41.5. Managing User Classes

The FTP server categorizes clients into classes based on their source addresses and types of login. Classification can be used in several different places in the WU-FTPD configuration to define settings that apply only to certain clients. It can also be used to block non-anonymous logins (or even all logins) from outside your network. This can be useful if you only want to allow certain trusted hosts to upload data to your server and let anyone on the Internet log in anonymously to download.

Each class has a name, a list of login types, and a list of client addresses, hostnames, or networks. Only clients that match both the login types and the addresses are considered to be in the class. If more than one class is matched, the first one is used. Clients that do not fall into any class are not allowed to use the FTP server.

The following three types of logins are recognized by WU-FTPD:

UNIX: Normal UNIX users, who can also log in via telnet or SSH. They can access all files on the system with their regular permissions.

Guest: UNIX users who have been designated as guests. These are limited to a directory (usually their home) in the same way that anonymous users are. See Section 41.7 “Setting Up Guest Users” for more details.

Anonymous: Users who log in anonymously are limited to a certain directory.

To define and edit classes using the module, follow these instructions:

1. Click on the Users and Classes icon in the top-left corner of the module's main page. The form shown in Figure 41.2 will appear in your browser.

2. At the top of the page is a table labeled User classes. Each row defines a class and there will always be at least one listed already (typically the all class, which matches all clients). The table always has a single empty row at the bottom for you to add a new class. If you want to add more than one, you will need to create them one at a time. You can edit existing classes by changing their fields, or delete a class by clearing out its name field. Make sure you don't delete them all, though, as this will prevent all users from logging in. The fields for each class are:

Class name: A short name for this class that should consist of only letters and numbers, such as homenet or trusted. More than one row can have the same class name, and a client that matches the user type and addresses in any row will be considered a member of the class.

User types: The types of login that this class matches, as explained above. You must select at least one of the three checkboxes.

Matching addresses: The client addresses that the class matches. You can enter single IPs (like 192.168.1.1), hostnames (like www.foo.com), wildcard IPs and hostnames (like 10.254.1.* or *.example.com), or even paths to files containing more such addresses and hostnames. Multiple entries must be separated by spaces. Negated entries like !*.foo.com are also allowed, which would match all clients whose hostnames are outside the foo.com domain. Be careful when using hostnames, as WU-FTPD must look up clients' hostnames from their IP addresses, and the result of that lookup can be faked by an attacker.

3. When you are done defining classes, hit the Save button at the bottom of the form. You can now use them in other pages in the module.
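The matching rules described in this section (login type and address must both match, the first matching class wins, clients in no class are refused, negated entries) can be checked against a planned class table before saving it. The following is an added example, not part of the original text and not code from WU-FTPD or Webmin: a simplified Python model in which the class lines follow the layout of WU-FTPD's ftpaccess file, where the three login types are written real, guest and anonymous. The class names, addresses and function names are constructed for illustration; entries on one line are assumed to be alternatives, and entries that are file paths are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample in the layout of WU-FTPD "class" lines:
#   class <name> <type>[,<type>...] <address> [<address> ...]
SAMPLE = """
class trusted real,guest  192.168.1.* *.example.com
class nofoo   anonymous   !*.foo.com
class all     anonymous   *
"""

def parse_classes(text):
    """Return [(name, {login types}, [address entries])] in file order."""
    classes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "class":
            classes.append((parts[1], set(parts[2].split(",")), parts[3:]))
    return classes

def entry_matches(entry, ip, hostname):
    """One address entry: wildcard against IP or hostname; a leading '!' negates."""
    negate = entry.startswith("!")
    glob = (entry[1:] if negate else entry).lower()
    hit = fnmatchcase(ip, glob) or fnmatchcase(hostname.lower(), glob)
    return hit != negate

def classify(classes, login_type, ip, hostname=""):
    """Name of the first class matching login type AND address; None means refused.
    Assumption: the entries of a class are alternatives (any one may match)."""
    for name, types, entries in classes:
        if login_type in types and any(entry_matches(e, ip, hostname) for e in entries):
            return name
    return None

if __name__ == "__main__":
    classes = parse_classes(SAMPLE)
    cases = [
        ("real", "192.168.1.7", ""),                    # inside the trusted network
        ("real", "203.0.113.9", ""),                    # outside: no class, refused
        ("anonymous", "203.0.113.9", "a.foo.com"),      # skips nofoo, lands in all
        # Matched only through the name returned by the reverse lookup:
        ("real", "203.0.113.9", "pc.example.com"),
    ]
    for case in cases:
        print(case, "->", classify(classes, *case))
```

The last case shows why hostname entries deserve care: the client's address is outside 192.168.1.*, yet it lands in the trusted class purely on the looked-up name.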
