How to Build a Secure ProFTPD Server (full text)

Author: Cao jianghua

ProFTPD was written to address the weaknesses of wu-ftpd. Besides improved security it offers many features wu-ftpd lacks, and it can run either standalone or under xinetd. It has become the most popular FTP server after wu-ftpd, and more and more sites choose it to build secure and efficient FTP services. Configuration is straightforward, and optional modules such as mod_sql (with a MySQL back end) and mod_quotatab are available; combined, they let you manage non-system (virtual) accounts and enforce per-user disk quotas.

I. Security risks faced by ProFTPD

The main security risks a ProFTPD service faces are buffer overflow attacks, data sniffing, the weaknesses of anonymous access, and denial of service.

1. Buffer overflow attacks

Buffer overflows have troubled computer systems for a long time. The best-known early exploitation of one was the Morris worm of November 1988. Although the danger is well understood, buffer overflow remains a major intrusion technique. The idea is simple: a buffer overflow is like trying to put a hundred kilograms of goods into a container that holds only ten; the excess spills into whatever lies next to it in memory.

Buffer overflow vulnerabilities have plagued security practitioners for more than thirty years. In short, they are memory errors that stem from how programs are written: data is copied into a fixed-size buffer without checking its length. Such errors let an attacker run code of their choosing, disrupt normal operation, and even take control of the whole system.

2. Data sniffing

FTP is a traditional network service and is inherently insecure: it sends passwords and data across the network in clear text, so anyone able to watch the traffic can read them. The authentication methods of such services have a further weakness: they are vulnerable to man-in-the-middle attacks.

In a man-in-the-middle attack the attacker impersonates the real server towards you, receives the data you send, and then impersonates you towards the real server, relaying the traffic in both directions. Once the exchange passes through such an intermediary, the attacker can read and alter everything. Because FTP sends the password in the clear, no cracking is even needed: a sniffer on the path simply captures the USER and PASS commands, together with any session data that follows.

3. Anonymous Access Defects

Anonymous access is widely supported by FTP services, but anonymous FTP performs no real identity check. It therefore gives an intruder a ready-made channel to the daemon from which to launch, for example, buffer overflow attacks against it, with potentially serious consequences.

4. DoS Attacks

Denial of service (DoS) requires little skill but has an obvious effect: during such an attack the server or network device cannot provide its service for an extended period, and because of inherent defects in some network protocols there is no single effective remedy. Defending against DoS therefore needs a global policy in which several measures are combined to reduce the threat to a minimum.

II. Hardening the ProFTPD server

1. Upgrade to the current version

Upgrade old ProFTPD installations, because earlier versions contain known security vulnerabilities. For a new server, using the latest stable release is the smart choice; the source code can be downloaded from the official website and compiled. At the time of writing the latest version was 1.2.10. Official website: http://www.proftpd.org.

2. Run ProFTPD in xinetd mode

ProFTPD can run standalone or under xinetd. xinetd mode is recommended when there are few user accounts and connections are infrequent; running ProFTPD under xinetd lets xinetd's connection limits help mitigate DoS attacks.

In the traditional daemon model, every service the system offers needs its own daemon process listening on a port, which usually wastes resources. To solve this, Linux systems introduced the idea of a "network daemon service" (super-server).

On Red Hat Linux 8.0 and later the network daemon is xinetd (Extended Internet Daemon). In contrast to standalone mode, xinetd is also called the Internet super-server: it listens on several configured ports at once and, when a request arrives, starts the network service process that belongs to the requested port to handle it.

xinetd can thus be viewed as a management server for on-demand services: it decides which program a client request belongs to and then starts the corresponding daemon to process it. Its mode of operation is shown in Figure 1.

Figure 1: Network services in xinetd mode

Compared with standalone mode, no individual network service needs to keep a listener running on its own port. A single xinetd listens on all the service ports at the same time, which reduces system overhead and conserves resources. The drawback is that under heavy, highly concurrent load xinetd has to start a new service process for every connection, which degrades performance. To see which mode a service is using, run pstree on the command line; services started in the two ways appear differently in the process tree.

xinetd provides functions similar to inetd plus tcp_wrappers, but is more powerful and secure. It has several options that help resist denial of service:

(1) Restrict the number of instances running at the same time.

The instances option sets how many instances of the service may run concurrently:

instances = 20

Once 20 instances are running, xinetd stops accepting further connections for the service until the number drops below the limit.

(2) Limit the number of connections per IP address.

Limiting the connections from a single host prevents one host from monopolising the service:

per_source = 5

Here each source IP address may hold at most five simultaneous connections to the service.

(3) Restrict by system load.

xinetd can also suspend services when the system load gets high. The value is a floating-point load average; once the load reaches it, the service stops accepting new connections:

max_load = 2.8

In this example, when the system load average reaches 2.8 the service is suspended until the load falls below the value again. xinetd must have been compiled with --with-loadavg for max_load to be honoured; otherwise the option is ignored. Shedding services when the machine is overloaded limits the damage a denial-of-service attack can do.

(4) Limit the connection rate.

The cps option sets the connection rate. For example:

cps = 25 60

The first parameter is the number of connections per second the service accepts; if incoming connections exceed that rate, the service is temporarily disabled. The second parameter is the number of seconds it stays disabled. So the server starts at most 25 instances per second, and once that rate is exceeded it stops starting new ones for 60 seconds, accepting no requests during that period.
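To make the interaction between these three limits concrete, here is a small Python model, added as an example and not part of xinetd or of this article. It replays a constructed sequence of connection attempts (synthetic IPs and timestamps) through instances, per_source and cps and records which limit rejected each attempt. The exact moment xinetd trips cps (modelled here as the 26th arrival inside one second for cps = 25 60) and the order in which the checks are applied are assumptions; consult xinetd.conf(5) for the authoritative behaviour.

```python
"""Model of xinetd's per-service admission controls: instances, per_source and cps.

Constructed simulation, not xinetd's code. The point at which cps trips
(the (limit+1)th arrival inside a one-second window) and the order of the
checks are assumptions; check them against xinetd.conf(5) for your version.
"""


class XinetdLimiter:
    def __init__(self, instances=20, per_source=5, cps=(25, 60)):
        self.instances = instances              # max simultaneous service processes
        self.per_source = per_source            # max simultaneous processes per client IP
        self.cps_limit, self.cps_penalty = cps  # arrivals per second, then seconds disabled
        self.active = {}                        # conn_id -> source IP of running instances
        self.next_id = 0
        self.window = None                      # whole second the arrival counter refers to
        self.arrivals = 0                       # arrivals counted in that second
        self.disabled_until = 0.0

    def offer(self, now, src):
        """Offer one connection attempt at time `now` from IP `src`.

        Returns (accepted, reason, conn_id); conn_id is None when rejected.
        """
        if now < self.disabled_until:
            return False, "cps: service disabled", None

        window = int(now)
        if window != self.window:
            self.window, self.arrivals = window, 0
        self.arrivals += 1
        if self.arrivals > self.cps_limit:
            # Too many arrivals this second: the service is stopped for cps_penalty seconds.
            self.disabled_until = now + self.cps_penalty
            return False, "cps: rate exceeded", None

        if len(self.active) >= self.instances:
            return False, "instances: limit reached", None

        from_src = sum(1 for ip in self.active.values() if ip == src)
        if from_src >= self.per_source:
            return False, "per_source: limit reached", None

        conn_id = self.next_id
        self.next_id += 1
        self.active[conn_id] = src
        return True, "accepted", conn_id

    def close(self, conn_id):
        """A service process exited; its slot is free again."""
        self.active.pop(conn_id, None)


def simulate():
    """Replay a constructed attack sequence and return which limit rejected what."""
    lim = XinetdLimiter(instances=20, per_source=5, cps=(25, 60))
    out = {}

    # t=0: one client opens six connections; per_source=5 rejects the sixth.
    first = [lim.offer(0.0, "10.0.0.9") for _ in range(6)]
    out["sixth_from_one_host"] = first[5][1]

    # t=1: sixteen further clients, one connection each; 5 + 15 = 20 fills instances.
    second = [lim.offer(1.0, "10.0.1.%d" % i) for i in range(16)]
    out["accepted_at_t1"] = sum(1 for ok, _, _ in second if ok)
    out["sixteenth_at_t1"] = second[15][1]

    # t=2: a flood of 30 connections from distinct hosts inside one second.
    flood = [lim.offer(2.0 + i * 0.01, "192.0.2.%d" % i) for i in range(30)]
    out["flood_reasons"] = sorted(set(reason for _, reason, _ in flood))
    out["flood_tripped_at"] = next(i for i, (_, r, _) in enumerate(flood) if r == "cps: rate exceeded")

    # Everything is refused until the penalty expires, even after all slots free up.
    for conn_id in list(lim.active):
        lim.close(conn_id)
    out["during_penalty"] = lim.offer(30.0, "203.0.113.1")[1]
    out["after_penalty"] = lim.offer(63.0, "203.0.113.1")[1]
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print("%-22s %s" % (key, value))
```

The replay shows per_source biting before instances is reached, instances refusing new clients even while the arrival rate is legal, and cps refusing every client for the whole penalty period once it trips, including after all slots have been freed. That is the blunt side of cps: one burst from an attacker disables the service for everyone, so choose the second number with care.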

To run ProFTPD in xinetd mode:

(1) Check whether ProFTPD is already running.

If it is, it is running in standalone mode. Run "ps aux | grep proftpd" to find the process ID, then stop it with kill.

(2) Modify the configuration file.

In /etc/proftpd.conf change the ServerType directive from "standalone" to "inetd".

(3) Create the group ProFTPD will run as.

groupadd nogroup

(4) Create the xinetd service file /etc/xinetd.d/proftpd with the following contents:

Reference:

service ftp
{
    flags           = REUSE
    socket_type     = stream
    instances       = 30
    cps             = 25 60
    max_load        = 3.0
    wait            = no
    user            = root
    server          = /usr/local/sbin/proftpd
    log_on_success  = HOST PID
    log_on_failure  = HOST RECORD
    disable         = no
}

xinetd starts proftpd as root so that it can bind the privileged port and chroot sessions; the User and Group directives in proftpd.conf (see section 5 below) determine the identity the session processes drop to.

(5) Tell xinetd to reload its configuration:

killall -USR1 xinetd

(6) Test the connection.

Run "ftp localhost" to connect to the local server. If the connection is refused, run

tail -f /var/log/messages

and check the error messages.

3. Hide the version information of the ProFTPD server

Software bugs are usually tied to specific versions, so the version number is among the most valuable pieces of information an attacker looks for. Hiding it in ProFTPD is simple; in the configuration file set:

Reference:

/etc/proftpd.conf:
ServerIdent off

4. Disguise the ProFTPD server

On Windows the FTP service is very often Serv-U. You can disguise ProFTPD as Serv-U by adding the following to proftpd.conf:

ServerIdent on "Serv-U FTP Server v5.0 for WinSock ready..."

After saving the file, restart the ProFTPD service and log in to test the modified banner:

Reference:

C:\> ftp 192.168.0.1
Connected to 192.168.0.1.
220 Serv-U FTP Server v5.0 for WinSock ready...
User (192.168.0.1:(none)):
331 Password required for (none).
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.

At a casual glance the server now appears to be a Windows host running Serv-U. Keep in mind that this only changes the greeting: the wording of the other replies (such as the 331 and 530 lines above) and the server's behaviour still identify ProFTPD to a fingerprinting tool, so treat the disguise as a nuisance for scanners rather than as a security control.

5. Run ProFTPD with non-root privileges

Run ProFTPD under an unprivileged user and group. In the configuration file:

Reference:

/etc/proftpd.conf:
User nobody
Group nogroup

# Run the FTP service as user nobody and group nogroup.

# Note: the shipped default is "Group nobody"; change it to "Group nogroup" (create the group first with groupadd nogroup if it does not exist).

With this configuration the master process still starts as root (it needs to bind port 21 and to chroot sessions), but it drops to nobody/nogroup before handling client commands. Running the session processes as nobody limits what an attacker gains from a buffer overflow or other flaw in the command handling: the compromised process no longer holds root privileges.

6. Monitor the running status of the ProFTPD server

A newly set-up ProFTPD server should be monitored for a while: record how many FTP connections there are and who is connected. ProFTPD ships with a couple of commands for this.

(1) Count the FTP connections

/usr/local/bin/ftpcount displays the number of users connected to the FTP server. You can combine it with watch:

Reference:

watch -n 360 /usr/local/bin/ftpcount

This refreshes the count every 360 seconds.

(2) Find out who is connected to the FTP server

/usr/local/bin/ftpwho shows who is connected. A simple output looks like this:

Reference:

Master proftpd process 8322:
 8387 0m1s  proftpd: sheila - reboot.intevo.com: IDLE
 8341 3m59s proftpd: kabir - k2.intevo.com: IDLE
   -  2 users

The output shows that two users (sheila and kabir) are connected from different machines. It also lists the ProFTPD child process serving each user and the process ID of the master ProFTPD process.

7. Modify the configuration file to harden the server

ProFTPD's configuration file resembles Apache's:

Single-line directives: ServerName, ServerType and the like

Multi-line container directives: <Directory> and <Limit>

If you have configured Apache before, this will look familiar. Many directives in /etc/proftpd.conf can be used to harden the server.

(1) Restrict FTP access by IP address

To allow only the host myhost.domain.com to reach the FTP server, first find its address:

ping myhost.domain.com

Suppose the IP address is 216.112.169.138. Add the following to the configuration file:

Reference:

<Limit LOGIN>
  Order allow,deny
  Allow from 216.112.169.138
  Deny from all
</Limit>

Do not put a host name after Allow: resolving names slows the server down, and names are easier to spoof than IP addresses because the check relies on DNS, which the attacker may control. If myhost.domain.com has no fixed address, its user will be locked out the next time the ISP hands out a different one; in that case grant access to the whole network instead, for example "Allow from 216.112.169." (the trailing dot denotes an address prefix; CIDR notation such as 216.112.169.0/24 is also accepted).

(2) Use PAM to authenticate ProFTPD users

ProFTPD can be built with PAM support and become a PAM-aware FTP server. PAM stands for Pluggable Authentication Modules.

PAM was originally developed by Sun and was soon adopted by the Linux community, which wrote many more modules. Its goal is a library for authenticating users that separates authentication from application development. For how PAM works, see the article on using SRP to build a secure Linux Telnet server (http://tech.ccidnet.com/art/302/20050915/333529_1.html).

Create /etc/pam.d/ftp by hand with the following contents:

Reference:

#%PAM-1.0
auth       required   /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required   /lib/security/pam_stack.so service=system-auth
auth       required   /lib/security/pam_shells.so
account    required   /lib/security/pam_stack.so service=system-auth
session    required   /lib/security/pam_stack.so service=system-auth

Each line has four fields:

module-type, control-flag, module-path and module-args. Of these, module-type (auth, account, session or password) and control-flag (required, requisite, sufficient or optional) matter most; see Table 1 and Table 2. In the stack above, the pam_listfile line denies every user named in /etc/ftpusers (put root and the other system accounts there), pam_shells rejects users whose login shell is not listed in /etc/shells, and pam_stack delegates the remaining checks to the system-wide system-auth stack. Note that onerr=succeed means a missing or unreadable /etc/ftpusers silently disables the deny list; onerr=fail is the safer choice.

Table-1 PAM module type

(3) chroot FTP users

The ProFTPD server should restrict the directories ordinary FTP users can reach. The configuration is simple: to keep members of the group skate from leaving their home directory after login, add one line:

DefaultRoot ~ skate

A member of that group then sees only his home directory as the root of the session. "DefaultRoot ~" without a group expression applies the restriction to all users.

(4) Restrict FTP command privileges

Prevent some users from creating or deleting directories.

If some users look suspicious, put them in a dedicated group (badusers) and use:

<Directory /*>
  <Limit MKD RMD>
    Order deny,allow
    DenyGroup badusers
    AllowAll
  </Limit>
</Directory>

Everyone except members of that group can still create and delete directories.

Create an upload-only FTP server.

To build a server that accepts uploads but allows no downloads, put the following in the main server or in a virtual host container:

<Directory /*>
  <Limit RETR>
    DenyAll
  </Limit>
</Directory>

Restrict users to a single directory.

<Directory /*>
  <Limit CWD>
    DenyAll
  </Limit>
</Directory>

FTP users can then no longer change directory. Using DenyGroup groupname instead of DenyAll narrows the restriction to the group groupname defined in /etc/group.

Restrict directory listing.

<Directory /my/mp3s>
  <Limit DIRS>
    DenyGroup newfriends
  </Limit>
</Directory>

This denies members of the newfriends group the DIRS command group (LIST, NLST and related commands) in /my/mp3s, so they cannot obtain a listing of that directory.
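The Allow/Deny logic that the <Limit LOGIN> example in (1) and the command limits above rely on is easy to get wrong, in particular the role of Order. The following Python model, added here as an example and not ProFTPD's own code, evaluates a <Limit> block the way the configurations on this page depend on: Order selects which family of directives is consulted first, the first matching directive decides, and a client matched by nothing falls through to an implicit allow (an assumption, and the reason the examples end with Deny from all or DenyAll). The clients, addresses and group names are constructed.

```python
"""Evaluate ProFTPD <Limit> directives: Allow/Deny from, AllowGroup/DenyGroup, AllowAll/DenyAll.

Added example, not ProFTPD code. Order selects which directive family is checked
first, the first match decides, and an unmatched client falls through to an
implicit allow (assumption). Host patterns: exact IP, trailing-dot prefix, CIDR.
"""
import ipaddress


def host_matches(pattern, ip):
    """Match one entry of an `Allow from`/`Deny from` list against a client IP."""
    pattern = pattern.strip()
    if pattern.lower() == "all":
        return True
    if "/" in pattern:                  # CIDR, e.g. 216.112.169.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):           # proftpd.conf prefix form, e.g. 216.112.169.
        return ip.startswith(pattern)
    return ip == pattern


def directive_matches(directive, client):
    """`directive` is one line as written inside <Limit>; `client` has ip, user, groups."""
    parts = directive.split(None, 1)
    verb, arg = parts[0], (parts[1] if len(parts) > 1 else "")
    if verb in ("AllowAll", "DenyAll"):
        return True
    if verb in ("AllowGroup", "DenyGroup"):
        return bool(set(arg.split(",")) & set(client["groups"]))
    if verb in ("AllowUser", "DenyUser"):
        return client["user"] in arg.split(",")
    if verb in ("Allow", "Deny") and arg.lower().startswith("from "):
        return any(host_matches(p, client["ip"]) for p in arg[5:].split(","))
    raise ValueError("unsupported directive: %r" % directive)


def limit_allows(directives, client, order="allow,deny", implicit_allow=True):
    """Decide whether `client` passes the <Limit> block made of `directives`."""
    allows = [d for d in directives if d.startswith("Allow")]
    denies = [d for d in directives if d.startswith("Deny")]
    first, second = (allows, denies) if order == "allow,deny" else (denies, allows)
    for directive in first + second:
        if directive_matches(directive, client):
            return directive.startswith("Allow")
    return implicit_allow          # nothing matched: no explicit decision was made


# Constructed clients and the two <Limit> blocks from the text.
OFFICE = {"ip": "216.112.169.138", "user": "kabir", "groups": ["users"]}
OUTSIDER = {"ip": "10.0.0.5", "user": "mallory", "groups": ["users", "badusers"]}
LOGIN_LIMIT = ["Allow from 216.112.169.138", "Deny from all"]   # <Limit LOGIN>, Order allow,deny
MKD_LIMIT = ["DenyGroup badusers", "AllowAll"]                  # <Limit MKD RMD>, Order deny,allow


def demo():
    """Evaluate the page's examples plus the misconfigurations that silently open them."""
    def probe(ip):
        return {"ip": ip, "user": "guest", "groups": []}

    return {
        "login_office": limit_allows(LOGIN_LIMIT, OFFICE),
        "login_outsider": limit_allows(LOGIN_LIMIT, OUTSIDER),
        "login_no_catchall": limit_allows(LOGIN_LIMIT[:1], OUTSIDER),      # Deny from all omitted
        "login_wrong_order": limit_allows(LOGIN_LIMIT, OFFICE, "deny,allow"),
        "mkd_badusers": limit_allows(MKD_LIMIT, OUTSIDER, "deny,allow"),
        "mkd_others": limit_allows(MKD_LIMIT, OFFICE, "deny,allow"),
        "mkd_wrong_order": limit_allows(MKD_LIMIT, OUTSIDER),              # default Order
        "prefix_hit": limit_allows(["Allow from 216.112.169.", "Deny from all"], probe("216.112.169.7")),
        "cidr_miss": limit_allows(["Allow from 216.112.169.0/24", "Deny from all"], probe("216.112.170.1")),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-18s %s" % (name, "allowed" if allowed else "denied"))
```

Two of the results are worth checking against your own configuration: drop the Deny from all and an outsider is admitted, and swap the Order of the <Limit MKD RMD> example and AllowAll is consulted before DenyGroup, so the badusers group regains the privilege.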

(5) Control the command buffer size

Many attacks on FTP servers send an overly long command in the hope of overflowing a server buffer. The CommandBufferSize directive limits the length of a client command line; 512 is the usual setting:

CommandBufferSize 512

This is a mitigation, not a substitute for running a patched version: it bounds the input but does not fix a vulnerable parser.

(6) Change the port the ProFTPD server listens on

When ProFTPD runs standalone, the listening port is set in proftpd.conf. Changing it is easy: set the "Port" directive (Port 21 by default) to the port you want. Moving the port hides the service from the most casual scans but is not a security control in itself.

(7) Hide entries users are not allowed to access

When you log in to an ISP's FTP server you sometimes see system files and directories you were never meant to see; such information should be hidden. The following configuration does that:

Reference:

DefaultRoot /www
<Directory /www>
  HideNoAccess on
  <Limit ALL>
    IgnoreHidden on
  </Limit>
</Directory>

HideNoAccess hides, in listings of /www, the entries the current user has no permission to access; IgnoreHidden tells ProFTPD to ignore any command that refers to such a hidden entry, so it cannot be reached even by guessing its name.

8. Create a secure anonymous ProFTPD site

If you only need to offer a few small files (a few megabytes) for download, an Apache web server can take the place of an anonymous FTP site. If files must be uploaded and downloaded frequently through an anonymous account, build a properly restricted anonymous ProFTPD server. The following /etc/proftpd.conf fragment allows uploads only into the incoming directory:

Reference:

<Anonymous ~ftp>
  User ftp
  Group ftp
  RequireValidShell off
  UserAlias anonymous ftp
  MaxClients 40
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
  <Directory incoming>
    <Limit WRITE>
      AllowAll
    </Limit>
    <Limit READ>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>

A server built from this automatically chroots anonymous sessions: the ftp user's home directory becomes the root of the anonymous site. The main directives do the following:

User and Group: anonymous sessions run as user ftp and group ftp.

RequireValidShell: the ftp account normally has no valid login shell listed in /etc/shells; this directive turns that check off so the ftp user can still be used for anonymous sessions.

UserAlias: maps the login name anonymous onto the ftp account, so clients can log in as either ftp or anonymous.

MaxClients: at most 40 anonymous connections; tune it to the load the system can take.

Directory containers: the two containers restrict the given directories.

The first <Directory *> container denies every user all write operations (upload, delete, rename, create and remove directories) everywhere in the site.

The second container grants write access inside the incoming subdirectory.

The last <Limit READ> ensures that files uploaded to incoming cannot be downloaded again, which stops the drop box from being used to trade files. Note that READ covers RETR but not directory listings, and WRITE also includes DELE and RNTO, so uploaders can still list and delete each other's uploads; add a <Limit DIRS> with DenyAll inside <Directory incoming> if listings should be hidden too, and rely on the operating system's ownership and permissions on incoming as a second line of defence.
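To see exactly which FTP commands the anonymous configuration above permits in which directory, here is a Python model, added as an example and not part of ProFTPD or of the original article. It flattens the <Directory>/<Limit> blocks into rules, maps commands onto ProFTPD's command groups (an abridged table; ProFTPD's own is longer), applies the most specific matching container, and lets the first <Limit> covering the command decide; a command no <Limit> covers is permitted, an assumption that matches the page's description. The paths, file names and the HARDENED_LIMITS variant are constructed.

```python
"""Which FTP commands the <Anonymous ~ftp> configuration permits where.

Added example, not ProFTPD code. <Directory>/<Limit> blocks are flattened to
(directory, limit argument, decision) rules; commands map onto ProFTPD's <Limit>
command groups (abridged); the most specific matching container is consulted
first and the first <Limit> covering the command decides. A command no <Limit>
covers is permitted (assumption). Paths are relative to the anonymous chroot.
"""

# Abridged from the ProFTPD <Limit> documentation; extend for your version.
COMMAND_GROUPS = {
    "READ":  {"RETR", "SIZE", "STAT"},
    "WRITE": {"APPE", "DELE", "MKD", "RMD", "RNTO", "STOR", "STOU"},
    "DIRS":  {"CDUP", "CWD", "LIST", "NLST", "PWD"},
}

# The configuration above, flattened. '*' is the <Directory *> catch-all.
ANON_LIMITS = [
    ("*", "WRITE", "DenyAll"),
    ("incoming", "WRITE", "AllowAll"),
    ("incoming", "READ", "DenyAll"),
]

# Constructed variant: also hide listings of the drop box (not on the page).
HARDENED_LIMITS = ANON_LIMITS + [("incoming", "DIRS", "DenyAll")]


def container_matches(directory, path):
    """A <Directory> applies to itself and everything beneath it; '*' applies everywhere."""
    if directory == "*":
        return True
    directory = directory.rstrip("/")
    return path == directory or path.startswith(directory + "/")


def commands_in(limit_arg):
    """A <Limit> argument is either a group name or explicit command names."""
    return COMMAND_GROUPS.get(limit_arg) or set(limit_arg.upper().split())


def permitted(limits, command, path):
    """True if `command` on `path` passes the flattened <Directory>/<Limit> rules."""
    command = command.upper()
    applicable = [rule for rule in limits if container_matches(rule[0], path)]
    # Most specific container first; '*' is least specific. The sort is stable,
    # so <Limit> blocks inside one container keep their file order.
    applicable.sort(key=lambda rule: 0 if rule[0] == "*" else len(rule[0]), reverse=True)
    for _directory, limit_arg, decision in applicable:
        if command in commands_in(limit_arg):
            return decision == "AllowAll"
    return True                       # no <Limit> covers the command


def demo(limits):
    """Constructed anonymous session; returns 'COMMAND path' -> permitted."""
    attempts = [
        ("STOR", "incoming/upload.bin"),
        ("RETR", "incoming/upload.bin"),
        ("LIST", "incoming"),
        ("DELE", "incoming/someone-elses.bin"),
        ("STOR", "pub/evil.bin"),
        ("RETR", "pub/readme.txt"),
    ]
    return {"%s %s" % (cmd, path): permitted(limits, cmd, path) for cmd, path in attempts}


if __name__ == "__main__":
    for label, rules in (("page config", ANON_LIMITS), ("with <Limit DIRS>", HARDENED_LIMITS)):
        print(label)
        for key, ok in demo(rules).items():
            print("  %-32s %s" % (key, "allowed" if ok else "denied"))
```

The replay confirms the page's intent (STOR into incoming allowed, RETR from it denied, STOR elsewhere denied) and exposes the two gaps noted above: LIST on incoming still succeeds until a <Limit DIRS> is added, and DELE succeeds because it belongs to the WRITE group that AllowAll opened.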

III. Secure use of client tools

The measures above harden the server. The transmission path between client and server must also be protected against sniffing, especially when sensitive files are transferred. Uploading through SSH encrypts everything in transit, so an attacker who captures the traffic gains nothing useful.

SSH has many uses. It can replace telnet and provide a secure "transport channel" for protocols such as FTP and POP. In an insecure network environment it offers strong authentication and a well-protected communication channel. Note that SFTP is a separate file-transfer protocol carried over SSH and served by the SSH daemon's sftp-server subsystem, not by ProFTPD; the client therefore needs a shell account on the machine, and the ProFTPD configuration above does not apply to those transfers. (If FTP itself must be encrypted, ProFTPD's mod_tls module provides FTP over TLS.) On Linux two kinds of SSH-based tools are available: command-line and graphical.

1. Command line

As a system administrator I prefer the former. The sftp command opens a secure interactive FTP-like session: it works much like ftp except that it runs over an encrypted connection. Its general syntax is sftp username@hostname.com. Once authenticated, you can use a set of commands similar to those of ftp (get, put, ls, cd and so on).

2. Graphical tool: gFTP

If the command line seems complicated, gFTP is a secure and fast transfer tool that integrates with SSH to give a graphical encrypted transfer solution. gFTP is a multithreaded FTP client written in GTK+. It supports multithreaded downloads, resuming, the FTP, HTTP and SSH protocols, FTP and HTTP proxies, downloading entire directories, transfer queues and caching, and drag and drop; it is a good FTP client manager.

Many Linux distributions ship gFTP, or it can be downloaded from its official website (http://www.gftp.org/). Its working interface is shown in the figure below. In gFTP choose FTP > Options from the menu, select the SSH tab, enter /usr/libexec/openssh in the "SSH2 sftp-server path" box, tick "Need SSH user/pass", and click Save. Then, on the login bar, select SSH2 from the protocol drop-down next to the password field.

Enter the remote host name (or IP address), port (22), user name and password, and click Connect on the left to log in. Because this is an SSH login it requires an account on the server; it cannot replace anonymous FTP.

Figure: gFTP working interface

For Windows, FileZilla is recommended: a good open-source client with SFTP support and good Chinese localisation. The latest version at the time of writing was 2.2.16; official website: http://filezilla.sourceforge.net/. It lets you transfer data to and from the ProFTPD server securely and conveniently.

Conclusion: FTP (File Transfer Protocol) plays an important role in many network applications. Software is one of the most important resources on the Internet, and most of it is stored on FTP servers. The system administrator should keep security measures as painless for users as possible, and the network administrator should settle on a reasonable level of user "pain", meaning the friction that security restrictions impose. This article has described how to harden FTP applications from the server to the client.
