Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
PrevChapter 32. Linux FTP ServerNext

32.9. Securing FTP

The ftpusers file. It's important to ensure that you have set up the file /etc/ftpusers which specifies those users that are NOT allowed to connect to your FTP server. This should include, as a MINIMUM, the following entries: root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, nobody and ALL other default vendor supplied accounts available in your /etc/passwd file.

The anonymous FTP program. To disable anonymous FTP, remove the anonymous user ftp from your password file and verify that anonftp-version.i386.rpm package is not installed on your system.

To remove the user ftp from your password file, use the following command: 
        [root@deep ] /# userdel ftp
To verify that the RPM package of anonymous FTP program is not installed on your Linux system, use the following command: 
        [root@deep ] /# rpm -q anonftp
      

        package anonftp is not installed

The upload command. By default, the Wu-ftpd server will grant upload privileges to all users. The upload parameter allow remote clients to load and place files on the FTP server. For optimal security, we don't want users being able to upload into bin, etc, dev, and lib subdirectories in the /home/ftp directory. In our /etc/ftpaccess file we have already chroot'd users to /home/ftp and they cannot access any area of the filesystem outside that directory structure, but in case something happens to the permissions on them you should deny upload privileges in your /etc/ftpaccess file into these areas; /home/ftp/, /home/ftp/bin, /home/ftp/etc, /home/ftp/dev, and /home/ftp/lib.

Edit the ftpaccess file, vi /etc/ftpaccess and add the following lines to deny upload privileges into these areas. 
        # We don't want users being able to upload into these areas.
        upload /home/ftp/* /    no
        upload /home/ftp/* /etc no
        upload /home/ftp/* /dev no
        upload /home/ftp/* /bin no   (1)
        upload /home/ftp/* /lib no   (2)

(1)
Require only if you are not using the --enable-ls option.
(2)
Require only if you are not using the --enable-ls option.
The above lines specify to deny upload into the /, /etc, /dev, /bin and /lib directories of the chroot'd /home/ftp directory structure.

PrevHomeNext
FTP Administrative ToolsUpThe special file .notar
  
 
  Published under the terms of the Open Publication License Design by Interspire