5.6. Securing FTP

The File Transport Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are sent unencrypted, it is considered an insecure protocol and should be carefully configured.

Note: Red Hat Linux 9 does not ship with the xinetd-based wu-ftpd service. However, instructions for securing it remain in this section for legacy systems.

Red Hat Linux provides three FTP servers. The following security guidelines cover two of them, the wu-ftpd and vsftpd services.

Warning: If both the wu-ftpd and vsftpd services are activated, the xinetd-based wu-ftpd service will handle FTP connections.

5.6.1. FTP Greeting Banner

Before submitting a username and password, every client is presented with a greeting banner. By default, this banner includes version information that is useful to attackers trying to identify weaknesses in a system.

To change the greeting banner for vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:

ftpd_banner=<insert_greeting_here>

Replace <insert_greeting_here> in the above directive with the text of your greeting message.

To change the greeting banner for wu-ftpd, add the following directive to /etc/ftpaccess (not /etc/ftpusers, which is the list of denied usernames):

greeting text <insert_greeting_here>

Replace <insert_greeting_here> in the above directive with the text of your greeting message.

Alternatively, the greeting can be kept in a file. Keeping all banner files under /etc/banners/ makes them easy to manage; the banner file for FTP connections in this example is /etc/banners/ftp.msg.

Note: It is not necessary to begin each line of the file with 220 as specified in Section 5.1.1.1 TCP Wrappers and Connection Banners; the FTP daemon adds the reply code itself.

To reference this greeting banner file for vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:

banner_file=/etc/banners/ftp.msg

To reference this greeting banner file for wu-ftpd, add the following directives to /etc/ftpaccess:

greeting terse
banner /etc/banners/ftp.msg

It also is possible to send additional banners to incoming connections using TCP wrappers as described in Section 5.1.1.1 TCP Wrappers and Connection Banners.
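Whichever daemon is in use, the check that matters is what a client actually sees before authenticating. The following script is an added example, not part of the original guide or of either daemon: it reads the 220 greeting the way an FTP client does (following RFC 959 multi-line replies, where continuation lines are "220-" and the last line is "220 "), flags version strings of the shapes vsftpd and wu-ftpd leak by default, and, so that it runs offline, talks to a loopback stand-in that only sends a greeting. The version patterns and the sample greetings are constructed for the example; against a real host, call read_greeting() with its address and port 21.

```python
import re
import socket
import threading

# Shapes of the version strings the stock greetings leak. These patterns are
# this example's assumption about what is worth flagging, not a complete list.
VERSION_PATTERNS = [
    re.compile(r"vsFTPd\s+[\d.]+", re.IGNORECASE),   # e.g. "220 (vsFTPd 1.1.3)"
    re.compile(r"\bwu-\d[\w.-]*"),                    # e.g. "(Version wu-2.6.2-5)"
]


def read_greeting(host, port, timeout=5.0):
    """Open a control connection, read the (possibly multi-line) 220
    greeting, send QUIT and return the greeting lines without CRLF."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("rb")
        while True:
            raw = reader.readline()
            if not raw:
                break
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            lines.append(line)
            # RFC 959: continuation lines look like "220-text"; the final
            # line of the reply is "220 text". Stop on the final line.
            if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
                break
        s.sendall(b"QUIT\r\n")
    return lines


def leaked_versions(lines):
    """Return every version string found in the greeting lines."""
    found = []
    for line in lines:
        for pattern in VERSION_PATTERNS:
            found.extend(m.group(0) for m in pattern.finditer(line))
    return found


def _serve_greeting_once(listener, greeting_lines):
    """Stand-in for the daemon's greeting only (it is not an FTP server):
    accept one client, send the greeting, read its QUIT and close."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall("".join(l + "\r\n" for l in greeting_lines).encode())
        conn.recv(64)  # the client's QUIT
    listener.close()


def check_greeting(greeting_lines):
    """Run the stand-in on a loopback port with the given greeting, read it
    back as a client and return (lines received, leaked version strings)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_serve_greeting_once, args=(listener, greeting_lines))
    t.start()
    lines = read_greeting("127.0.0.1", port)
    t.join()
    return lines, leaked_versions(lines)


if __name__ == "__main__":
    # Constructed greetings: a stock vsftpd one, and the two-line banner a site
    # would keep in /etc/banners/ftp.msg (the daemon adds the 220 codes).
    for greeting in (
        ["220 (vsFTPd 1.1.3)"],
        ["220-Hello, all activity on ftp.example.com is logged.",
         "220 Authorized use only."],
    ):
        lines, leaks = check_greeting(greeting)
        print(lines, "->", ("LEAKS " + ", ".join(leaks)) if leaks else "clean")
```

Run this from a host that is allowed to reach the server after changing ftpd_banner, banner_file, or the greeting directives in /etc/ftpaccess; if leaked_versions() still returns anything, the daemon is not reading the configuration you edited (for vsftpd, check which vsftpd.conf the running instance was started with).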

5.6.2. Anonymous Access

For both wu-ftpd and vsftpd, the presence of the /var/ftp/ directory activates the anonymous account.

The easiest way to create this directory is to install the vsftpd package.

Note: For releases before Red Hat Linux 9, you must install the anonftp package to create the /var/ftp/ directory.

By default the anonymous user cannot write to any directories.

Caution: If anonymous access is enabled, be careful where sensitive data is stored. Anything placed under /var/ftp/ is readable by anyone who can reach the server, with no password required.

5.6.2.1. Anonymous Upload

If you want to allow anonymous users to upload, it is recommended you create a write-only directory within /var/ftp/pub/.

To do this type:

mkdir /var/ftp/pub/upload

Next change the permissions so that anonymous users cannot see what is within the directory by typing:

chmod 730 /var/ftp/pub/upload

A long format listing of the directory should look like this:

drwx-wx---    2 root     ftp          4096 Feb 13 20:05 upload

Note the group: it must be ftp, the account under which anonymous sessions run, as in the listing above. A directory created by root is group-owned by root unless the group is changed, and with mode 730 that leaves the anonymous user with no access at all, so uploads fail.

Additionally, under vsftpd, add the following line to /etc/vsftpd/vsftpd.conf:

anon_upload_enable=YES
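The following script is an added example, not part of the original guide or of vsftpd: it creates the write-only upload directory with the mode shown in the listing (730, applied explicitly so the result does not depend on umask), sets the group to ftp when run as root, and audits an existing directory for the three things that break a dropbox: group read (anonymous users can list each other's uploads), missing group write+execute (uploads fail), and any access for others. That anonymous sessions run as the ftp group is an assumption taken from the listing; the temporary directory used by demo() stands in for /var/ftp/pub.

```python
import grp
import os
import shutil
import stat
import tempfile

# Mode from the listing "drwx-wx---": owner rwx, group wx, others nothing.
DROPBOX_MODE = 0o730
# Assumption: anonymous sessions run as the ftp user/group, as in the listing.
FTP_GROUP = "ftp"


def create_upload_dir(pub_dir, name="upload", group=FTP_GROUP):
    """Create the write-only upload directory below pub_dir (/var/ftp/pub in
    the guide's layout). chmod is applied explicitly so umask does not
    matter; the group is only changed when running as root, since only
    root can give a directory to a group it is not a member of."""
    path = os.path.join(pub_dir, name)
    os.makedirs(path, exist_ok=True)
    os.chmod(path, DROPBOX_MODE)
    if os.geteuid() == 0:
        try:
            shutil.chown(path, group=group)
        except LookupError:
            pass  # no such group on this host; dropbox_problems() reports it
    return path


def dropbox_problems(path, group=FTP_GROUP):
    """Audit a directory meant as a write-only dropbox. Returns a list of
    findings; an empty list means it matches the guide's layout. Pass
    group=None to skip the ownership check."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group can read: anonymous users can list other people's uploads")
    if mode & (stat.S_IWGRP | stat.S_IXGRP) != (stat.S_IWGRP | stat.S_IXGRP):
        problems.append("group lacks write+execute: anonymous uploads will fail")
    if mode & stat.S_IRWXO:
        problems.append("other has access bits set: should be ---")
    if group is not None:
        try:
            owning = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            owning = str(st.st_gid)
        if owning != group:
            problems.append(f"group is {owning}, expected {group}")
    return problems


def demo():
    """Create the dropbox in a temporary directory standing in for
    /var/ftp/pub, audit it, then loosen it to 755 (a common mistake) and
    audit again. Returns (mode as created, findings as created, findings
    after loosening). Ownership is not checked because the temporary
    directory is not group ftp."""
    with tempfile.TemporaryDirectory() as pub:
        upload = create_upload_dir(pub)
        created_mode = stat.S_IMODE(os.stat(upload).st_mode)
        good = dropbox_problems(upload, group=None)
        os.chmod(upload, 0o755)
        bad = dropbox_problems(upload, group=None)
    return created_mode, good, bad


if __name__ == "__main__":
    mode, good, bad = demo()
    print(oct(mode), good)
    for finding in bad:
        print("755:", finding)
```

Two caveats worth keeping in mind: the directory must also sit under a tree the anonymous user can traverse (execute bit on /var/ftp and /var/ftp/pub), and under vsftpd anon_upload_enable=YES only takes effect when the global write_enable option is also set to YES, so a dropbox that passes the audit yet refuses uploads usually has write_enable left at its default.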

5.6.3. User Accounts

To disable user accounts in wu-ftpd, add the following directive to /etc/ftpaccess:

deny-uid *

To disable user accounts in vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:

local_enable=NO

5.6.3.1. Restricting User Accounts

The easiest way to disable a specific group of accounts, such as the root user and those with sudo privileges from accessing an FTP server is to use a PAM list file as described in Section 4.4.2.4 Disabling Root Using PAM. The PAM configuration file for wu-ftpd is /etc/pam.d/ftp. The PAM configuration file for vsftpd is /etc/pam.d/vsftpd.

It is also possible to perform this test within each service directly.

To disable specific user accounts in wu-ftpd, add the username, one per line, to /etc/ftpusers.

To disable specific user accounts in vsftpd, add the username, one per line, to /etc/vsftpd.ftpusers.
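Keeping the deny list in step with who actually holds privilege is the part that goes stale. The following script is an added example, not part of the original guide or of either daemon: it derives the list of accounts that should never log in over FTP from passwd- and group-format data (every uid 0 account, plus every primary or supplementary member of the administrative groups), merges it into existing ftpusers-style content, and evaluates a login the way a deny list does: a name present in the file is refused. Treating the wheel group as the set of sudo-privileged users is an assumption for this example, and the passwd and group samples are constructed, not taken from a real host.

```python
# Constructed sample /etc/passwd and /etc/group content (not from a real host).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:10:Bob:/home/bob:/bin/bash
carol:x:502:502:Carol:/home/carol:/bin/bash
"""

GROUP_SAMPLE = """\
root:x:0:root
wheel:x:10:alice
ftp:x:50:
alice:x:500:
carol:x:502:
"""

# Assumption: sudo privileges are granted through membership of these groups.
ADMIN_GROUPS = ("wheel",)


def parse_passwd(text):
    """Return {username: (uid, primary_gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def parse_group(text):
    """Return {groupname: (gid, set of supplementary members)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4:
            members = {m for m in fields[3].split(",") if m}
            groups[fields[0]] = (int(fields[2]), members)
    return groups


def privileged_users(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Accounts that should be denied FTP: every uid 0 account plus every
    member, by primary gid or by supplementary membership, of admin_groups."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    denied = {name for name, (uid, _) in users.items() if uid == 0}
    admin_gids = set()
    for gname in admin_groups:
        if gname in groups:
            gid, members = groups[gname]
            admin_gids.add(gid)
            denied |= members
    denied |= {name for name, (_, gid) in users.items() if gid in admin_gids}
    return sorted(denied)


def parse_ftpusers(text):
    """Names listed in ftpusers-style content: one per line, '#' comments."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[0])
    return names


def render_ftpusers(denied, existing=""):
    """Merge the derived deny list into existing ftpusers content."""
    names = parse_ftpusers(existing) | set(denied)
    return "\n".join(sorted(names)) + "\n"


def login_allowed(username, ftpusers_text):
    """Deny-list semantics (as with pam_listfile sense=deny): listed names
    are refused, everyone else is passed on to the next check."""
    return username not in parse_ftpusers(ftpusers_text)


if __name__ == "__main__":
    denied = privileged_users(PASSWD_SAMPLE, GROUP_SAMPLE)
    text = render_ftpusers(denied, existing="# stock entries\nbin\ndaemon\n")
    print(text)
    for user in ("root", "bob", "carol"):
        print(user, "allowed" if login_allowed(user, text) else "denied")
```

Note that bob is denied even though he is not named on the wheel line: his primary group in the passwd entry is gid 10, which tools that only read /etc/group's member field miss. The rendered text can be compared against the live /etc/ftpusers or /etc/vsftpd.ftpusers to spot administrators who were added to the system after the deny list was last written.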

5.6.4. Use TCP Wrappers To Control Access

You can use TCP wrappers to control access to either FTP daemon as outlined in Section 5.1.1 Enhancing Security With TCP Wrappers.

5.6.5. Use xinetd To Control the Load

If using wu-ftpd, you can use xinetd to control the amount of resources the FTP server consumes and to limit the effects of denial of service attacks. See Section 5.1.2 Enhancing Security With xinetd for more on how to do this.
