Experiences in establishing secure ProFTPD in Linux

ProFTPD is developed for the weaknesses of Wu-FTP. in addition to improved security, it also has many features that Wu-FTP does not have, and can run in Stand-alone and xinetd modes. ProFTP has become the most popular FTP server software after Wu-FTP. more and more sites choose it to build secure and efficient FTP sites, and ProFTP configuration

ProFTPD is developed for the weaknesses of Wu-FTP. in addition to improved security, it also has many features that Wu-FTP does not have, and can run in Stand-alone and xinetd modes. ProFTP has become the most popular FTP server software after Wu-FTP. more and more sites are choosing it to build secure and efficient FTP sites. it is easy to configure ProFTP, mySQL and Quota modules are available for you to choose from. the perfect combination of these modules allows you to manage non-system accounts and restrict user disks.
I. security risks faced by ProFTPD

ProFTPD services face major security risks including Buffer Overflow attacks, data sniffing, and anonymous access defects.

1. buffer overflow attacks

For a long time, buffer overflow has become a problem in computer systems. The most famous case of exploiting the computer buffer overflow vulnerability was the Morris worm, which occurred in November 1988. However, even if the hazards are well known, buffer overflow is still an important means of intrusion.

The concept of buffer overflow: Buffer overflow is like putting one hundred kilograms of goods into a container that can only hold 10 kilograms. The buffer overflow vulnerability has plagued security experts for more than 30 years. In short, it is a memory error in the software caused by the programming mechanism. Such memory errors allow hackers to run malicious code to disrupt normal system operation and even gain control of the entire system.

2. data sniffing

FTP is a traditional network service program, which is inherently insecure because it transmits passwords and data in plain text on the network. it is very easy for others with ulterior motives to intercept these passwords and data. In addition, the security authentication methods of these service programs also have their weaknesses, that is, they are vulnerable to man-in-the-middle attacks.

The so-called "man-in-the-middle" attack means that "man-in-the-middle" impersonates a real server to receive the data you send to the server, and then impersonates you to pass the data to the real server. After the data transfer between the server and you is transferred by a "man-in-the-middle", serious problems will occur. These passwords are intercepted by brute force cracking. In addition, you can use the sniffer program to monitor network packets and capture the session information starting with FTP.

3. anonymous access defects

Anonymous access is widely supported in the FTP service. However, anonymous FTP does not require real identity authentication. Therefore, it is easy to provide an access channel for intruders to cope with buffer overflow attacks, this can cause serious consequences.

4. DoS attacks

Denial-of-service (DoS) is an attack method with low technical content but obvious attack effects. during such attacks, servers or network devices cannot provide services normally for a long time, in addition, due to the inherent defects of some network communication protocols, it is difficult to propose an effective solution. To prevent a denial-of-service attack, we need to deploy a global denial-of-service attack defense policy. multiple policies are used together to prevent the threat of a denial-of-service attack to a minimum.

2. reinforce the ProFTPD server

1. Upgraded Version

Upgrade older versions of ProFTPD because of security vulnerabilities in earlier versions of ProFTPD. For a new ProFTPD server, using the latest stable version is the smartest choice. you can download its source code on its official website for compilation. ProFTPD latest version is 1.2.10, official website: http://www.ProFTPD.org.

2. run ProFTPD in xinetd mode

ProFTPD can run in Stand-alone and xinetd modes. it is recommended to run in xinetd mode when there are few user accounts and you often need to connect to the ProFTPD server. Running ProFTPD in xinetd mode can effectively prevent DoS attacks.

From the traditional daemon concept, we can see that every service that the system uses must run a daemon that listens to a port connection. this usually means a waste of resources. To solve this problem, some Linux systems have introduced the concept of "Network Daemon Service Programs. The network daemon used in versions later than Redhat Linux 8.0 is xinted (eXtended InterNET daemon ). Compared with the stand-alone mode, the xinted mode is also called the Internet Super-Server (Super Server ).

Xinetd can listen to multiple specified ports at the same time. when receiving user requests, xinetd can start different network service processes to process these user requests based on different user request ports. Xinetd can be viewed as a management server for managing startup services. it decides to send a client request to the program for processing and then start the corresponding daemon process. For the working principle of the xinetd mode, see.

　　

Xinetd network service

Compared with stand-alone, the system does not want every network service process to listen to its service port. Run a single xinetd to listen to all service ports at the same time, which reduces system overhead and protects system resources. However, if xinetd wants to start the corresponding network service process frequently when there is a large access volume and frequent concurrent access, it will lead to a decline in system performance. Check that the system provides the mode for the Linux service. you can use the pstree command on the Linux command line to view the network services started in two different ways.

Xinetd provides functions similar to inetd + tcp_wrapper, but is more powerful and secure. Denial of Services ):

1. restrict the number of processes running at the same time.

Set the number of concurrent processes that run at the same time by setting the instances option:

Instances = 20

When the number of processes requested to connect to the server reaches 20, the xinetd will stop accepting more connection requests. Until the number of requested connections is lower than the set value.

2. limit the maximum number of connections for an IP address:

Limit the maximum number of connections of a host to prevent a host from occupying a service exclusively.

Per_source = 5

Here, each IP address can connect to a single IP address with five connections. 3. restrict the load.

Xinetd can also use load-limiting methods to prevent DoS attacks. Use a floating point number as the load coefficient. when the load reaches this value, the service will suspend processing for subsequent connections:

Max_load = 2.8

In the above example, when a system load reaches 2.8, all services will be temporarily suspended until the system load falls below the set value. This option is used to add the question mark (?) during compilation ?? With-loadavg, xinetd will only process the max-load configuration options. In this way, some service processes are shut down when the system load is too heavy to realize certain denial-of-service attacks.

4. limit the number of all servers (connection rate ). Xinetd can use the cps option to set the connection rate. the following example:

Cps = 25 60

The first parameter indicates the number of connections that can be processed per second. if the number of connections is exceeded, the connection will be temporarily suspended; the second parameter indicates the number of seconds after the service is stopped. That is, the server can start up to 25 connections. if this number is reached, the server will stop starting the new service for 60 seconds. No request is accepted during this period.

To run ProFTPD in xinetd mode:

(1) Check the running status of the province

If it is saved, ProFTPD runs in stand-alone mode. you can run the "ps aux | grep proftpd" command to view the process number, and then run the kill command to stop it.

(2) modify the configuration file

Change the ServerType option of the/etc/proftpd. conf file from "standalone" to "inetd ".

(3) Create a user group

Groupadd nogroup

(4) create the configuration file/etc/xinetd. d/proftpd. the code is as follows:

Service ftp

{

Flags = REUSE socket_type = stream

Instances = 30

Cps = 25 60max_load = 3.0 wait = no

User = root server =

/Usr/local/sbin/proftpd

Log_on_success = HOST PID

Log_on_failure = host record disable = no

}

(5) restart the xinetd configuration.

Killall-USR1 xinetd

(6) use commands to connect to the server

You can use "ftp localhost" to connect to the local server. if the connection is rejected, run the following command:

Tail-f/var/log/messages

View error information.