Security Settings for FTP servers in Linux (1)

Source: Internet
Author: User

Anonymous FTP is a widely used service on the Internet; it is commonly used by software download and software exchange sites. To improve the security of anonymous FTP services, we discuss the issue here.
The following settings are compiled from the experience and suggestions accumulated by many sites in the past. We recognize that some sites will need different settings.
Setting up anonymous FTP
A. FTP daemon
The site must be sure to run the latest version of its FTP daemon.
B. Setting up the anonymous FTP directory
The anonymous FTP root directory (~ftp) and its subdirectories must not be owned by the ftp account or by an account in the same group as ftp. This is a common configuration mistake. If these directories are owned by the ftp account (or an account in ftp's group) and are not write-protected, an intruder can add files to them or modify existing files. Many sites therefore make root the owner of the anonymous FTP root directory and its subdirectories, set the group to system, and remove write permission from everyone else (for example, chmod 0755), so that only root can write there; this helps you keep the FTP service secure.
The following is an example of how an anonymous FTP directory is set up:

    drwxr-xr-x  7 root system  512 Mar  1 15:17 ./
    drwxr-xr-x 25 root system  512 Jan  4 11:30 ../
    drwxr-xr-x  2 root system  512 Dec 20 15:43 bin/
    drwxr-xr-x  2 root system  512 Mar 12 16:23 etc/
    drwxr-xr-x 10 root system  512 Jun  5 10:54 pub/
All files and shared libraries, especially those used by the FTP daemon and those in ~ftp/bin and ~ftp/etc, should be protected in the same way as the directories in the example above. These files and libraries must not be owned by the ftp account or by an account in the same group as ftp, and they must also be write-protected.
We strongly recommend that the site not use the system's /etc/passwd as the password file in ~ftp/etc, nor the system's /etc/group as the group file in ~ftp/etc. Placing copies of the system files in ~ftp/etc lets intruders obtain them. These files in ~ftp/etc are optional and are not used for access control.
We recommend using replacement files for ~ftp/etc/passwd and ~ftp/etc/group. These files must be owned by root. The DIR command (a directory listing) uses them to display the owner and group names of files and directories. The site must make sure that ~ftp/etc/passwd contains no account names that also appear in the system's /etc/passwd. These files should contain only the owner and group names of the files and directories in the FTP tree that need to be displayed. In addition, confirm that the password field is disabled, for example by replacing it with "*".
Example of the anonymous FTP password file at CERT:

    ssphwg:*:3144:20:Site Specific Policy Handbook Working Group::
    cops:*:3271:20:COPS Distribution::
    cert:*:9920:20:CERT::
    tools:*:9921:20:CERT Tools::
    ftp:*:9922:90:Anonymous FTP::
    nist:*:9923:90:NIST Files::

Example of the anonymous FTP group file at CERT:

    cert:*:20:
    ftp:*:90:
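As an added example (not code from the original article or from CERT), the following POSIX shell script applies the two rules above to an anonymous FTP tree: it lists anything owned by the ftp account or group, or writable by group or others, and it checks a replacement ~ftp/etc/passwd for disabled password fields and for login names that also exist in the system file. The FTP_USER variable, the function names, the constructed sample tree and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added audit example, not from the original article. FTP_USER (default
# "ftp"), the function names and the sample tree below are assumptions.

# List every path under $1 that is owned by the ftp user, is in the ftp
# group, or is group-/world-writable. Returns 1 if anything was listed.
# Uses GNU stat; BSD stat needs -f '%Su%t%Sg%t%Lp%t%N' instead.
audit_ftp_tree() {
    find "$1" -exec stat --printf '%U\t%G\t%a\t%n\n' {} + |
    awk -F '\t' -v u="${FTP_USER:-ftp}" '
        { why = ""
          if ($1 == u) why = why " owner=" u
          if ($2 == u) why = why " group=" u
          g = int($3 / 10) % 10; o = $3 % 10      # group and other octal digits
          if (int(g / 2) % 2 || int(o / 2) % 2) why = why " group/world-writable"
          if (why != "") { bad++; print $4 ":" why } }
        END { exit bad > 0 }'
}

# Check a replacement ~ftp/etc/passwd ($1): every password field must be
# "*" and no login name may also exist in the system file ($2, default
# /etc/passwd). Prints each problem; returns 1 if any were found.
check_ftp_passwd() {
    awk -F : -v sys="${2:-/etc/passwd}" '
        BEGIN { while ((getline l < sys) > 0) { split(l, f, ":"); seen[f[1]] = 1 } }
        NF < 2 { next }
        $2 != "*"    { bad++; print $1 ": password field is \"" $2 "\", expected \"*\"" }
        ($1 in seen) { bad++; print $1 ": also exists in " sys }
        END { exit bad > 0 }' "$1"
}

# Constructed sample tree and files so the script runs offline.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/ftp/bin" "$SAMPLE/ftp/etc" "$SAMPLE/ftp/pub" "$SAMPLE/ftp/incoming"
chmod 0755 "$SAMPLE/ftp" "$SAMPLE/ftp/bin" "$SAMPLE/ftp/etc" "$SAMPLE/ftp/pub"
chmod 0777 "$SAMPLE/ftp/incoming"        # the world-writable mistake warned about above
printf 'cert:*:9920:20:CERT::\ntools:*:9921:20:CERT Tools::\nftp:x:9922:90:Anonymous FTP::\n' \
    > "$SAMPLE/ftp/etc/passwd"           # constructed: "ftp" keeps a live password field
printf 'root:x:0:0:root:/root:/bin/sh\ncert:x:1001:1001::/home/cert:/bin/sh\n' \
    > "$SAMPLE/sys_passwd"               # constructed stand-in for /etc/passwd
chmod 0644 "$SAMPLE/ftp/etc/passwd" "$SAMPLE/sys_passwd"

audit_ftp_tree "$SAMPLE/ftp" || echo "tree: problems found"       # flags incoming/
check_ftp_passwd "$SAMPLE/ftp/etc/passwd" "$SAMPLE/sys_passwd" || echo "passwd: problems found"
```

Point audit_ftp_tree at the real ~ftp and call check_ftp_passwd with only the first argument to audit a live server against its own /etc/passwd.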
C. Providing writable directories on your anonymous FTP server
Allowing anonymous FTP users to store files carries risk. We strongly recommend that a site not create an upload directory unless the related risks have been considered. The CERT/CC has received many incident reports in which an upload directory was used to exchange illegally copied software or account and password information. Denial of service caused by maliciously filling the file system has also been reported.
This section describes three ways to address this problem. The first is to use a modified FTP daemon. The second is to restrict writing to specific directories. The third is to use a separate directory.
Modified FTP daemon
If your site plans to provide directories for file upload, we recommend using a modified FTP daemon to control access to the upload directories. This is the best way to avoid unnecessary writable areas. Some suggestions:
1. Prevent uploaded files from being downloaded again until the system administrator has inspected them and moved them to an appropriate location for users to download.
2. Restrict the size of each file uploaded in a session.
3. Limit the total amount of data uploaded according to the available disk space.
4. Add logging so that improper use can be detected early.
If you want to modify the FTP daemon, you can obtain the source code from your vendor, or you can obtain publicly available FTP daemon source code from the following locations:

    wuarchive.wustl.edu   ~ftp/packages/wuarchive-ftpd
    ftp.uu.net            ~ftp/systems/unix/bsd-sources/libexec/ftpd
    gatekeeper.dec.com    ~ftp/pub/DEC/gwtools/ftpd.tar.Z

These FTP daemons have not been formally inspected, evaluated, or endorsed. Which FTP daemon to use is a decision for each user or organization, and the CERT/CC recommends that each site make a thorough assessment before installing and using these programs.