[nycbug-talk] Anonymous ftp upload questions

[michael]

On Mon, 22 Aug 2005 10:54:34 -0400
Marco Scoffier <marco at metm.org> wrote:

> Hello all, 
> 
> I have set up an ftp server to get people to upload large files
> (images, videos).  I was debating how to do this for a while, and
> decided that because of the technical naivet? of the uploaders,
> anonymous ftp would be the way to go, I do have an http upload page
> but some large files are 750M+ and ftp at least does resume partial
> uploads.
> 
> Anyway I setup vsftpd, to allow anonymous uploads and block all
> downloads (don't want the warez kiddies using the server as a drop off
> point).  But I am getting quite a few obvious warez uploads of
> 1mbtest.ptf and space.asp which looks like a script to get the
> characteristics of the server, which won't work because there is no
> http access to the machine.
> 
> None of the uploads work, but I am kind of annoyed at these test
> uploads, but I'm thinking there is very little I can do about this. 
> Any ideas? Anyone else have a similar set up?  Would you set up a no
> privaledges account, rather than go anonymous, seems like more of a
> hassle to risk having a real user id and password, even with really
> restricted privs, going out over ftp.
> 
> Thanks,
> 
> -- 
> Marco

I run vsftp on FreeBSD, it is great stuff.  Anon is tough, I block it. 
vsftp has a lot of flexibility, why not create a single user for them to
upload?  I set their password using mysql auth, so no shell access.  You
can use vsftp to tweak their rights.

Add group to /etc/groups ftpusers:*:201:ftpsecure
1. vipw and create account including group 201, 
ftpuser:*:1007:201:User&:/usr/local/ftp/ftpuser:/nonexistent

2. create directory in /usr/local/ftp and chown to new user

3. update the password database, (using mysql auth)

4. test

Michael