NcFTPd always listens on all the addresses (i.e. it binds to the wildcard address). It would require major work to get it to listen on two or more specific addresses while maintaining efficiency.
The recommended work-around is to have your default domain (the first one listed in the domain.cf) be a degenerate domain. Set up this domain so that the server-type=disabled. Then be sure to have regular domain entries following the default domain, so that the domains you wish to have access are ready to go. Then, if users FTP to a domain you don’t want to offer FTP access, NcFTPd will reply with a "Sorry, logins are not allowed here" message.
If you want to listen on exactly one address, an alternative solution is to use the single-server-address option. This option is a general.cf option (so it applies globally) which means you must have exactly one domain in the domain.cf which configures your single IP address you want to listen on.
Yes. Just set up each IP address as a separate “domain” in the domain.cf. For testing, it's often useful to have one domain entry be the IP address of an ethernet adapter, and another be the IP address of the loopback (127.0.0.1).
NcFTPd can limit connections from the same IP address, using the max-users-per-ip option.
You can experiment with making the user’s privileges such that the user does not have read permission on the directories you want to hide, but doing that breaks a lot of FTP clients.
This is cumbersome to do, if you really must. One reason you might want to do that is so you can make the user agree to a license agreement before you let them download, and you don’t want them to bookmark the URL and give it to their friends and have them download the file without having read the license agreement on your web site.
Here’s how you can do this. First, here is the sample directory structure:
$ /bin/ls -laR
.:
total 56
drwxr-xr-x 14 root root  4096 Feb  7 06:21 .
drwxr-xr-x 20 root root  4096 Jan 30 15:46 ..
d--x--x--x  3 root root  4096 Feb  7 06:24 private

private:
total 12
d--x--x--x  3 root root  4096 Feb  7 06:24 .
drwxr-xr-x 14 root root  4096 Feb  7 06:21 ..
drwxr-xr-x  2 root root  4096 Feb  7 06:23 obfuscated_dir
lrwxrwxrwx  1 root root    14 Feb  7 06:24 tmp_qrxt7zw -> obfuscated_dir

private/obfuscated_dir:
total 20
drwxr-xr-x  2 root root  4096 Feb  7 06:23 .
d--x--x--x  3 root root  4096 Feb  7 06:24 ..
-rw-r--r--  1 root root 11258 Feb  7 06:23 myfile.zip
Note first that there is a “private” directory which is mode 111 (traversable, but neither readable nor writable).
Inside that directory is a directory called “obfuscated_dir”, which contains the file (myfile.zip) that you want to restrict access to. There is also a symbolic link named “tmp_qrxt7zw”, which is a temporary link.
The trick is to have your CGI program on the web server create the randomly-named symbolic link to “obfuscated_dir”, and then have the CGI send the user to a download URL that goes through the temporary link, such as ftp://www.example.com/private/tmp_qrxt7zw/myfile.zip.
Finally, set up a cron job which removes old links. That way, even if the user remembers the URL from before, they won’t be able to download the file, since the link will have been purged by the cron job.
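The two halves of that procedure (the link the CGI creates, and the purge the cron job performs) as an added shell example; this is not NcFTPd’s code or part of the FAQ, and it assumes the FAQ’s layout of FTP_ROOT/private/obfuscated_dir and a tmp_ prefix for the temporary links:

```shell
#!/bin/sh
# Added example, not from the NcFTPd FAQ. Assumes the layout shown above:
# $FTP_ROOT/private (mode 0111 in the FAQ, so the caller must be allowed to
# create links in it) containing the real directory "obfuscated_dir".
set -eu

# make_temp_link FTP_ROOT
# Creates private/tmp_<random> -> obfuscated_dir and prints the link name,
# which the CGI then embeds in the download URL.
make_temp_link() {
    priv="$1/private"
    [ -d "$priv/obfuscated_dir" ] || { echo "no obfuscated_dir" >&2; return 1; }
    while :; do
        # 128 bits from /dev/urandom: the link name is the only thing standing
        # between an FTP client and the file, so it must not be guessable.
        rnd=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
        name="tmp_$rnd"
        # ln -s refuses to overwrite an existing name, so a collision just
        # loops and draws a fresh name instead of handing out someone else's link.
        if ln -s obfuscated_dir "$priv/$name" 2>/dev/null; then
            echo "$name"
            return 0
        fi
    done
}

# purge_old_links FTP_ROOT MINUTES
# Removes tmp_* symlinks older than MINUTES; this is the cron job's work.
# Only symlinks are matched, so obfuscated_dir itself is never touched.
purge_old_links() {
    find "$1/private" -maxdepth 1 -type l -name 'tmp_*' -mmin "+$2" \
        -exec rm -f -- {} +
}

# count_links FTP_ROOT
# Number of live tmp_* links; handy for checking that the purge is working.
count_links() {
    find "$1/private" -maxdepth 1 -type l -name 'tmp_*' | wc -l | tr -d ' '
}
```

A cron line such as running `purge_old_links /path/to/ftproot 30` every few minutes gives each link a lifetime of roughly half an hour; pick the age to match how long a legitimate download should take.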
Users using a regular FTP client cannot access the file, unless they know the name of the obfuscated directory, since the “private” directory is
As high as your system supports. The first problem you may run into, especially if you’re running on Solaris (i.e. it errs out when you use max-users > 300), is that you may run out of shared memory space, but you can increase this limit by tuning your kernel.
As a rule of thumb, (M – 32) * 2 is an approximate maximum number of users you can run under NcFTPd, where M represents the amount of physical RAM on the machine in megabytes (do not include virtual memory!). So, if you have 512 MB of RAM, a practical max-users would be about 960 if you weren’t doing anything but FTP. If you really plan on pushing the envelope of your machine’s capabilities, you should experiment with your particular configuration to arrive at the correct number for your machine. It would be a big mistake to just set an arbitrary number without you having verified yourself (it’s your ass, remember!) that the machine can handle the load.
No; symbolic links are not allowed outside the home directory, period. You can use symbolic links inside their directory, but they can’t use
Currently NcFTPd hides files that begin with a period from anonymous users, but not for regular users. There isn’t a configuration option to change this behavior.
Currently you can't do this, if you're letting NcFTPd do special handling of the incoming directories (a-allow-incoming=yes). You could do incoming directories the old-fashioned way (with a-allow-incoming=no and a-write-permission=yes), but you'd be losing more benefits than you'd gain.
The early versions of NcFTPd could run as “ftp” since the server did not support regular user logins (anonymous only). Current versions require that NcFTPd switch back and forth from root to user privileges, so it is not feasible to run except as root.
The File Transfer Protocol and firewalls do not co-exist well. Luckily, firewalls, NAT devices, load-balancers, and proxies are handling FTP and its quirks better each year. Please see our article titled "The FTP and Your Firewall / NAT / Load-Balancing Router" for details on the problems and what you can do about them.
The best way is to not configure NcFTPd, and instead let your FTP server machine's operating system manage how ephemeral ports are allocated. This will give you the best performance and highest reliability for passive data connections. To do that, see our article "The Ephemeral Port Range" for details on how to do this.
You can also have NcFTPd do this, using the
No matter which way you configure it, the range must be a minimum size of 2000 ports (i.e. don't think you can open up 10 ports on the firewall for FTP).