Alternatives to FTP
As we have mentioned, turning on the FTP server makes your machine more vulnerable to attacks from the outside. There are other, more secure options you could consider using as alternatives to FTP.
scp and sftp
If you turn on the SSH server, two alternatives become available. You could transfer files either with secure copy (scp) or secure FTP (sftp). Transfers made using scp or sftp are encrypted, thereby providing an extra level of security. With FTP, passwords are transmitted in clear text, adding yet another vulnerability to FTP itself.
With the SSH server turned on, you will be able to transfer files to other machines running SSH servers. Likewise, those machines will be able to transfer files to your machine using scp or sftp. In addition, there is a freely available Mac OS client that has built-in scp capabilities. For PCs, there is a client which has a built-in sftp client. Running SSH removes almost any need for an FTP server. We will discuss SSH in detail in Chapter 26, "Remote Administration."
FTP and SSH
As you might recall, the wu-ftpd can be built as an anonymous-only FTP server. If your real users are transferring files via scp or sftp, but you still have a need to distribute files to anonymous users, you might then consider compiling an anonymous-only FTP server and running that alongside your SSH server.
Regularly checking the anonymous FTP area for any irregularities and keeping your wu-ftpd current are still important.
Tunneling FTP over SSH
If, for whatever reason, running the SSH server is not sufficient to meet your users' needs, you could further exploit wu-ftpd's configurability by creating a real users–only FTP server, using the --disable-anonymous compile-time option. In addition, you will probably need the --disable-pasvip option to get the tunneling to function properly. Then you could have your users tunnel their FTP connections to the FTP server via SSH. In the next chapter, we will discuss in detail how to set up a client to tunnel an FTP connection.
To make tunneling work on the server side, you have to wrap the FTP server to accept connections only from itself. The easiest way to set up the restriction is to make use of the TCP Wrappers program that comes with the OS X distribution.
In a FreeBSD-style /etc/hosts.allow file, you would do this with this syntax:
in.ftpd: <machine-IP> 127.0.0.1 localhost: allow
in.ftpd: ALL: deny
If you also need to have an anonymous FTP server running, you could build one anonymous-only FTP server running on the standard FTP ports (21 for ftp, 20 for ftp-data). As you have seen, you don't need to edit anything anywhere to run an FTP server on the standard ports. Then you could build a real users-only FTP server and run it on an alternative set of ports. For ease of administration, it is a good idea to have each FTP server installed in a distinctly separate location. For example, you could install your anonymous FTP server in /usr/local/ftp and your real users FTP server in /usr/local/wuftp. Pick a close set of unused port numbers. Edit the services directory of the NetInfo database to include the alternative services. You could call them something like wuftp and wuftp-data. Whichever port number you assign to the wuftp service is the one that the client would tunnel. Name the alternative FTP server itself something similar to the service name, such as wuftpd. It will automatically be installed as in.ftpd in whatever location you specify, but you can rename that file. Then wrap the alternative FTP server so that it accepts connections only from itself, but allow all machines access to the anonymous FTP server.
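The wrapping described above for the two-server setup can be checked before it goes live. The following is an added example, not code from the book: it models only the ALL wildcard and literal IPv4/hostname tokens of the FreeBSD-style rule syntax with first-match semantics, and it assumes 192.0.2.10 in place of <machine-IP> and wuftpd as the renamed real users server.

```python
# Simplified model: "daemon: clients: option" lines, ALL and literal tokens only.
# Constructed sample: 192.0.2.10 stands in for <machine-IP>; "wuftpd" is the
# renamed real-users server, "in.ftpd" the anonymous-only one.
SAMPLE = """\
wuftpd: 192.0.2.10 127.0.0.1 localhost: allow
wuftpd: ALL: deny
in.ftpd: ALL: allow
"""

def parse_rules(text):
    """Return [(daemons, clients, verdict)] from 'daemon: clients: option' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {raw!r}")
        verdict = "deny" if "deny" in fields[2:] else "allow"
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split(), verdict))
    return rules

def decide(rules, daemon, client):
    """First matching rule wins; None means no rule matched, in which case
    tcpd goes on to hosts.deny and finally grants access."""
    for daemons, clients, verdict in rules:
        if (("ALL" in daemons or daemon in daemons)
                and ("ALL" in clients or client in clients)):
            return verdict
    return None

def audit_local_only(rules, daemon, local, probe="203.0.113.5"):
    """List problems for a daemon that must be reachable only from `local`.
    `probe` is a constructed outside address."""
    findings = []
    for addr in local:
        if decide(rules, daemon, addr) != "allow":
            findings.append(f"{addr}: tunnel endpoint refused")
    named = {c for d, cs, _ in rules if daemon in d or "ALL" in d for c in cs}
    for addr in sorted((named | {probe}) - set(local) - {"ALL"}):
        if decide(rules, daemon, addr) != "deny":
            findings.append(f"{addr}: reachable without the tunnel")
    return findings

if __name__ == "__main__":
    local = ["192.0.2.10", "127.0.0.1", "localhost"]
    print(audit_local_only(parse_rules(SAMPLE), "wuftpd", local))
```

An empty list means the real users server answers only to the host itself; a rule set without the catch-all deny line is reported because an unmatched client falls through to access being granted.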
If you also decide to run OS X's built-in firewall, ipfw, you will have to add statements to allow ipfw to grant access to the alternative FTP server. In addition, set the passive ports control in the ftpaccess file to a range of ports, such as 15001–19999. Then add a statement to the rules for ipfw to allow access to whatever range of ports you specified with passive ports. You might find that you have to keep tweaking your ipfw, and anonymous and real FTP configurations, until everything works in harmony. Be sure to check your logs as you are doing this. They are more informative than you might realize now.
Don't worry if the wrapping concept or ipfw seems confusing right now. Use of TCP Wrappers and ipfw is discussed in Chapter 31. These details are mentioned here so that you can quickly find a summary of the important information about running two FTP servers in one place. In short, scp and sftp should suit most of your needs. We recommend that, where possible, you use scp and sftp instead of running an FTP server.
If you decide to run the types of FTP servers suggested in this section, you might find that guest accounts do not work.