Establish a secure wu-ftpd Server

Source: Internet
Author: User
Tags ftp connection ftp file ftp client filezilla ftp access openssh server
Set up a secure wu-ftpd server-Linux Enterprise Application-Linux server application information. The following is a detailed description. In Linux, we can use ftp service programs such as wu-FTP, tftp-server, proftpd, and vsftp to build an FTP server. Since wu-ftp (Washington University Ft
P) Widely used in a variety of Linux releases and a variety of Unix (including ibm aix, FreeBSD, HP-UX, various BSD, Solaris, etc, at the same time, it has more than 50% Internet users, and now Linux releases all have different versions of wu-ftp. The Wu-ftpd menu helps you easily configure the FTP server: supports the construction of secure anonymous FTP access and controls the number of users simultaneously accessing, restrict ip cidr blocks that can be accessed, and set multiple virtual directories on one host. Wu-ftpd has three registration methods: anonymous FTP, actual user FTP, and guest FTP. Anonymous FTP registers with the username 'anonus Us' and an email password. Wu-ftpd was released earlier, with scattered Server organizations and poor security compared with Proftpd, but with good stability. In particular, the number of online users is large, which is obvious, wu-ftpd is better than Proftpd. However, the Wu-ftpd Server does not provide anonymous services. To provide anonymous ftp services, you must install anonftp. In the latest version (2.6.1), the most vulnerable system security issues have been fixed. Therefore, Ftp servers are the mainstream. Some functions of Wu-Ftpd are as follows:

1. Different access permissions and accessible time periods can be performed for different domains.

2. Users can automatically compress or decompress files when downloading files.

3. Records FTP Server usage.

4. the maximum number of online users can be limited to meet the overall operational efficiency.

5. display relevant information to let the user know the receiving status.

6. You can pause the FTP Server to facilitate system maintenance.

7. Support for Virtual FTP Servers)

I. security risks faced by the wu-ftpd Service

The wu-ftpd service faces major security risks including Buffer Overflow attacks, data sniffing, and anonymous access defects.

1. Buffer overflow attacks

For a long time, buffer overflow has become a problem in computer systems. The most famous case of exploiting the computer buffer overflow vulnerability was the Morris worm, which occurred in November 1988. However, even if the hazards are well known, buffer overflow is still an important means of intrusion. The concept of buffer overflow: Buffer Overflow is like putting one hundred kilograms of goods into a container that can only hold 10 kilograms. The buffer overflow vulnerability has plagued security experts for more than 30 years. In short, it is a memory error in the software caused by the programming mechanism. Such memory errors allow hackers to run malicious code to disrupt normal system operation and even gain control of the entire system.

2. Data sniffing

FTP is a traditional network service program, which is inherently insecure because it transmits passwords and data in plain text on the network. It is very easy for others with ulterior motives to intercept these passwords and data. In addition, the security authentication methods of these service programs also have their weaknesses, that is, they are vulnerable to man-in-the-middle attacks. The so-called "man-in-the-middle" attack means that "man-in-the-middle" impersonates a Real Server to receive the data you send to the server, and then impersonates you to pass the data to the Real Server. After the data transfer between the server and you is transferred by a "man-in-the-middle", serious problems will occur. These passwords are intercepted by brute force cracking. In addition, you can use the sniffer program to monitor network packets and capture the session information starting with FTP.

3. System Vulnerabilities

Anonymous access is widely supported in the FTP service. However, anonymous FTP does not require real identity authentication. Therefore, it is easy to provide an access channel for intruders to cope with buffer overflow attacks, this can cause serious consequences. The world's first Linux Ramen virus was spread using rpc. statd and wu-ftpd in some Linux versions (Redhat6.2 and 7.0.

4. DoS Attacks

Denial-of-Service (DoS) is an attack method with low technical content but obvious attack effects. During such attacks, servers or network devices cannot provide services normally for a long time, in addition, due to the inherent defects of some network communication protocols, it is difficult to propose an effective solution. To prevent a Denial-of-Service attack, we need to deploy a global Denial-of-Service attack defense policy. Multiple policies are used together to prevent the threat of a Denial-of-Service attack to a minimum.

Ii. Reinforce the wu-ftpd Server

1. Version Upgrade and Security Customization

Upgrade old wu-ftpd versions because of security vulnerabilities in earlier wu-ftpd versions (before 2.6.1. For example, the first virus in Linux: the Ramen worm makes a great threat to the famous wu-ftpd server by exploiting Anonymous Access vulnerabilities and buffer overflow attacks.

Especially for a newly configured wu-ftpd server, using the latest stable version is the smartest choice. You can download its source code on its official website for compilation. The compile command is:./configure option1 option2, where option1 is the first option, option2 is the second option, and so on can include multiple options.

2. Use the options in the/etc/ftpaccess file to protect wu-ftpd

The etc/ftpaccess file provides some options to improve the security of wu-ftpd.

(1) Enhance the Log System

Record all logs as much as possible. Generally, wu-ftpd records the upload (inbound) and download (outbound) of all user categories (real: real, anonymous: anonymous, guest: guest. The following is a common log setting method. If you want to know all data transmission conditions, you can add a line in/etc/ftpaccess:

Log transfers anonymous, real, guest inbound, outbound

(2) restrict access to sensitive files and directories

You can use the noretrieve directory in the/etc/ftpaccess file to restrict access to sensitive files and directories. If you want to prohibit users from modifying any files under the core Directory:/etc, you can add a line in/etc/ftpaccess:

Noretrieve/etc

In addition, if the wu-ftpd server runs the Apache server at the same time, make sure that the configuration file cannot be downloaded by anonymous users, you can add a line in/etc/ftpaccess:

Noretrieve. htaccess. htpasswd class = anonymous


(3) restrict the upload permission of anonymous FTP users

Anonymous FTP is a frequently used service on the Internet. It is often used for Software Download websites and software exchange websites. To improve the security of anonymous FTP services, we want to modify the upload permission of anonymous FTP users. Root directory of anonymous ftp (~ And its sub-directory owner cannot be an ftp account, or an account in the same group as ftp. This is a common setting problem. If these directories are owned by ftp accounts or accounts in the same group as ftp, and do not provide write protection, intruders may add files (for example :. rhosts) or modify other files. The method is as follows:

Upload/var/ftp * no

Upload/var/ftp/incoming yes nobody ftp 0440 nodirs

Noretrieve/var/ftp/incoming

Note: The First Command first prohibits anonymous FTP accounts from uploading data to all directories, and then creates a directory:/var/ftp/incoming. Set the file in this directory to belong to the ftp User Group of the nobody user. The File Permission is set to 0440 (-r -- r -----), so that anonymous users cannot create any directories. Finally, the files in the/var/ftp/incoming directory cannot be recovered.

(4) restrict directories accessible to normal FTP users

We usually want normal FTP users to operate in their own directories, but some FTP users always like other directories (especially in the root directory, system directory, and other user directories) reads files that are not supposed to be read. Below we need to restrict these users to their own directories:

A. Create a group and use the groupadd command. Generally, you can use the ftpuser group:

Groupadd ftpuser

B. Create a user, such as mytestuser, and create a user. The adduser command is available:

Adduser mytestuser

C. Modify the/etc/ftpaccess file and add it to the guestgroup definition:

Chmod yes guest

Delete yes guest

Overwrite yes guest

Rename yes guest

Guestgroup ftpuser

In addition to adding the guestgroup ftpuser line, the other four lines also need to be added. Otherwise, after the user logs in, although the user can achieve the goal of not returning the parent directory, the result can only be uploaded, you cannot overwrite or delete your own files.

D. Copy the necessary files to the root directory of the User:

Cp-rf/home/ftp/lib/home/mytestuser

Cp-rf/home/ftp/bin/home/mytestuser

We usually copy the bin and lib directories under/home/ftp/to the root directory of the user, because some commands (such as ls commands) need to be supported by the Lib library, otherwise, the column directory cannot be created.

E. Disable the user's telnet permission:

Adduser mytestuser-g ftpuser-s/dev/null

After the above settings, all FTP operations of the user mytestuser will be restricted in his/home/mytestuser directory.

(5) Restrict access through IP addresses

In addition, we need to constantly monitor/var/log/secure logs and pay attention to FTP connections with unknown origins. You can use the command "/usr/bin/host IP_address" to resolve suspicious IP addresses, run the "/usr/sbin/traceroute IP_address" command to obtain the network path of the IP address. If you do not have a user in a region, you can use the command "/usr/sbin/traceroute IP_address" to find that the user is from this region. You can use the command to prevent FTP connection attempts, add a line to/etc/ftpaccess:

Deny 10.1.2.125

In this way, hosts from 10.1.2.125 cannot be connected to FTP.

3. Restrict FTP access by user name

Wu-ftpd can be added to the embedded authentication module to become the FTP server of PAM-aware. For more information about PAM and PAM-aware, see the author's Guide: add
Solid OpenSSH server connector: http://www.ccw.com.cn/server/yyjq/htm2005/20051108_09KRE.htm. In this way, PAM authenticates the FTP server by using the/etc/pam. d/ftp file. How to use PAM: Create a/etc/pam. d/ftp file by hand, which includes the following:

Auth required/lib/security/pam_listfile.so item = user \

Sense = deny file =/etc/ftpusers onerr = succeed

Auth required/lib/security/pam_stack.so service = system-auth

Auth required/lib/security/pam_shells.so

Account required/lib/security/pam_stack.so service = system-auth

Session required/lib/security/pam_stack.so service = system-auth

(1) blacklist

To prohibit a user from connecting to the FTP server, you only need to add the user name to the/etc/ftpusers file. When cjh1, a user prohibited from accessing the FTP server, attempts to access the FTP server, the log file/var/log/messages will send an error message:

Dec 1 13:11:36 k2 ftpd [1988]: PAM-listfile: Refused user cjh1 for service ftp

(2) Use the whitelist Method

This method is safer and will not be omitted. You only need to list the users that are allowed to access the FTP server. All other users cannot access the service. Add a line to/etc/pam. d/ftp as follows:

Auth required/lib/security/pam_listfile.so item = user \

Sense = allow file =/etc/userlist. ftp onerr = fail

Create a text file:/etc/userlist. ftp. The file format is as follows: each line contains a user name.

Advanced applications:

If many users are allowed to access the FTP server, it is troublesome to manually create/etc/userlist. ftp. You can run the following command:

Awk-F: '{print $1}'/etc/passwd>/etc/userlist. ftp

This command will generate a/etc/userlist. ftp user list based on/etc/passwd, and then make some modifications.

4. Modify the Wu-FTPD Port

Wu-FTPD uses the xinetd daemon to control the service. You can manage the service through xinetd. For example, you can modify/etc/services to control its port. Standard FTP mainly uses ports 21 (communication port) and 20 (data port ). If you change the two ports to 20000 and 20001 in/etc/services and restart the xinetd service, the Wu-FTP process will work on these two ports. In this way, even if someone scans these ports, it is difficult to guess the purpose of these ports, and further attack actions cannot be taken.

5. Use a firewall to protect the Wu-FTPD Server

(1) preliminary configuration Scheme

To use iptables, you must also load the relevant modules. Run the following command to load the relevant modules:

# Modprobe iptable_tables

/Sbin/iptables-t filter-F

/Sbin/iptables-t nat-F

/Sbin/iptables-t mangle-F # clear existing rules

The modprobe command will automatically load the specified module and its related modules; The iptables_filter module will automatically load at runtime.

#/Sbin/iptables-p forward drop # Set the Default policy to discard all packets from the Intranet except for allow

(2) ensure the security of the firewall itself

Do not respond to ICMP Packets

/Sbin/iptables-t filter-a input-p icmp -- icmp-type echo-requested-j DROP

/Sbin/iptables-t filter-a output-p icmp -- icmp-type echo-reply-j DROP

/Sbin/iptables-t filter-a forward-p icmp -- icmp-type echo-requested-j DROP

/Sbin/iptables-t filter-a forward-p icmp -- icmp-type echo-reply-j DROP

Prevent IP Spoofing

IP Spoofing pretends to be sent from an internal network to allow the firewall to access the internal network by mistake. To prevent IP Spoofing, we only need to filter packets that access from the Internet and claim that the source address is an internal network.

/Sbin/iptables-t filter-a input-I $ EXTERNAL_NIC-s $ INTERNAL_NET-j DROP

/Sbin/iptables-t filter-a forward-I $ EXTERNAL_NIC-s $ INTERNAL_NET-j DROP

Prevent Network Scanning

Network Scanning uses some abnormal and valid packets to detect the services provided by the server and obtain some system information. Some Intruders use these packets to bypass the firewall to intrude into the internal network, so they must filter.

/Sbin/iptables-t filter-a input-p tcp -- tcp-flags ALL-j DROP

/Sbin/iptables-t filter-a forward-p tcp -- tcp-flags ALL-j DROP

/Sbin/iptables-t filter-a input-p tcp -- tcp-flags all none-j DROP

/Sbin/iptables-t filter-a forward-p tcp -- tcp-flags all none-j DROP

/Sbin/iptables-t filter-a input-p tcp -- tcp-flags all fin, URG, PSH-j DROP

/Sbin/iptables-t filter-a forward-p tcp -- tcp-flags all fin, URG, PSH-j DROP

/Sbin/iptables-t filter-a input-p tcp -- tcp-flags SYN, rst syn, RST-j DROP

/Sbin/iptables-t filter-a forward-p tcp -- tcp-flags SYN, rst syn, RST-j DROP

Allow the Administrator to connect to the firewall by Using SSH to modify settings

Finally, open a channel for the Administrator to connect to the firewall using SSH to modify the settings. Otherwise, the administrator must log on to the firewall and modify the settings.

/Sbin/iptables-t filter-a input-I $ INTERNAL_NIC-s $ INTERNAL_NET -- dport 22-j ACCEPT

6. Cannot access shell

If you refuse to allow users to access the shell through telnet or ssh, you need to create a fake shell, change it to NoAccess, and put it in the/etc/directory.

Touch/etc/NoAccess

Add the following content:

/Etc/NoAccess

#! /Bin/sh

#

Echo "Shell Access denied! "

Echo ""

Echo "You don't have a valid login for this server"

Exit 0

Store files and modify shell permissions:

Chmod + x/etc/NoAccess.

Then, modify the/etc/shells file and add the created shell.

The/etc/shells file is as follows:

/Etc/shells

/Bin/bash2

/Bin/bash

/Bin/sh

/Bin/ash

/Bin/bsh

/Bin/tcsh

/Etc/NoAccess

After adding a user manually, you can use the following command to add the user to the appropriate shell:

Adduser-g FTPgroup-s/etc/NoAcces "username"

3. secure use of client tools

The above Security reinforces the server. Network sniffing should be prevented, that is, the security of the data transmission process from the client to the server: The key file transmission process of network sniffing should be prevented, using SSH to upload data to the ProFTPD server can encrypt all transmitted data, so that even if hackers in the network can hijack the data transmitted by users, it cannot pose a real threat to data transmission. SSH has many functions. It can replace Telnet and provide a secure "transmission channel" for FTP and POP ". In an insecure network communication environment, it provides a strong authentication mechanism and a very secure communication environment. In Linux, there are two SSH-based tools: Command Line and graphical interface.

1. Command Line

As a system administrator, I like the former main tool: Using sftp commands, sftp tools can be used to open a secure interaction FTP session. It is similar to ftp, except that it uses secure and encrypted connections. Its general syntax is: sftp username@hostname.com. Once verification is passed, you can use a group of commands similar to those using FTP. The usage of SFTP-related commands is shown in table 2:

Table 2 SFTP-related commands

Sub-command Name Description
Cd conversion directory
Create a subdirectory using mkdir
Ls display file name
Name of the current directory in the pwd Column
Rm delete file
Ln Create File Link
Charp modifies file group attributes
Chmod
Rename: Modify the file or directory name
Lpwd displays the current location
Create a local directory using lmkdir
Put Upload File
Get download file
Exit from remote server


2. graphic interface tool: gFTP

If you use the command line, it is complicated. Here we will introduce a secure and fast data transmission tool: gFTP, which can be integrated with SSH to provide a graphical encrypted transmission solution. GFTP is a multi-threaded FTP client written in GTK +. It supports simultaneous download of multiple threads, resumable upload, FTP, HTTP, and SSH protocols, FTP and HTTP proxy, downloading the entire directory, file queue, and cache, it supports drag-and-drop operations and is a good FTP Client Manager. Many Linux distributions come with gFTP, which can also be downloaded at its official website (http://www.gftp.org. On the gftp logon page, select FTP> Options from the gftp drop-down menu. In the displayed window, select the SSH tab, enter/usr/libexec/openssh in the SSH2 sftp-server path box, check Need SSH User/Pass, and click Save to Save the settings. After setting, select SSH2 from the drop-down menu after the logon password on the gftp logon interface. In this case, enter the remote host name (or IP address), Port (22), user name, and password, and click Connect on the left side to log on successfully. This method is useful for logging on to the anonymous ftp server.

In addition, Filezilla is recommended for Windows. It is a good open-source software for the client to use SFTP and has good support for Chinese. Latest Version 2.2.16, Official Website: http://filezilla.sourceforge.net /. It allows you to upload and download data to the ProFTPD Server securely and conveniently.

Conclusion: FTP (file transfer protocol) plays an important role in many network applications. Software resources are a very important resource on the Internet, and most of the various software resources are stored on FTP servers. The system administrator should make the security protection method as simple as possible for users. The network administrator should establish a reasonable amount of user pain (the amount of pain refers to the function of resistance caused by security restrictions ). The following describes how to reinforce FTP applications from the server to the client.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.