NcFTPd : Frequently Asked Questions : Configuration

 

NcFTPd seems to listen on all IP addresses for the machine.  Can I configure NcFTPd so it only listens on certain addresses?

NcFTPd always listens on all the addresses (i.e. it binds to the wildcard address).  It would require major work to get it to listen on two or more specific addresses while maintaining efficiency.

The recommended work-around is to make your default domain (the first one listed in domain.cf) a degenerate domain with server-type=disabled. The default domain is the entry NcFTPd uses for any connection that does not match a more specific domain, so follow it with regular domain entries for each address on which you do want to offer FTP. Users who connect to an address you have not listed then get a "Sorry, logins are not allowed here" reply instead of a login prompt. Note that this controls logins, not listening: the daemon still accepts the TCP connection on every address, so port 21 still shows as open on the addresses you have disabled.

If you want to listen on exactly one address, an alternative is the single-server-address option. It is a general.cf option, so it applies globally, which means domain.cf must contain exactly one domain: the one that configures the single IP address you want to listen on.

Can NcFTPd utilize two or more networking interfaces in a multi-homed machine?

Yes.  Just set up each IP address as a separate “domain” in the domain.cf.  For testing, it's often useful to have one domain entry be the IP address of an ethernet adapter, and another be the IP address of the loopback (127.0.0.1).

What’s a good way to prevent the same user from logging in 10 times and hogging 10 connections to himself?

NcFTPd can limit connections from the same IP address, using the max-users-per-ip option.

How do I disable “ls” so a user can’t browse the directory structure?

You can experiment with removing the user's read permission on the directories you want to hide. That prevents listing but still allows traversal to files whose names are known, and it breaks a lot of FTP clients, which expect to be able to list the directory they are in.

How do I force a user to use a web browser rather than an FTP client? I don’t want them to be able to access the same file once they know where it is on the server.

This is cumbersome, but it can be done if you really must. One reason you might want to do it is to make the user agree to a license agreement before you let them download: you don't want them to bookmark the URL and give it to their friends, who could then download the file without having read the license agreement on your web site.

Here’s how you can do this.  First, here is the sample directory structure:

$ /bin/ls -laR
.:
total 56
drwxr-xr-x  14 root     root         4096 Feb  7 06:21 .
drwxr-xr-x  20 root     root         4096 Jan 30 15:46 ..
d--x--x--x   3 root     root         4096 Feb  7 06:24 private

private:
total 12
d--x--x--x   3 root     root         4096 Feb  7 06:24 .
drwxr-xr-x  14 root     root         4096 Feb  7 06:21 ..
drwxr-xr-x   2 root     root         4096 Feb  7 06:23 obfuscated_dir
lrwxrwxrwx   1 root     root           14 Feb  7 06:24 tmp_qrxt7zw -> obfuscated_dir

private/obfuscated_dir:
total 20
drwxr-xr-x   2 root     root         4096 Feb  7 06:23 .
d--x--x--x   3 root     root         4096 Feb  7 06:24 ..
-rw-r--r--   1 root     root        11258 Feb  7 06:23 myfile.zip

Note that there is a "private" directory which is mode 111 (traversable, but neither readable nor writable), so an FTP user can enter it but cannot list it. In this listing root owns everything, and root can create links in the directory regardless of the mode bits. If your CGI program and cron job run as some other account, that account must own "private" and needs write permission on it (and read permission, if the purge uses find), so use mode 711 with that account as the owner; everyone else still gets only traverse permission.

Inside that directory is a directory called "obfuscated_dir", which contains the file (myfile.zip) that you want to restrict access to. There is also a symbolic link named "tmp_qrxt7zw", which is the temporary link created for one download.

The trick is to have your CGI program on the web server create a randomly-named symbolic link to "obfuscated_dir", and then send the user to a URL that goes through the temporary link, such as ftp://www.example.com/private/tmp_qrxt7zw/myfile.zip. Generate the name from a cryptographic random source and make it long enough that it cannot be guessed while the link exists; because "private" is unlistable, the name is the only thing standing between the file and anyone who does not have the URL.

Finally, set up a cron job that removes links older than a short lifetime. Then, even if the user saved the URL, it stops working once the cron job has purged the link. Keep the lifetime as short as your users' downloads allow, since anyone who is given the URL during that window can use it.

Users with a regular FTP client cannot reach the file unless they know the name of the obfuscated directory, because the "private" directory is unlistable. That directory name is the permanent path to the file, so it must be kept as secret as the link names.
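The procedure above, as an added shell example that is not NcFTPd code and is not from the original page: it builds the tree from the listing, creates a temporary link whose name is drawn from /dev/urandom, and purges links older than a lifetime the way the cron job would. The function names, the "tmp_" prefix and the 10-minute lifetime are assumptions. It gives "private" mode 711 rather than the page's 111 so that a non-root account which owns the directory (the CGI and cron user) can create and find links while every other user, including the FTP user, gets traverse permission only.

```shell
#!/bin/sh
# Added example: short-lived download links for an FTP tree, modelled on the
# "private/obfuscated_dir" layout in the listing above.  Not part of NcFTPd.
set -eu

# Lay out the tree.  Assumption: the account running this script owns
# "private" and is the one that creates and purges links, so it gets rwx;
# everyone else (including the uid the FTP session runs as) gets x only and
# therefore cannot list the directory.
setup_tree() {
    root=$1
    mkdir -p "$root/private/obfuscated_dir"
    printf 'constructed sample payload\n' > "$root/private/obfuscated_dir/myfile.zip"
    chmod 0755 "$root/private/obfuscated_dir"
    chmod 0644 "$root/private/obfuscated_dir/myfile.zip"
    chmod 0711 "$root/private"
}

# Print "tmp_" plus 32 hex characters (128 bits) read from /dev/urandom.
# The page's 8-character example is short; use a CSPRNG and enough length,
# never $RANDOM, a PID or a timestamp, since the name is the whole secret.
random_name() {
    printf 'tmp_%s' "$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')"
}

# Create the temporary link and print its name, which the CGI puts into the
# URL (ftp://host/private/<name>/myfile.zip).  The target is a relative path,
# as NcFTPd requires for links inside a restricted tree.
make_download_link() {
    root=$1
    name=$(random_name)
    ln -s obfuscated_dir "$root/private/$name"
    printf '%s\n' "$name"
}

# What the cron job does: delete links directly under "private" that are
# older than $2 minutes.  find does not follow symlinks, so -mmin tests the
# link's own mtime; -name keeps obfuscated_dir itself out of reach of -delete.
purge_stale_links() {
    root=$1; ttl_min=$2
    find "$root/private" -maxdepth 1 -type l -name 'tmp_*' -mmin +"$ttl_min" -delete
}

# Returns 0 if the file is still reachable through the given link name.
link_works() {
    root=$1; name=$2
    [ -r "$root/private/$name/myfile.zip" ]
}

# Demo in a scratch directory (set DEMO=0 to skip).
if [ "${DEMO:-1}" = 1 ]; then
    demo=$(mktemp -d)
    setup_tree "$demo"
    n=$(make_download_link "$demo")
    echo "hand this to the browser: ftp://www.example.com/private/$n/myfile.zip"
    link_works "$demo" "$n" && echo "download through the link works"
    purge_stale_links "$demo" 10
    link_works "$demo" "$n" && echo "a fresh link survives the purge"
    touch -h -t 202001010000 "$demo/private/$n"   # age the link past the lifetime
    purge_stale_links "$demo" 10
    link_works "$demo" "$n" || echo "aged link purged; the saved URL is dead"
    rm -rf "$demo"
fi
```

The cron entry would call purge_stale_links every few minutes with the same lifetime the CGI advertises to the user; the lifetime, not the file permissions, is what limits how long a leaked URL stays useful.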

How high can I set my NcFTPd max-users in the general.cf?

As high as your system supports. The first problem you may run into, especially on Solaris (where it errors out with max-users above 300 at the default kernel settings), is running out of shared memory space; you can raise that limit by tuning your kernel.

As a rule of thumb, (M – 32) * 2 is an approximate maximum number of users you can run under NcFTPd, where M is the amount of physical RAM on the machine in megabytes (do not count swap or virtual memory). So, with 512 MB of RAM, a practical max-users would be about 960 if the machine did nothing but FTP. If you really plan on pushing the envelope of your machine's capabilities, experiment with your particular configuration to arrive at the right number for your machine. It would be a big mistake to set an arbitrary number without having verified yourself that the machine can handle the load; it is your server that falls over if you guess wrong.

Can I configure NcFTPd so that certain symbolic links are allowed that point outside of the home directory of a restricted user?

No; symbolic links that point outside the home directory are not allowed, period.

Symbolic links inside the user's home directory work, but their targets must be relative pathnames, not absolute ones. This is what keeps a restricted user's tree closed: a link that could carry an absolute target would let the user reach the rest of the filesystem.

How do I hide .dotfiles from users?

Currently NcFTPd hides files that begin with a period from anonymous users, but not from regular users. There is no configuration option to change this behavior.

How can I allow users to create directories in the /incoming directory?

Currently you can't, if you're letting NcFTPd do its special handling of incoming directories (a-allow-incoming=yes). You could do incoming directories the old-fashioned way (a-allow-incoming=no and a-write-permission=yes), but you would lose more benefits than you gain.

Can NcFTPd run as some other user rather than root?

Early versions of NcFTPd could run as "ftp", since the server supported only anonymous logins. Current versions must switch back and forth between root and the logged-in user's privileges, so running as anything but root is not feasible.

How can I get my FTP server to work with my firewall?

The File Transfer Protocol and firewalls do not coexist well. Luckily, firewalls, NAT devices, load-balancers and proxies handle FTP and its quirks better each year. Please see our article titled "The FTP and Your Firewall / NAT / Load-Balancing Router" for details on the problems and what you can do about them.

How can I configure NcFTPd to use a specific port range for passive data connections?

The best way is not to configure NcFTPd at all, and instead let the FTP server machine's operating system manage how ephemeral ports are allocated; this gives the best performance and the most reliable passive data connections. See our article "The Ephemeral Port Range" for details on how to do this.

You can also have NcFTPd choose the ports itself, using the ephemeral-port-range option; however, that option works neither as efficiently nor as reliably as the operating system's own port management.

Whichever way you configure it, the range must be at least 2000 ports wide (so do not expect to get away with opening ten ports on the firewall for FTP), and the firewall must allow inbound TCP to that whole range on the server's address, in addition to port 21 for the control connection.
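A check for the OS-managed case, added here as an example that is not NcFTPd code: it reads the Linux ephemeral range (net.ipv4.ip_local_port_range is the real sysctl; the helper names are assumptions), verifies that the range is at least 2000 ports wide, ordered and above the privileged ports, and prints the one inbound rule the firewall needs for passive data connections. The rule is written in iptables syntax with a documentation address standing in for the server's IP; adapt it to your device.

```shell
#!/bin/sh
# Added example: validate the ephemeral port range that passive FTP data
# connections will use and derive the matching firewall rule.  Not NcFTPd code.
set -eu

MIN_RANGE_WIDTH=2000   # from the FAQ: anything narrower will not work

# Print "lo hi" for the kernel's ephemeral range.  The optional argument is a
# path so a constructed file can be substituted when Linux's /proc is absent.
current_range() {
    path=${1:-/proc/sys/net/ipv4/ip_local_port_range}
    tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//'
}

# Number of ports in an inclusive range.
range_width() {
    echo $(( $2 - $1 + 1 ))
}

# Return 0 if the range is usable for passive FTP: both bounds numeric,
# above the privileged ports, within 16 bits, ordered, and wide enough.
range_ok() {
    lo=$1; hi=$2
    case "$lo$hi" in *[!0-9]*) return 1;; esac
    [ -n "$lo" ] && [ -n "$hi" ] \
        && [ "$lo" -gt 1023 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] \
        && [ "$(range_width "$lo" "$hi")" -ge "$MIN_RANGE_WIDTH" ]
}

# The inbound rule needed besides port 21: the whole range, TCP, to the
# server address given as $1 (assumption: iptables on the FTP host).
firewall_rule() {
    printf 'iptables -A INPUT -p tcp -d %s --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2" "$3"
}

# Demo against the running kernel, when it exposes the range.
if [ "${DEMO:-1}" = 1 ] && [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
    set -- $(current_range)
    if range_ok "$1" "$2"; then
        echo "ephemeral range $1-$2 ($(range_width "$1" "$2") ports) is wide enough; open it:"
        firewall_rule 192.0.2.10 "$1" "$2"   # 192.0.2.10 is a placeholder address
    else
        echo "ephemeral range $1-$2 is too narrow or invalid; widen it, for example:"
        echo '  sysctl -w net.ipv4.ip_local_port_range="49152 65535"'
    fi
fi
```

Run the check after every kernel or firewall change: the failure mode it catches is a range that was narrowed on one side (kernel or firewall) without the other being updated, which shows up as passive transfers that hang on the data connection while the control connection still works.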

 
