Ordinarily, we have put our faith in Apple when it comes to providing secure and reliable open-source tools as part of the Mac OS X bundle. The FTP service is the exception. Here are a few reasons why. While an FTP server is bundled with the latest version of Panther, at least one well-respected commentator has noted that Apple completely broke the FTP server with a security update in September, 2004. While it was subsequently fixed, the scenario suggests that minimal, if any, testing of FTP was undertaken by Apple as new security updates were released. Given the long history of security problems with FTP services in general, this is more than a little disturbing if you enjoy a good night’s sleep. The bundled FTP server also is extremely limited in the access methods and scope of access it supports. If you want more detail, here’s a link to O’Reilly’s MacDevCenter article that will tell you more than you ever wanted to know. The final straw which has led us to support a different FTP server solution is the flawless security record of one, and only one, FTP server. Pure-FTPd comes with a default configuration which is secure and there has never been a reported buffer overflow problem with the product.
That’s the science. Now some practical advice. FTP is by definition an insecure protocol for transferring files and data. It was developed during a simpler time when the Internet was limited mostly to college professors and students who had some respect for one another. User names and passwords are sent as plain text across the big bad Internet … and so is the data. So, unless you like living dangerously and have a good backup, don’t use FTP on mission-critical systems. You also need to stop and think WHY you need FTP. If you only want to put a file repository online and don’t need to add and delete files except when you are colocated with your server, then use this free HTTP/PHP solution by dropping these two files in a folder on your web server. Then edit the descriptions text file to describe each file in the directory, inserting a tab between the file name and the description. It doesn’t get much easier than that.
If you really must use FTP, configure the server to support access with different user names and passwords than those used to log in to your Mac locally. And, speaking of logs, check your FTP logs frequently to make certain you don’t have a security problem. A missing log would be a fairly good hint that something is amiss. Finally, minimize as best you can the access provided to FTP users (including yourself) and also restrict how much FTP users can upload to ensure that some bad guy can’t trash your machine by simply filling it up with worthless data until your hard drive gags. You can further reduce your security exposure by coupling FTP access with a secure protocol such as SSH (which we already have addressed) or FTP-SSL/TLS. The latest FTP client versions of Transmit (our personal favorite) and RBrowser both support FTP-SSL/TLS.
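Here is an added example (not part of the original article or of the Pure-FTPd project) of the kind of routine log review suggested above: it flags repeated login failures per source address, lists uploads made by the anonymous account, and treats a missing or stale log file as a warning in its own right. The sample log lines are constructed, and the syslog-style line format they imitate is an assumption; adjust the regular expressions to match what your own log actually shows.

```python
import os
import re
import time
from collections import Counter

# Constructed sample lines in a syslog-style format modelled on Pure-FTPd's
# messages (assumed format; adapt the regexes to your own log entries).
SAMPLE_LOG = """\
Mar  3 09:12:01 mac pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [admin]
Mar  3 09:12:03 mac pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [root]
Mar  3 09:12:05 mac pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [test]
Mar  3 09:15:40 mac pure-ftpd: (?@198.51.100.4) [INFO] New connection from 198.51.100.4
Mar  3 09:15:41 mac pure-ftpd: (ftp@198.51.100.4) [INFO] ftp is now logged in
Mar  3 09:15:50 mac pure-ftpd: (ftp@198.51.100.4) [NOTICE] /incoming//tools.zip uploaded  (4096 bytes, 12.3KB/sec)
Mar  3 09:20:11 mac pure-ftpd: (bob@192.0.2.7) [INFO] bob is now logged in
"""

AUTH_FAIL = re.compile(r"\(\?@([\d.]+)\) \[WARNING\] Authentication failed for user \[([^\]]*)\]")
UPLOAD = re.compile(r"\((\w+)@([\d.]+)\) \[NOTICE\] (\S+) uploaded")


def review_log(text, fail_threshold=3):
    """Return (suspicious_ips, anonymous_uploads) for the given log text.

    suspicious_ips maps a source address to its failed-login count when that
    count reaches fail_threshold; anonymous_uploads lists paths uploaded by
    the anonymous account (logged here as user 'ftp', an assumption)."""
    failures = Counter()
    anon_uploads = []
    for line in text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = UPLOAD.search(line)
        if m and m.group(1) == "ftp":
            anon_uploads.append(m.group(3))
    suspicious = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return suspicious, anon_uploads


def log_is_healthy(path, max_age_seconds=86400):
    """A missing or stale log is itself a hint that something is amiss:
    return False if the file does not exist or was not written within max_age."""
    if not os.path.exists(path):
        return False
    return (time.time() - os.path.getmtime(path)) <= max_age_seconds


if __name__ == "__main__":
    bad_ips, anon = review_log(SAMPLE_LOG)
    print("repeated login failures:", bad_ips)
    print("anonymous uploads:", anon)
    print("log present and fresh:", log_is_healthy("/var/log/ftp.log"))  # path is an assumption
```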
Installing PureFTPd. There are several ways to install PureFTPd on your Mac. As usual, we’ll opt for the easy route and use a free tool which is one of the best pieces of Mac software on the planet, PureFTPd Manager. It not only installs PureFTPd, but it also provides Rendezvous support and an incredibly simple Cocoa frontend to manage everything on your new FTP server: anonymous access, authentication methods, bandwidth usage, and much, much more. To begin, download PureFTPd Manager. Double-click on PureFTPd Manager.mpkg to begin the install from your desktop. Follow the prompts and accept all the defaults unless you’re installing on a version of Mac OS X other than Panther, v10.3. Once the installation completes, run the application from your Applications folder. Enter your admin password when prompted. Now we’ll configure your new FTP server by deciding whether to activate anonymous user access and whether to support virtual users. We’ll also configure logging and virtual hosts if you want to support them.
Anonymous and Virtual User Access. We recommend you at least configure anonymous user access. Then it can be disabled. By configuring it, PureFTPd Manager will create a folder for anonymous users and set up the necessary permissions. Leave the defaults and click Continue. We also want to set up a mechanism for adding virtual users. These are users that you create to allow FTP access only to your system. They do not have regular Mac accounts. Click Continue to set up the necessary permissions for these accounts. Check all three check boxes under Server Logging and click Continue. In the System Settings screen, leave the defaults and click Continue. Finally, click the Configure button to complete your installation. Be patient while your install is completed. It can take a minute or two so don’t get nervous and start clicking a bunch of buttons. Once the installation completes, you will be presented with the PureFTPd Manager interface. If you plan to use this software regularly, do us all a favor and send $20 to the author. It encourages more great products like this one.
Managing Your FTP Server. You can start up and shut down PureFTPd in a couple of ways. The easiest is by checking or unchecking the FTP Server option in System Preferences->Sharing. Yes, PureFTPd has now replaced the default Panther FTP server in System Preferences. You also can start and stop the server by running PureFTPd Manager from your Applications folder and clicking on the Start and Stop buttons in the Server Status screen. We recommend you turn off anonymous FTP access until you really, really need it. Click Preferences and then Anonymous. To disable uploads, check the appropriate box. To disable all anonymous access, check Disable Anonymous Access. Note that you also can control bandwidth and storage space for anonymous users. For now, just disable it. Then click Show All to return to the main Preferences menu.
Managing Virtual Users. From the Server Status screen, click on User Manager and then New to create a new virtual user for your FTP server. Assign a login name and password, specify a home directory, and click Restrict User to Home Directory. If you want to restrict the user to a specified time period for access, specify the start and end time. Otherwise, click Disabled. Under the Virtual Folders tab, you can give the user access to other folders and specify the scope of access. Under the Transfers tab, you can limit bandwidth and disk storage for this user. Under the Other tab, you can create a customized Welcome Banner and restrict IP addresses for this user.
Creating a Secure FTP Server. If you want to implement FTP-SSL/TLS support for your new server, choose Preferences then SSL/TLS Sessions. Click Create a Certificate then Go Self-Signed. Fill in ALL of the certificate entries and specify a duration for your certificate (3000 works!). Now activate TLS access by choosing either Mixed Mode (for TLS and traditional FTP access) or TLS Only (clear text sessions will be refused). Restart the FTPd daemon when prompted. Then connect using one of the FTP clients we identified above that supports TLS access. For more detailed instructions on configuration of your server, read the MacDevCenter article here.
Last But Not Least. Keep in mind that if your Mac is behind a hardware-based firewall, you will need to configure the firewall to map the FTP ports to the internal IP address of your Mac. Read the firewalling section of the PureFTPd FAQ. We covered the basics in our Going Live! article. We’ll close today with our strongest recommendation yet. Turn off FTP services except when absolutely necessary unless you are restricting your FTP access to TLS connections only with no anonymous access.
Coming Events. We’re excited as you undoubtedly are that Apple’s new Tiger operating system for the Mac is just around the corner. Just a heads up that we plan to switch gears once Tiger is released and cover all of the tutorials we’ve written about thus far focusing on what’s involved in a new Tiger install. If prior OS releases are an indicator, then Tiger will bring a few surprises. To celebrate the release, we’ll be starting with a brand-new Mac with Tiger freshly installed. And, if you haven’t noticed in the right column, we’re adding a new web site, Tiger Vittles, to focus exclusively on installation and configuration of open source applications for the new Tiger OS. We hope you’ll join us for the celebration.