Establishing a secure ProFTPD

Source: Internet
Author: User

ProFTPD was developed in response to the weaknesses of Wu-FTP. Besides improved security, it has many features that Wu-FTP lacks, and it can run in stand-alone or xinetd mode. ProFTPD has become the most popular FTP server software after Wu-FTP, and more and more websites use it to build secure and efficient FTP sites. ProFTPD is also convenient to configure, and optional modules such as MySQL and Quota are available; combined, they let you manage non-system (virtual) accounts and restrict users' disk usage. This article describes how to establish a secure ProFTPD.

I. Security risks faced by ProFTPD

ProFTPD services face four major security risks: buffer overflow attacks, data sniffing, anonymous access defects, and denial-of-service (DoS) attacks.

1. Buffer overflow attacks

Buffer overflows have been a problem in computer systems for a long time. The most famous early case of exploiting a buffer overflow was the Morris worm of November 1988. Yet even though the hazard is well known, buffer overflow remains an important means of intrusion.

The concept of a buffer overflow: it is like trying to put one hundred kilograms of goods into a container that holds only 10 kilograms. Buffer overflow vulnerabilities have plagued security experts for more than 30 years. In short, a buffer overflow is a memory error in software caused by the program copying more data into a fixed-size buffer than the buffer can hold, without checking the length first. Such memory errors let an attacker overwrite adjacent memory, run malicious code, disrupt normal system operation, and even gain control of the whole system. For a network service such as an FTP daemon, the attacker's input is the command line and data it receives from the client, so every field copied into a fixed-size buffer must be bounded.
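As an added illustration (example code, not from ProFTPD or the original article): a hypothetical handler for the FTP USER command, first copying the argument into a fixed 32-byte buffer with no length check, then the bounded version that rejects oversized input. The command format "USER <name>" is real FTP; the function names, the buffer size and the constructed attack line are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define USER_MAX 32   /* hypothetical fixed-size field; many old servers used such limits */

/* Deliberately vulnerable (for illustration only, never call with untrusted
 * input): the USER argument is copied with strcpy and no length check. An
 * argument longer than USER_MAX - 1 bytes runs past the end of 'user' and
 * overwrites whatever follows on the stack, typically the saved return
 * address, which is exactly what a buffer overflow exploit relies on. */
int handle_user_unsafe(const char *line)
{
    char user[USER_MAX];
    if (strncmp(line, "USER ", 5) != 0)
        return -1;
    strcpy(user, line + 5);             /* unbounded copy: the overflow */
    printf("login attempt for %s\n", user);
    return 0;
}

/* Hardened: measure the argument first, refuse anything that would not fit
 * together with its terminating NUL, and strip the CRLF. Returns the length
 * of the accepted name, or -1 on rejection. Refusing beats silent truncation,
 * because a truncated name could still be accepted as a different user. */
int handle_user_safe(const char *line, char *out, size_t outlen)
{
    if (outlen == 0 || strncmp(line, "USER ", 5) != 0)
        return -1;
    const char *arg = line + 5;
    size_t len = strcspn(arg, "\r\n");  /* argument ends at CR or LF */
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, arg, len);
    out[len] = '\0';
    return (int)len;
}

/* Last name accepted by accept_user(), kept for inspection. */
char last_user[USER_MAX];

/* Wrapper that uses the same fixed-size field as the unsafe handler. */
int accept_user(const char *line)
{
    return handle_user_safe(line, last_user, sizeof last_user);
}

/* Constructed attack line: "USER " followed by 292 'A's and CRLF. */
const char *oversized_user_line(void)
{
    static char big[300];
    memset(big, 'A', sizeof big);
    memcpy(big, "USER ", 5);
    memcpy(big + sizeof big - 3, "\r\n", 3);  /* CR, LF, NUL */
    return big;
}

int main(void)
{
    printf("normal login:   %d\n", accept_user("USER anonymous\r\n"));   /* 9 */
    printf("oversized line: %d\n", accept_user(oversized_user_line()));  /* -1 */
    /* handle_user_unsafe(oversized_user_line()) would smash the stack; it is not run. */
    return 0;
}
```

The safe handler rejects a 32-character name outright rather than keeping the first 31 characters; in a real server the rejection should also be logged, since a client sending a 292-byte user name is almost certainly probing for exactly this bug.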

2. Data sniffing

FTP is a traditional network service program that is inherently insecure because it transmits passwords and data in plain text over the network, so anyone with ulterior motives can easily intercept them. In addition, the authentication methods of such service programs have their own weakness: they are vulnerable to man-in-the-middle attacks.

In a man-in-the-middle attack, the attacker impersonates the real server to receive the data you send, then impersonates you to forward that data to the real server. Once the traffic between you and the server is relayed through the man-in-the-middle, serious problems follow: the attacker can read and modify everything, including your password. Passwords may also be recovered by brute-force guessing, and a sniffer program can monitor network packets and capture FTP session traffic, including the USER and PASS commands that carry the credentials in the clear.

3. Anonymous Access Defects

Anonymous access is widely supported by FTP services. However, anonymous FTP does not require real identity authentication, so it readily gives an intruder an access channel from which to launch other attacks, such as buffer overflows, against the server. The consequences can be serious.

4. DoS Attacks

Denial of service (DoS) is an attack method with low technical content but an obvious effect: during such an attack, servers or network devices cannot provide normal service for a long time. Because of inherent defects in some network communication protocols, it is difficult to propose a single effective solution. To defend against DoS, you need a global defense policy in which multiple measures are used together to reduce the threat to a minimum.

II. Reinforce the ProFTPD server and establish a secure ProFTPD

1. Upgrade to the latest version

Upgrade older versions of ProFTPD, because earlier versions have known security vulnerabilities. For a new ProFTPD server, using the latest stable version is the smartest choice. You can download the source code from the official website and compile it. At the time of writing, the latest version was 1.2.10; check the official website, http://www.ProFTPD.org, for the current release, since this number will be out of date.

2. Run ProFTPD in xinetd Mode

ProFTPD can run in stand-alone or xinetd mode. Running in xinetd mode is recommended when the server has few user accounts and connections are infrequent. In that case it also helps limit DoS attacks, because xinetd can cap the total number of simultaneous server instances and the number of connections from a single source address (the instances and per_source attributes of the service definition, together with the cps connection-rate limit). To use this mode, ProFTPD itself must be told that it is started by the super-server, with the directive ServerType inetd in proftpd.conf; otherwise it will try to bind port 21, which xinetd already holds.

In the traditional daemon model, every service the system offers runs its own daemon that listens for connections on its port. This usually means a waste of resources. To solve this problem, Linux systems introduced the concept of a "network daemon service program", or super-server.

The network daemon used in Red Hat Linux 8.0 and later is xinetd (eXtended InterNET daemon). In contrast with stand-alone mode, xinetd mode is also called Internet super-server mode.

xinetd can listen on several specified ports at the same time. When it receives a request, it starts the network service process that corresponds to the port the request arrived on. xinetd can therefore be viewed as a management server for the services it starts: it decides which program a client request should go to and then launches the corresponding daemon process. The operating principle of xinetd mode is shown in Figure 1.

Figure 1 network service in xinetd Mode

Compared with stand-alone mode, the system no longer needs every network service process to listen on its own port; a single xinetd listens on all the service ports at once, which reduces system overhead and conserves resources. However, when access volume is high and concurrent connections are frequent, xinetd must start a new service process for each connection, and system performance declines. To check which mode a given service uses, run pstree on the Linux command line: a stand-alone ProFTPD appears as its own proftpd process directly under init, with a child for each active session, whereas in xinetd mode proftpd processes appear only as children of xinetd, and only while a session is active.
