Securing the FTP service on HP-UX: Introduction to the ftpaccess file
By Chris Wong


In the past there were only a few supported configuration options available for configuring the File Transfer Protocol (FTP) service on HP-UX. Today, HP-UX supports additional security methods developed by the Washington University in St. Louis. System administrators are familiar with using the /var/adm/inetd.sec file to allow or deny access based on hostname or IP address. The use of the ftpusers file is also commonly used to maintain a list of users who are denied access to the FTP daemon. This list usually consists of system users, such as root. On HP-UX 11i and on patched versions of HP-UX 11, several new files are available for the configuration and security of FTP.


The FTP configuration file is the ftpaccess file. It resides in the /etc/ftpd directory. If you do not currently have one, make a copy from the one located in the newconfig directory:


On HP-UX 11:

# cp /usr/newconfig/etc/ftpd/ftpaccess /etc/ftpd/ftpaccess

On HP-UX 11i:

# cp /usr/newconfig/etc/ftpd/examples/ftpaccess /etc/ftpd/ftpaccess


The FTP daemon will not use the configuration file until the /etc/inetd.conf file is edited to include the following:


ftp      stream tcp nowait root /usr/lbin/ftpd ftpd    -a /etc/ftpd/ftpaccess


Replacing the lowercase “a” with the uppercase “A” will disable the use of the FTP configuration file.  For the Internet Daemon to read this new configuration setting, you must run inetd with the “-c” option. (inetd –c). The following are examples of a few of the options available in the configuration file:




          noretrieve /etc/passwd /etc/group core .netrc .rhosts


            Files listed after the noretrieve option are files that cannot be retrieved with FTP.  When only the file name is specified (as with core, .netrc, and .rhosts), then no files on the system with that name can be retrieved. When the full pathname is used (as in /etc/passwd and /etc/group), that specific file cannot be retrieved. In this example, /etc/passwd could not be retrieved but a file named /tmp/passwd or /etc/passwd.old could be retrieved.




          deny ctg500g /etc/ftpd/ctg500g_denymsg


            The deny option is used to deny access to a particular host or a group of hosts. In addition, a message can be displayed to the client attempting FTP access. The “!nameserved” parameter can also be used as the hostname to prohibit access to sites who do not have a working nameserver.  Note that the parameter ends in “d”, not “r”.




          loginfails 2


          The loginfails option is used to limit the number of FTP login attempts before the connection is terminated. The default value is 5.




          banner           /etc/ftpd/banner_msg


          This displays a banner to the client prior to the name prompt.




          message /home/ftp/etc/message_msg        login


          The contents of the message file are displayed to the client after successful login. You may note that I placed this message file in a different directory. The message file must be placed in a directory that grants the client execute access. The permissions on the /etc/ftpd directory do not allow the client (other) execute access. However, the /home/ftp/etc directory does, so I placed the message file here. The sample ftpaccess file uses the /etc/msgs directory, this directory is not automatically created.  The banner file can be placed in the /etc/ftpd directory since it is the FTP daemon that is reading this file, not the client (they have yet to login). The minimum file permissions on the message file are 444.


          The message option has additional parameters that can be used with it. The message file can contain what is known as “macros” or “magic cookies”. Basically, these are variables for information such as the local date/time and the local host name. There are several variables available.  In the following example, 3 of these variables are used in the message_msg file:


Hello %U from %R.

The current time is %T

          Service will be down for maintenance on Sunday.


          The following is displayed to the user named user100 from a host named ctg800:


230-Hello user100 from ctg800.

          230-The current time is Wed Jan 22 16:49:42 2002

          230-Service will be down for maintenance on Sunday








          readme          /home/ftp/pub/filex   login


          When the file exists, the user is told when it was last modified.


          These few examples are just some of the many options available. They can all be viewed by reading the man page for ftpd. (man 4 ftpd). One of the parameters that is available to use with many of the options is called class. A class is a grouping of hosts.  At the beginning of the ftpaccess file you should define the classes. In the following example, a class named “prod” is created. This class is for the production servers.


          class   prod    real     ctg700 ctg701


          The entry “real” describes the type of users. Anonymous, guest, and real are the three types of FTP users. Following the user type is the list of members. In this example there are two hosts in the prod class. Now that we have created a class, let’s see how we can use it with the message option:




          message        /home/ftp/etc/message_prodmsg  login   prod


            When an option supports a class, only the listed class(es) use the option. Each option can have multiple entries. In the above example, the message (message_prodmsg) is only displayed to clients who connect from either of the production boxes (ctg700 or ctg701). Note that the name of the message was changed to include the name of the class. You will want to do this since you can have multiple message statements using different classes. Let’s look at another option:




          limit    prod   2         Any     /home/ftp/etc/limit_prodmsg


          The limit option grants the administrator the ability to limit the number of FTP sessions. When the class option is used, the limit can be assigned per class. In this example we are limiting the production class to 2 concurrent FTP sessions. The “Any” refers to “Any week day”.  Limits can be set for various days and times. For example, Fr0900-1700, can be used for Friday between 9:00AM and 5:00PM. A value of –1 indicates unlimited sessions. That value can be used to allow unlimited FTP access during certain hours and a 0 value could be used with another limit entry for hours when FTP access is not wanted.


When creating classes the order is important. A host can only belong to one class. The first class it can become a member of will be its class. If you are unsure of which class a host is assigned to, simply create a message entry for each class. In the message text state the class name.


Next time we will go over additional features of the ftpaccess file as well as the ftphosts and ftpgroups files.


Chris Wong is a technical consultant and trainer based in Bellevue, WA. She is the author of the HP Press book HP-UX 11i Security.

All Rights Reserved, Copyright 2000 - 2002, TechTarget is a search service provided by TechTarget and is completely
independent of and not affiliated with Hewlett-Packard Company.