Systems Administration tutorial
Configuring a "name based" virtual host:
<Directory /home/user1/public_html>
AllowOverride None
order allow,deny
allow from all
Options Indexes Includes FollowSymLinks
</Directory>
SELINUX=disabled
Context Type Description
httpd_sys_content_t Used for static web content i.e HTML web pages
httpd_sys_script_exec_t Use for executable CGI scripts or binary executables
httpd_sys_script_rw_t CGI is allowed to alter/delete files of this context
httpd_sys_script_ra_t CGI is allowed to read or append files of this context
httpd_sys_script_ro_t CGI is allowed to read files and directories of this context
httpd_enable_cgi Allow httpd cgi support
httpd_enable_homedirs Allow httpd to read home directories
httpd_ssi_exec Allow httpd to run SSI executables in the same domain as system CGI scripts
A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated linux server which hosts a single web site.)
Notes:
You can specify more than one IP address, i.e. if the web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.
See the YoLinux Tutorial on configuring a network gateway/firewall using iptables and NAT
Use your IP address for XXX.XXX.XXX.XXX, actual domain name and e-mail address
One can use DNS views to provide different local network DNS results
Note that I configure Apache for both requests http://www.domain-name.com and http://domain-name.com
Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.
Forwarding to a primary URL: It is best to avoid the appearance of duplicated web content from two URLs such as http://www.your-domain.com and http://your-domain.com. Supply a forwarding Apache "Redirect".
Note:
This is to avoid Google ranking penalties. See the Yolinux.com discussion on Google's supplemental index.
See the YoLinux.com Apache "Redirect" Tutorial
More virtual host examples
When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP address.
After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu / Debian)
Apache virtual domain configuration with Ubuntu 6.06 Dapper:
Ubuntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2/sites-available/. When the site domain is to become active, a soft link is created to the directory /etc/apache2/sites-enabled/
Example: /etc/apache2/sites-available/supercorp
NameVirtualHost XXX.XXX.XXX.XXX
<VirtualHost XXX.XXX.XXX.XXX>
ServerName www.your-domain.com - CNAME (bind DNS alias www) specified in Bind configuration file (/var/named/ )
ServerAlias your-domain.com - Allows requests by domain name without the "www" prefix
ServerAdmin user1@your-domain.com
DocumentRoot /home/user1/public_html
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log
Enable domain:
Create soft link:
Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
Use Ubuntu scripts a2ensite/a2dissite. Type the command and it will prompt you as to which site you would like to enable or disable.
Also note that Apache modules can also be enabled/disabled with scripts a2enmod/a2dismod
CGI: (Common Gateway Interface)
CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:
ScriptAlias:
Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
Ubuntu (dapper 6.06) / Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
or
Options +ExecCGI:
The executable program files must have execute privileges, executable by the process owner (Red Hat 7+/Fedora Core: apache. Older use nobody) under which the httpd daemon is being run.
Configuring CGI To Run With User Privileges:
The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.
Configuring an "IP based" virtual host:
One may assign multiple IP addresses to a single network interface. See the YoLinux networking tutorial: Network Aliasing. Each IP address may then be its
Options Indexes FollowSymLinks MultiViews
IndexOptions SuppressLastModified SuppressDescription
# Possible values include: debug, info, notice, warn, error,
# crit, alert, emerg
ServerName node1.your-domain.com - Allows requests by domain name without the "www" prefix
ServerAlias your-domain.com www.your-domain.com - CNAME (alias www) specified in Bind configuration file (/var/named/ )
ServerAdmin user1@your-domain.com
DocumentRoot /home/user1/public_html/your-domain.com
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log
SuexecUserGroup user1 user1
<Directory /home/user1/public_html/your-domain.com/>
Options +ExecCGI +Indexes
AddHandler cgi-script cgi
</Directory>
</VirtualHost>
own virtual server and individual domain. The downside of the "IP based" virtual host method is that you have to possess multiple/extra IP addresses. This usually costs more. The standard name based virtual hosting method above is more popular for this reason.
The default <VirtualHost *> block will be used as the default for all IP addresses not specified explicitly. This default IP (*) may not work for https URLs.
ERROR Pages:
You can specify your own web pages instead of the default Apache error pages:
Create the file Error404-missing.html in your "DocumentRoot" directory
PHP:
If the appropriate php, perl and httpd RPMs are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages (RHEL4):
php: HTML-embedded scripting language
php-pear: PEAR is a framework and distribution system for reusable PHP components
php-mysql: MySQL database support
php-ldap: Lightweight Directory Access Protocol (LDAP) support
Apache configuration:
Add php default page index.php to apache config file: /etc/httpd/conf/httpd.conf
PHP Configuration File:
RHEL4 - PHP 4.3: /etc/php.ini
Ubuntu Dapper 6.06/6.11: /etc/php5/apache2/php.ini
Small portion of file shown
Note that changes will not take effect until the apache web server daemon is restarted
Test your PHP capabilities with this test file: /home/user1/public_html/test.php
OR (older format)
Test: http://localhost/~user1/test.php
For more info see YoLinux list of PHP information web sites
NameVirtualHost * - Indicates all IP addresses
Running Multiple instances of httpd:
The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique configuration file for each instance. Configure a unique IP address for each instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP addresses for one NIC (Network Interface Card). Use the Apache configuration file directive Listen XXX.XXX.XXX.XXX, where the IP address is unique for each instance of Apache.
Apache Man Pages:
httpd - Apache Hypertext Transfer Protocol Server
apachectl - Apache HTTP Server Control Interface
ab - Apache HTTP server benchmarking tool
htdigest - manage user files for digest authentication
htpasswd - Manage user files for basic authentication
logresolve - Resolve IP-addresses to hostnames in Apache log files
rotatelogs - Piped logging program to rotate Apache logs
Also see the local online Apache configuration manual: http://localhost/manual/
Apache Red Hat / Fedora Core GUI configuration:
GUI configuration tool:
Fedora Core 2/3/4: /usr/bin/system-config-httpd
Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd
Adding web site login and password protection: See the YoLinux tutorial on web site password protection
Log file analysis:
Scanning the Apache web log files will not provide meaningful statistics unless they are graphed or presented in an easy to read fashion. The following packages do a good job of presenting site statistics:
Analog - Also see Report Magic for Analog
Webalizer
AWStats - (requires PERL)
Web site statistic services:
eXTReMe Tracking
Load testing your server:
PureLoad - JAVA load testing and reporting tool
WebPerformance Trainer - Load Testing Tools
Apache Links:
CgiWrap - setuid wrapper that allows users to install and execute their own cgi scripts that get executed as their own userid
Thumbprint - CGI for viewing a directory of images as thumbnails
WWWThreads.org - Commercial product - Advanced Web Conferencing Software
Configuring https (mod_ssl):
Mod_SSL.org: Home Page
Mod_SSL.org: Mod_SSL HowTo
Mod_SSL.org: Steps to create SSL server certificate
Print performance stats for home page of yourdomain.com: httperf --hog --server www.yourdomain.com
Create 100 connections at a rate of 10/sec: httperf --hog --server http://www.yourdomain.com/ --num-conn 100 --rate 10 --timeout 5
Generate 10 sessions at a rate of 1 session/sec every 2 seconds: httperf --hog --server=www --wsess=10,5,2 --rate 1 --timeout 5
httperf command line options:
Links:
httperf home page - downloads, documentation
Man page
Other web performance measurement tools:
autobench: Perl wrapper to httperf which iterates and gathers data for each run. Creates csv file for use in a spreadsheet to generate graphs
openload: Simulates number of concurrent users Measures completed requests/sec
Apache JMeter: Java app for static and dynamic performance analysis
Many FTP programs exist. This example covers the popular vsftpd (Red Hat default 9.0, Fedora Core, Suse) and wu-ftpd (Washington University) program which comes standard with RedHat (last shipped with RedHat 8.0 but can be installed on any Linux system) (RPM: wu-ftpd). There are other FTP programs including proFtpd (supports LDAP authentication, Apache like directives, full featured ftp server software), bftpd, pure-ftpd (free BSD and optional on Suse), etc. FTPd configuration tutorials:
Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start)
Configure vsftpd to start upon system boot: chkconfig --add vsftpd
SuSE: By default, vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change:
disable = yes
to:
disable = no
Restart the xinetd daemon: /etc/init.d/xinetd restart
Note: vsftpd can also be run as a stand-alone service to achieve a faster response time
Ubuntu (dapper 6.06) / Debian:
Install: apt-get install vsftpd
Measuring Web Server Performance:
hog Use as many TCP ports as necessary to generate stats (else limited to port 1024-5000)
num-calls Session oriented workloads
max-connections=# Limit the number of connections to that specified
num-calls=# Specify the number of calls to issue on each connection before closing it
server host-name Default localhost Specify IP address of host name
wsess=N1,N2,X Specify session where
N1: number of sessions
N2: number of calls per session
X: delay between calls (sec)
timeout Stop if there is no response within timeout period
FTPd and FTP user account configuration:
vsFTPd and FTP user account configuration:
VsFTPd is a stand alone service
Start: /etc/init.d/vsftpd start
Stop: /etc/init.d/vsftpd stop
For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux init process and service activation
Configuration files:
vsFTPd configuration file:
Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
S.u.S.e / Ubuntu (dapper 6.06) / Debian: /etc/vsftpd.conf
Default for Fedora Core 3:
Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)
[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive i.e.:
directive=XXX # comment
vsftp.conf man page
Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)
If userlist_enable=NO, then specify users not to be chroot'd
Specify list of users: /etc/vsftpd.user_list
(Deny list of users requires: userlist_enable=YES)
Also see PAM configuration below
anonymous_enable=YES - Anonymous FTP allowed by default if you comment this out. Default directory used: /var/ftp
local_enable=YES - Uncomment this to allow local users to log in with FTP
write_enable=YES - Uncomment this to enable any form of FTP write or upload command
local_umask=022 - Default is 077. Umask 022 is used by most other ftpd's
#anon_upload_enable=YES - Uncomment to allow the anonymous FTP user to upload files
Requires the above global write enabled. Directory must also be writable by user
#anon_mkdir_write_enable=YES - Uncomment this to allow the anonymous FTP user to be able to create new directories
dirmessage_enable=YES - Activate directory messages
Messages given to remote users when they enter certain directories
xferlog_enable=YES - Activate logging of uploads/downloads
connect_from_port_20=YES - PORT transfer connections originate from port 20 (ftp-data)
#chown_uploads=YES - Uploaded anonymous files set to a specified owner (not root)
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log
xferlog_std_format=YES - Output to log file in standard ftpd xferlog format
#idle_session_timeout=600 - Set timing out for an idle session
#data_connection_timeout=120 - Set timing out for an idle data connection. Port 20
#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged user
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients
#async_abor_enable=YES
#ascii_upload_enable=YES - Improve performance by disabling ASCII mode. Disables command "ascii" and "SIZE /big/file"
#ascii_download_enable=YES
#ftpd_banner=Welcome to YoLinux - Customize the login banner string
#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks
userlist_enable=YES - (Default) Deny users specified in file /etc/vsftpd.user_list
If "userlist_enable=NO" then allow specified users
#deny_email_enable=YES - Disallow specified anonymous e-mail addresses Used to combat certain DoS attacks
listen=YES - Enable for standalone mode as opposed to an xinetd service
If userlist_enable=NO, then specify valid users
PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd
This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Specify user in both files.
File: /etc/vsftpd.ftpusers
Logrotate configuration file: /etc/logrotate.d/vsftpd.log
Sample vsFTPd configurations:
Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf
Anonymous logins use the login name "anonymous" and then the user supplies their email address as a password. Any password will be accepted. Used to allow the public to download files from an ftp server. Generally, no upload is permitted.
Web hosting configuration: /etc/vsftpd/vsftpd.conf
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
anonymous_enable=YES - Turn on anonymous FTP
chown_uploads=YES - Uploaded files owned by an assigned user
chown_username=ftp - Uploaded files owned by this assigned user
local_enable=YES - Allow users to ftp to their home directories
write_enable=YES - Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
local_umask=022
# Security
connect_from_port_20=YES
force_dot_files=NO
Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
Ubuntu typically: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)
If userlist_enable=NO, then specify users not to be chroot'd
[Potential Pitfall]: Misspelling a directive will cause vsftpd to fail with little warning
vsftp.conf Man page
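Both vsftpd pitfalls noted in this tutorial (a comment on the same line as a directive, and a misspelled directive) can be caught before the daemon is restarted. The following is an added example, not part of the original tutorial or of vsftpd: lint_vsftpd_conf and write_sample_conf are made-up names, the allow-list holds only directives that appear on this page, and the extra check for spaces around "=" goes beyond the page (the vsftpd.conf man page forbids them).

```sh
#!/bin/sh
# Added example: lint a vsftpd.conf for the pitfalls described in this tutorial.
# Allow-list: only the directives shown on this page (partial; extend it from
# the vsftpd.conf man page before relying on the unknown-directive check).
KNOWN_DIRECTIVES="anonymous_enable local_enable write_enable local_umask"
KNOWN_DIRECTIVES="$KNOWN_DIRECTIVES anon_upload_enable anon_mkdir_write_enable"
KNOWN_DIRECTIVES="$KNOWN_DIRECTIVES dirmessage_enable xferlog_enable xferlog_file"
KNOWN_DIRECTIVES="$KNOWN_DIRECTIVES xferlog_std_format connect_from_port_20"
KNOWN_DIRECTIVES="$KNOWN_DIRECTIVES chown_uploads chown_username nopriv_user"
KNOWN_DIRECTIVES="$KNOWN_DIRECTIVES idle_session_timeout data_connection_timeout"
KNOWN_DIRECTIVES="$KNOWN_DIRECTIVES async_abor_enable ascii_upload_enable"
KNOWN_DIRECTIVES="$KNOWN_DIRECTIVES ascii_download_enable ftpd_banner listen"
KNOWN_DIRECTIVES="$KNOWN_DIRECTIVES deny_email_enable userlist_enable guest_enable"
KNOWN_DIRECTIVES="$KNOWN_DIRECTIVES chroot_local_user chroot_list_enable"
KNOWN_DIRECTIVES="$KNOWN_DIRECTIVES chroot_list_file force_dot_files"

# lint_vsftpd_conf FILE
# Prints one finding per line as "LINE:KIND:TEXT"; returns 1 if any were found.
lint_vsftpd_conf() {
    awk -v known="$KNOWN_DIRECTIVES" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*$/ { next }   # blank lines
        /^#/       { next }   # whole-line comments are fine
        {
            eq = index($0, "=")
            if (eq == 0) { printf "%d:no-equals:%s\n", NR, $0; bad = 1; next }
            name  = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)
            # No space is allowed between the option, "=" and the value.
            if (name ~ /[ \t]/ || value ~ /^[ \t]/) {
                printf "%d:whitespace:%s\n", NR, $0; bad = 1
                gsub(/[ \t]/, "", name)   # still check the spelling below
            }
            # A misspelled directive makes vsftpd fail with little warning.
            if (!(name in ok)) { printf "%d:unknown-directive:%s\n", NR, name; bad = 1 }
            # "directive=XXX # comment" is not supported by vsftpd.
            if (value ~ /[ \t]#/) { printf "%d:inline-comment:%s\n", NR, $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input (not taken from a real server).
write_sample_conf() {
    cat > "$1" <<'EOF'
# Sample vsftpd.conf (constructed for this example)
anonymous_enable=NO
local_enable=YES # allow local users
chroot_local_usr=YES
write_enable = YES
xferlog_enable=YES
EOF
}

# Demo run on the sample; a real check would pass /etc/vsftpd/vsftpd.conf.
tmp=$(mktemp)
write_sample_conf "$tmp"
lint_vsftpd_conf "$tmp" || echo "vsftpd.conf has problems; fix them before restarting vsftpd"
rm -f "$tmp"
```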
The wu-ftpd FTP server can be downloaded (binary or source) from its home page at http://wu-ftpd.org
There are three kinds of FTP logins that wu-ftpd provides:
anonymous FTP - one logs in with the username 'anonymous'
real FTP - log in with a real username and password and has access to the entire disk structure
guest FTP - one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. They are constrained to their home directory which also means that they don't have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set up.
This tutorial covers "guest" FTP configuration.
The file /etc/ftpaccess controls the configuration of ftp
guest_enable=NO - Don't remap user name
ftpd_banner=Welcome to Super Duper Hosting - Customize the login banner string
chroot_local_user=YES - Limit user to browse their own directory only
chroot_list_enable=YES - Enable list of system / power users
chroot_list_file=/etc/vsftpd.chroot_list - Actual list of system / power users
A NOTE TO USERS UPLOADING FILES:
File names may consist of letters (a-z, A-Z), numbers (0-9),
an under score ("_"), dash ("-") or period (".") only
The file name may not begin with a period or dash
[root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
WU-FTPd and FTP user account configuration:
# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
class all real,guest *
email webmaster@your-domain.com
loginfails 5