FTP Server | Security
Anonymous FTP is a very common service on the network, often used by software download and software exchange sites. To improve the security of anonymous FTP service, we discuss a number of issues here.
The following settings are compiled from the experience and suggestions of a number of sites accumulated over time. We recognize that individual sites have different requirements and may choose a different set of options.
I. Configuring anonymous FTP
A. FTP daemon
Sites must ensure that the latest version of the FTP daemon is in use.
B. Setting up the anonymous FTP directories
The root directory of anonymous FTP (~ftp) and its subdirectories must not be owned by the ftp account or by an account in the same group as ftp. This is a common configuration problem. If these directories are owned by ftp or by an account in the same group as ftp, and are not write-protected, an intruder can add files (for example, .rhosts) or modify existing files. Many sites use the root account for this purpose: make root the owner of the anonymous FTP root directory and its subdirectories, assign them to an administrative group such as system, and set the mode so that only root has write permission (for example, chmod 0755). This helps you maintain the security of the FTP service.
The following is an example of an anonymous FTP directory setting:
    drwxr-xr-x  7 root  system  1 15:17 ./
    drwxr-xr-x    root  system  4 11:30 ../
    drwxr-xr-x  2 root  system    15:43 bin/
    drwxr-xr-x  2 root  system    16:23 etc/
    drwxr-xr-x    root  system  5 10:54 pub/
All files and libraries, especially those used by the FTP daemon and those in ~ftp/bin and ~ftp/etc, should be protected in the same way as the directories in the example above. These files and libraries must not be owned by the ftp account or by an account in the same group as ftp, and they must also be write-protected.
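The following script is an added example, not part of the CERT document: it builds the ~ftp skeleton described in section B and then audits it for the two mistakes the text warns about (entries owned by someone other than the intended owner, such as the ftp account, and directories or files writable by group or others). The function names, the layout under a scratch directory and the "demo" argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the CERT document: build the ~ftp skeleton from
# section B and audit it for the mistakes the text warns about.
# Paths, function names and the scratch-directory demo are assumptions.

# make_ftp_tree ROOT: create bin/ etc/ pub/ under ROOT with mode 0755.
# When run as root the tree is chowned to root; an unprivileged run keeps
# the caller as owner (chown to root is not possible without privilege).
make_ftp_tree() {
    root=$1
    umask 022
    mkdir -p "$root/bin" "$root/etc" "$root/pub"
    chmod 0755 "$root" "$root/bin" "$root/etc" "$root/pub"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root "$root"
    fi
    return 0
}

# audit_ftp_tree ROOT [OWNER]: list every entry under ROOT that is not
# owned by OWNER (default root) or that is writable by group or others.
# Prints one line per problem; returns 0 when the tree is clean, 1 otherwise.
audit_ftp_tree() {
    root=$1
    owner=${2:-root}
    status=0
    # anything owned by another account, e.g. the ftp account itself
    bad=$(find "$root" ! -user "$owner" -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed "s/^/not owned by $owner: /"
        status=1
    fi
    # anything group- or world-writable: the .rhosts-planting scenario
    bad=$(find "$root" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/writable by group or others: /'
        status=1
    fi
    return $status
}

# Stand-alone demonstration on a scratch tree:  sh ftp-tree.sh demo
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    make_ftp_tree "$scratch"
    audit_ftp_tree "$scratch" "$(id -un)" && echo "clean tree: $scratch"
    chmod 0777 "$scratch/pub"          # reproduce the classic mistake
    audit_ftp_tree "$scratch" "$(id -un)" || echo "problems found, as expected"
    ls -la "$scratch"
    rm -rf "$scratch"
fi
```

Run the audit against the real ~ftp with the default owner (root) after any change to the tree; the ownership check is what catches a subdirectory that was unpacked from an archive as the ftp user, and the permission check catches the world-writable pub/ that invites uploads of .rhosts or other files.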
C. Using proper password and group files
We strongly recommend that sites not use the system's /etc/passwd as the password file in the ~ftp/etc directory, nor the system's /etc/group as the group file in the ~ftp/etc directory. Placing these files in ~ftp/etc allows intruders to obtain copies of them. These files are optional and are not used for access control.
We recommend using dummy versions of ~ftp/etc/passwd and ~ftp/etc/group. These files must be owned by root. The dir command uses these dummy files to display the owner and group names of files and directories. Sites must ensure that ~ftp/etc/passwd contains no account names that are identical to those in the system's /etc/passwd. These files should contain only the names of the owners and groups of files and directories in the FTP hierarchy that need to be displayed. Also, make sure that the password field has been disabled, for example by replacing it with "*".
The following is an example of the password file used for anonymous FTP at CERT:
    ssphwg:*:3144:20:Site Specific Policy Handbook Working Group::
    cops:*:3271:20:COPS Distribution::
    cert:*:9920:20:CERT::
    tools:*:9921:20:CERT Tools::
    ftp:*:9922:90:Anonymous FTP::
    nist:*:9923:90:NIST Files::
The following is an example of the group file used for anonymous FTP at CERT:
    cert:*:20:
    ftp:*:90:
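As an added example (not part of the CERT document), the script below checks a dummy ~ftp/etc/passwd and ~ftp/etc/group against the rules of section C: the password fields must be disabled with "*", and no account name in the dummy passwd file may also exist in the system's /etc/passwd. It goes one step beyond the text by also checking that every group id used in the dummy passwd file has a name in the dummy group file, since otherwise dir would show a bare number. The sample files, the function names and the scratch-directory layout are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the CERT document: sanity-check the dummy
# ~ftp/etc/passwd and ~ftp/etc/group files described in section C.
# Function names, file layout and the sample entries are assumptions.

# check_ftp_passwd FTP_PASSWD SYSTEM_PASSWD
# Rules: 7 colon-separated fields, password field must be "*", and no
# account name may also appear in the real system passwd file.
# Prints one line per violation; returns 0 when clean, 1 otherwise.
check_ftp_passwd() {
    awk -F: '
        BEGIN { bad = 0 }
        NR == FNR { sysnames[$1] = 1; next }      # first file: system passwd
        /^[[:space:]]*$/ { next }
        NF != 7 { print "malformed entry on line " FNR ": " $0; bad = 1; next }
        $2 != "*" { print "password field not disabled for " $1; bad = 1 }
        ($1 in sysnames) { print "account " $1 " also exists in the system passwd file"; bad = 1 }
        END { exit bad }
    ' "$2" "$1"
}

# check_ftp_group FTP_GROUP FTP_PASSWD
# Rules: 4 fields, password field "*", and every gid used in the dummy
# passwd file must have a name here (extra check, not stated by the text).
check_ftp_group() {
    awk -F: '
        BEGIN { bad = 0 }
        NR == FNR { if (NF == 7) used[$4] = $1; next }   # first file: dummy passwd
        /^[[:space:]]*$/ { next }
        NF != 4 { print "malformed group entry on line " FNR ": " $0; bad = 1; next }
        $2 != "*" { print "group password field not disabled for " $1; bad = 1 }
        { seen[$3] = 1 }
        END {
            for (g in used) if (!(g in seen)) {
                print "gid " g " (used by " used[g] ") has no group name"; bad = 1
            }
            exit bad
        }
    ' "$2" "$1"
}

# write_sample_files DIR: constructed sample files for a stand-alone run.
write_sample_files() {
    dir=$1
    # constructed stand-in for the real /etc/passwd
    cat > "$dir/system-passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
    # dummy ~ftp/etc/passwd: only names dir needs to display, passwords disabled
    cat > "$dir/ftp-passwd" <<'EOF'
cert:*:9920:20:CERT::
tools:*:9921:20:CERT Tools::
nist:*:9923:90:NIST Files::
EOF
    # dummy ~ftp/etc/group
    cat > "$dir/ftp-group" <<'EOF'
cert:*:20:
ftp:*:90:
EOF
    # deliberately bad dummy passwd: reuses real account names, one empty
    # password field, and a gid with no entry in the dummy group file
    cat > "$dir/ftp-passwd.bad" <<'EOF'
ftp:*:9922:90:Anonymous FTP::
alice::1000:1000:Alice::
EOF
}

# Stand-alone demonstration:  sh ftp-files.sh demo
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    write_sample_files "$scratch"
    check_ftp_passwd "$scratch/ftp-passwd" "$scratch/system-passwd" && echo "dummy passwd ok"
    check_ftp_group "$scratch/ftp-group" "$scratch/ftp-passwd" && echo "dummy group ok"
    check_ftp_passwd "$scratch/ftp-passwd.bad" "$scratch/system-passwd" || echo "bad passwd rejected"
    check_ftp_group "$scratch/ftp-group" "$scratch/ftp-passwd.bad" || echo "bad passwd gid rejected"
    rm -rf "$scratch"
fi
```

On a real system the calls are check_ftp_passwd ~ftp/etc/passwd /etc/passwd and check_ftp_group ~ftp/etc/group ~ftp/etc/passwd. Note that a dummy file copied from the real /etc/passwd fails both the name-overlap rule and the "*" rule, which is exactly the configuration the section warns against.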
II. Providing writable directories in your anonymous FTP configuration
Allowing an anonymous FTP service to let users store files is risky. We strongly advise sites not to create an upload directory automatically unless the associated risks have been considered. CERT/CC incident response staff have received reports of many incidents in which upload directories were used for the illegal transfer of copyrighted software or for exchanging account and password information. They have also received reports of file systems being maliciously filled, causing denial of service problems.
This section discusses three methods of addressing this problem. The first is to use a modified FTP daemon. The second is to restrict writes to a specific directory. The third is to use a separate directory.
A. Modified FTP daemon