The File Transfer Protocol (FTP) is an older TCP protocol designed to
transfer files over a network. Because every transaction with the
server, including user authentication, is sent in cleartext, FTP is
considered an insecure protocol and should be carefully configured.
Red Hat Enterprise Linux provides three FTP servers.
- gssftpd — A Kerberized, xinetd-based FTP daemon which does not pass authentication information over the network.
- Red Hat Content Accelerator (tux) — A kernel-space Web server with FTP capabilities.
- vsftpd — A standalone, security-oriented implementation of the FTP service.
The following security guidelines are for setting up the vsftpd FTP service.
Before submitting a username and password, all users are presented with
a greeting banner. By default, this banner includes version information
that helps an attacker identify the software running on the system and
look up known weaknesses in that version.
To change the greeting banner for vsftpd, add the following directive to the
/etc/vsftpd/vsftpd.conf file:
ftpd_banner=<insert_greeting_here>
Replace <insert_greeting_here> in the above directive with the text of
the greeting message.
For multi-line banners, it is best to use a banner file. To simplify
management of multiple banners, place all banners in a new directory
called /etc/banners/. The banner file for FTP connections in this
example is /etc/banners/ftp.msg. Below is an example of what such a
file may look like:
####################################################
# Hello, all activity on ftp.example.com is logged.#
####################################################
To reference this greeting banner file for vsftpd, add the following
directive to the /etc/vsftpd/vsftpd.conf file:
banner_file=/etc/banners/ftp.msg
If both ftpd_banner and banner_file are set, banner_file takes
precedence.
It also is possible to send additional banners to incoming
connections using TCP wrappers as described in Section 5.1.1.1 TCP
Wrappers and Connection Banners.
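The banner procedure above, carried out as a small shell script. This is an added example, not code from the Red Hat guide or from the vsftpd project. It assumes the paths named in the text (/etc/vsftpd/vsftpd.conf and /etc/banners/ftp.msg) as defaults but reads both from environment variables, so the functions can be exercised against scratch copies without root. The banner_is_default check relies on the fact stated above: when neither ftpd_banner nor banner_file is set, vsftpd greets clients with its version string.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): manage the vsftpd greeting
# banner so the daemon version is no longer shown. Paths default to the
# ones in the text; override VSFTPD_CONF / BANNER_FILE to work on a copy.
set -eu

VSFTPD_CONF="${VSFTPD_CONF:-/etc/vsftpd/vsftpd.conf}"
BANNER_FILE="${BANNER_FILE:-/etc/banners/ftp.msg}"

# conf_get KEY: print the effective value of KEY (last live setting wins;
# commented-out lines are ignored). Prints nothing if KEY is unset.
conf_get() {
    sed -n "s/^$1=//p" "$VSFTPD_CONF" | tail -n 1
}

# conf_set KEY VALUE: remove every existing KEY= line, commented out or
# not, and append exactly one live setting. The file is rewritten with
# cat rather than mv so its owner and mode are preserved.
conf_set() {
    key=$1; value=$2
    scratch="$VSFTPD_CONF.tmp.$$"
    sed "/^#\{0,1\}[[:space:]]*${key}=/d" "$VSFTPD_CONF" > "$scratch"
    printf '%s=%s\n' "$key" "$value" >> "$scratch"
    cat "$scratch" > "$VSFTPD_CONF"
    rm -f "$scratch"
}

# banner_is_default: succeed when neither ftpd_banner nor banner_file is
# set, i.e. vsftpd would still greet clients with its version string.
banner_is_default() {
    [ -z "$(conf_get ftpd_banner)" ] && [ -z "$(conf_get banner_file)" ]
}

# write_banner MESSAGE: write a boxed, multi-line banner file in the style
# of the /etc/banners/ftp.msg example in the text.
write_banner() {
    msg=$1
    rule="##$(printf '%s' "$msg" | sed 's/./#/g')##"
    mkdir -p "$(dirname "$BANNER_FILE")"
    printf '%s\n# %s #\n%s\n' "$rule" "$msg" "$rule" > "$BANNER_FILE"
    chmod 644 "$BANNER_FILE"   # must be readable by the unprivileged daemon
}

# Usage: sh ftp-banner.sh "Hello, all activity on ftp.example.com is logged."
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    write_banner "$1"
    conf_set banner_file "$BANNER_FILE"
    if banner_is_default; then echo "banner is still the default" >&2; fi
    echo "banner_file=$(conf_get banner_file)"
fi
```

After running it, reconnect with an FTP client: the 220 greeting should show only your text, not the vsFTPd version. Restart vsftpd first so it re-reads its configuration.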
Anonymous logins run as the ftp system account, whose home directory is
/var/ftp/; the presence of this directory activates the anonymous
account.
The easiest way to create this directory is to install the
vsftpd package, which sets up a directory tree for anonymous users and
configures the permissions on those directories to read-only for
anonymous users. By default the anonymous user cannot write to any
directories.
Caution: If enabling anonymous access to an FTP server, be aware of where
sensitive data is stored; anything readable under /var/ftp/ is
available to anyone who can reach the server.
To allow anonymous users to upload, it is recommended that a
write-only directory be created within /var/ftp/pub/.
To do this, type:
mkdir /var/ftp/pub/upload
Next change the permissions so that anonymous users can create files but
cannot see what is within the directory by typing:
chmod 730 /var/ftp/pub/upload
The directory must be owned by root and group-owned by ftp, the group of
the account anonymous sessions run as, for the group permissions to apply
to anonymous users. A long format listing of the directory should look
like this:
drwx-wx--- 2 root ftp 4096 Feb 13 20:05 upload
Warning: Administrators who allow anonymous users to both read and write
in the same directory often find that their servers become a repository
of stolen software. Keeping the upload directory write-only, so that
other anonymous users cannot list what has been uploaded, is what makes
it unattractive as a drop site.
Additionally, under vsftpd, add the
following line to the /etc/vsftpd/vsftpd.conf file:
Because FTP passes unencrypted usernames and passwords over insecure
networks for authentication, it is a good idea to deny local system
users access to the FTP server with their regular accounts; a password
captured on the wire is a password to the system itself.
To disable user accounts in vsftpd, add
the following directive to /etc/vsftpd/vsftpd.conf:
The easiest way to disable a specific group of accounts, such as
the root user and those with sudo
privileges, from accessing an FTP server is to use a PAM list file
as described in Section
4.4.2.4 Disabling Root Using PAM. The PAM configuration
file for vsftpd is /etc/pam.d/vsftpd.
It is also possible to disable user accounts within each service
directly.
To disable specific user accounts in vsftpd, add the username to /etc/vsftpd.ftpusers.
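The two procedures above, the write-only anonymous upload directory and the restriction of local accounts, as one added shell example that is not code from the Red Hat guide or from vsftpd. It assumes the paths named in the text (/var/ftp, /etc/vsftpd/vsftpd.conf, /etc/vsftpd.ftpusers and /etc/passwd) as defaults but reads them from environment variables, so the checks can be run against scratch copies by an unprivileged user. The vsftpd directives it inspects are real settings: write_enable and anon_upload_enable must both be YES for anonymous uploads to work, and local_enable=NO turns off local logins altogether.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): set up the write-only
# anonymous upload directory and audit the vsftpd account restrictions.
# Paths default to the ones in the text; override them to test on copies.
set -eu

FTP_ROOT="${FTP_ROOT:-/var/ftp}"
VSFTPD_CONF="${VSFTPD_CONF:-/etc/vsftpd/vsftpd.conf}"
FTPUSERS="${FTPUSERS:-/etc/vsftpd.ftpusers}"
PASSWD="${PASSWD:-/etc/passwd}"

# conf_get KEY: effective value of KEY in VSFTPD_CONF, upper-cased so
# "yes" and "YES" compare equal; prints nothing when KEY is unset.
conf_get() {
    sed -n "s/^$1=//p" "$VSFTPD_CONF" | tail -n 1 | tr '[:lower:]' '[:upper:]'
}

# make_upload_dir: create pub/upload under FTP_ROOT with mode 730, so the
# ftp group (anonymous sessions) can create files but cannot list or read
# them. The group bits only reach anonymous users if the directory is
# group-owned by ftp, which needs root; otherwise a warning is printed.
make_upload_dir() {
    dir="$FTP_ROOT/pub/upload"
    mkdir -p "$dir"
    chmod 730 "$dir"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:ftp "$dir" || echo "warning: chown root:ftp $dir failed" >&2
    else
        echo "warning: not root, $dir not chowned to root:ftp" >&2
    fi
    printf '%s\n' "$dir"
}

# dir_mode DIR: the permission field of a long listing, e.g. drwx-wx---
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_upload_dir DIR: succeed only for exactly the listing the text
# expects: owner rwx, group write+search, nothing for others.
check_upload_dir() {
    [ "$(dir_mode "$1")" = "drwx-wx---" ]
}

# anon_upload_enabled: succeed when the configuration actually permits
# anonymous uploads; vsftpd needs both write_enable and anon_upload_enable.
anon_upload_enabled() {
    [ "$(conf_get write_enable)" = "YES" ] && [ "$(conf_get anon_upload_enable)" = "YES" ]
}

# unlisted_privileged: print uid-0 accounts from PASSWD that are missing
# from the FTPUSERS deny list. Prints nothing when local logins are off
# altogether (local_enable=NO); anything other than an explicit NO is
# treated as enabled, which is the safe assumption.
unlisted_privileged() {
    if [ "$(conf_get local_enable)" = "NO" ]; then
        return 0
    fi
    awk -F: '$3 == 0 { print $1 }' "$PASSWD" | while IFS= read -r user; do
        grep -qx "$user" "$FTPUSERS" || printf '%s\n' "$user"
    done
}

# Usage: sh ftp-anon.sh apply   (creates the directory, needs root)
#        sh ftp-anon.sh audit   (read-only checks)
case "${1:-}" in
    apply) make_upload_dir ;;
    audit)
        check_upload_dir "$FTP_ROOT/pub/upload" || echo "upload dir mode is not 730" >&2
        if anon_upload_enabled; then echo "anonymous uploads are enabled"; fi
        unlisted_privileged | sed 's/^/uid 0 account not in ftpusers: /'
        ;;
esac
```

The audit deliberately keys on uid 0 rather than the name root, since any additional uid-0 account (a "toor"-style login) is just as much a target; extend the awk filter to the groups you consider privileged, such as wheel, if you also block sudo users through the PAM list file.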