Linux FTP Server Setup and FTP server intrusion and defense

Source: Internet
Author: User
Tags ftp client ftp protocol password protection



FTP is the abbreviation for file Transfer Protocol(document Transfer Protocol), and Chinese is called "Interfax protocol". Used for Two-way transmission of control files on the Internet.



with most like Internet services,FTP is also a client / Server System. The user connects to the FTP server program on the remote host through a client program that supports the FTP protocol . The user sends commands to the server program through the client program, the server executes the commands issued by the user, and returns the results of the execution to the client.







User Category



Real Account



This type of user refers to the The FTP service has an account number. When such a user logs on to an FTP server, its default home directory is the directory named by its account. However, it can also be changed to other directories. such as the system's home directory and so on.



Guest User



in the in an FTP server, we often set up an account for different departments or for a specific user. However, this account has the feature that it can only access its own home directory. This way the server protects the security of other files on the FTP service. This type of account, in Vsftpd software, is called the Guest user. An account with such a user can access only the directory under its home directory and not the files outside the home directory.





Anonymous(anonymous) User



This is also what we usually call anonymous access. This type of user means that no account is specified on the FTP server, but it can still access some publicly available resources anonymously.



in the Build FTP Server, we need to classify users according to their type. By default,theVsftpd Server will attribute all established accounts to Real users. However, this often does not meet the needs of enterprise security. Because this type of user can not only access their own home directory, but also access to other users ' directories. This will give other users the space to bring a certain security risks.





In the TCP/IP protocol,theFTP standard command TCP port number is The mode data port is . The task of FTP is to transfer files from one computer to another computer, without the limitation of the operating system.



the computer that requires remote file transfer must have the FTP client installed and running .



Another way to start the FTP client work is to use the browser, format::ftp://[ username: password @]ftp Server domain name:[ port number ]









General steps for Server installation:



1. installation Test Rpm-qa | grep Package Name



2. detects that installation is not installed



3.yum Install package name



4. Detect and start



Rpm-qa | grep Package Name



Chkconfig Service Name on set the server to boot







Package file name: VSFTPD service Name:vsftpd



Mount the disc and install it with Yum (the local Yum source is already in the previous blog)











Use the RPM command to view the next VSFTPD package.








CD/ETC/VSFTPD and LS view below.








Ftpusers is the user control file, the user in this file, the default is not allowed to use the vsftpd service








User_list the default function is the same as the first one, but with configuration, we can make the vsftpd service available only to users in the second file , so that the newly added user does not automatically have vsftp to make the vsftpd server more secure








vsftpd_conf_migrate.sh are Some variables and settings for the vsftpd operation (ignorable)





vsftpd.conf , configuring vsftpd, which is the file that we most operate







built ftp/etc/passwd There's a lot more Span style= "FONT-FAMILY:CALIBRI;" >ftp user name, see shell /sbin/nologinthat this is a virtual user, does not have access to the login system. He can only use vsftpd such as server login, and home directory is not under// , and under /var/ftp , in the anonymous login, the system default user is FTP users, you can use ll-d/var/ftp view under Permissions is 755 , this permission is generally good by default.




The next FTP server is now tested on Windows .








Set the anonymous Allow upload feature



Modify Directory Permissions First








Anonymous_enable=yes



whether to allow anonymous FTP ( default is YES), or select NO, based on user name and password access. (a)





Anon_upload_enable=yes (27)





Anon_mkdir_write_enable=yes (31)



whether anonymous FTP users are allowed to upload (which is not supported by default), uncomment the two lines







in Windows testing, you can upload it anonymously. But it is forbidden to delete.







Anonymity is always unsafe, and there is a user-based access and upload



Anonymous mode is not allowed to be used first.








2. Create a virtual user



First create a user, and then modify the user's login shell for nologin, so that users can not log on the system, only use the service within FTP , and then use passwd test to modify the password





Sevrice vsftpd Restart restarting the FTP service is possible.





With Windows authentication, a user name and password are required.



The access path is the home directory of test, with permission to upload and download.





Intrusion to FTP



More people think that there is a "universal" approach to attack on the Internet, for reasons and simplicity, because the existence of "brute force" (or poor lifting) is destined to never end the cyber attack. As a widely used protocol,FTP is frequently encountered by attackers who attack brute force.



1. The famous X-scan, is one of the well-known comprehensive flaw detection, security scanners, completely no fee, is not required to install green software. There is a weak ftp password, the plugin loaded into the dictionary for the FTP weak password detection.



2. Flooding the serv-u FTP Server Vulnerability attack



As one of the most used FTP servers in the country,Serv-u is undoubtedly successful, but the so-called tall tree catches, attacks against serv-u FTP server have never been terminated and there is a more aggressive posture.



With Serv-u, users can set up any pc as an FTP server so that users or other consumers can use the FTP protocol, via any pc on the same network and FTP Server connection, file or directory copy, move, create and delete.





Serv-u FTP Server Overflow Vulnerability



Affected Systems:



Rhinosoft Serv-u 5.0



Rhinosoft Serv-u 4.x



Rhinosoft Serv-u 3.x



Rhinosoft Serv-u 2.x



Serv-u is missing the correct buffer bounds check when processing the parameters of the "MDTM" command, a remote attacker could exploit the vulnerability to buffer overflow attacks on the FTP service, possibly with FTP Process permissions execute arbitrary instructions on the system.



Serv-u provides the FTP command "MDTM" for the user to change the file time, when the user successfully logs on to the system, and sends the malformed time zone data as the command parameter, can trigger buffer overflow, carefully build parameter data may be FTP Process permissions execute arbitrary instructions on the system.



Exploiting this vulnerability requires that a user have a legitimate account to log on to the system, but no write and other permissions are required.











Building high-security use of FTP servers








1. Avoid jump attacks



To avoid jump attacks, the server should not open the data link to a TCP port number less than 1024.



Restricted access



Some FTP servers wish to have network address-based access control. In this case, the server should first ensure that the network address of the remote host is within the scope of the organization, whether it is a control connection or a data connection, before sending a restricted file. By examining the two connections, the server is protected from this situation: the control connection is connected with a trusted host connection and the data connection is not. Similarly, customers should examine the IP address of the remote host after receiving an open port connection in the listening mode to ensure that the connection is established by the desired server.



2. Password protection



to reduce the risk of brute-force password guessing attacks over FTP servers, it is recommended that the server limit attempts to send The number of times the password is correct. After several attempts (three to five times), the server should end up with the customer's control connection.






3. Anonymous FTP



The anonymous FTP service enables clients to connect to the FTP server to share common files with minimal proof. If such a user can read all the files on the system or can create files, then the problem arises






Here is a simple explanation, http://down.51cto.com/data/2241389 "Hacker FTP attack analysis and practical defense technology Fine Solution" This book will be the FTP protocol and services resolved very thoroughly, the FTP intrusion and defense also summarized very carefully.



This article is from the "Smokers" blog, please be sure to keep this source http://wt7315.blog.51cto.com/10319657/1852413



Linux FTP Server Setup and FTP server intrusion and defense


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.