The File Transport Protocol, or
FTP, is an older TCP protocol designed to
transfer files over a network. Because all transactions with the server,
including user authentication, are unencrypted, it is considered an
insecure protocol and should be carefully configured.
Red Hat Enterprise Linux provides three FTP servers.
gssftpd — A kerberized
xinetd-based FTP daemon which does not pass
authentication information over the network.
Red Hat Content Accelerator
(tux) — A kernel-space Web server with FTP
capabilities.
vsftpd — A standalone, security
oriented implementation of the FTP service.
The following security guidelines are for setting up the
vsftpd FTP service.
Before submitting a username and password, all users are presented
with a greeting banner. By default, this banner includes version
information useful to crackers trying to identify weaknesses in a
system.
To change the greeting banner for vsftpd, add the
following directive to the
/etc/vsftpd/vsftpd.conf file:
ftpd_banner=<insert_greeting_here> |
Replace <insert_greeting_here> in the
above directive with the text of the greeting message.
For mutli-line banners, it is best to use a banner file. To simplify
management of multiple banners, place all banners in a new directory
called /etc/banners/. The banner file for FTP
connections in this example is
/etc/banners/ftp.msg. Below is an example of what
such a file may look like:
####################################################
# Hello, all activity on ftp.example.com is logged.#
#################################################### |
To reference this greeting banner file for vsftpd,
add the following directive to the
/etc/vsftpd/vsftpd.conf file:
banner_file=/etc/banners/ftp.msg |
It also is possible to send additional banners to incoming connections
using TCP wrappers as described in Section 5.1.1.1 TCP Wrappers and Connection Banners.
The presence of the /var/ftp/ directory activates
the anonymous account.
The easiest way to create this directory is to install the
vsftpd package. This package sets a directory
tree up for anonymous users and configures the permissions on
directories to read-only for anonymous users.
By default the anonymous user cannot write to any directories.
 | Caution |
|---|
| | If enabling anonymous access to an FTP server, be aware of where
sensitive data is stored.
|
To allow anonymous users to upload, it is recommended that a
write-only directory be created within
/var/ftp/pub/.
To do this, type:
mkdir /var/ftp/pub/upload |
Next change the permissions so that anonymous users cannot see what is
within the directory by typing:
chmod 730 /var/ftp/pub/upload |
A long format listing of the directory should look like this:
drwx-wx--- 2 root ftp 4096 Feb 13 20:05 upload |
 | Warning |
|---|
| | Administrators who allow anonymous users to read and write in
directories often find that their servers become a repository of
stolen software.
|
Additionally, under vsftpd, add the following
line to the /etc/vsftpd/vsftpd.conf file:
Because FTP passes unencrypted usernames and passwords over insecure
networks for authentication, it is a good idea to deny system users
access to the server from their user accounts.
To disable user accounts in vsftpd, add the
following directive to /etc/vsftpd/vsftpd.conf:
The easiest way to disable a specific group of accounts, such as the
root user and those with sudo privileges, from
accessing an FTP server is to use a PAM list file as described in
Section 4.4.2.4 Disabling Root Using PAM. The PAM configuration
file for vsftpd is
/etc/pam.d/vsftpd.
It is also possible to disable user accounts within each service
directly.
To disable specific user accounts in vsftpd, add the
username to /etc/vsftpd.ftpusers.
