VSFTP helps you improve the security of the FTP server

Source: Internet
Author: User
Tags ftp protocol

1. Prohibit system-level users from logging on to the FTP server.
To improve the security of the FTP server, the system administrator should set up a separate FTP account for each employee rather than handing system-level accounts to ordinary users, which creates a serious security risk. On the VSFTP server, the configuration file vsftpd.ftpusers manages which accounts may log on. This file is a blacklist: the accounts listed in it cannot log on to the FTP server. After deploying the VSFTP server, open the file with the vi command and you will find that it already contains many default accounts, including the system's superuser root. In other words, for security reasons the VSFTP server by default prohibits the root account from logging on to the FTP server. If the system administrator wants root and other system accounts to be able to log on to the FTP server, the relevant user names, such as root, have to be deleted from this configuration file. However, allowing system accounts to log on to the FTP server weakens its security, so I do not recommend doing this. Leave the system accounts in this file as they are.
If you need to disable other accounts for other reasons, add the account names to this file. For example, the FTP server and a database server may be deployed on the same machine. To ensure security, it is good practice to add the database administrator's account to this blacklist.
2. Strengthen control over anonymous users.
Anonymous users are users who have no account defined on the FTP server, but whom FTP system administrators still need to let log on for ease of management. Because they have not been authorized by the server, their permissions must be restricted to improve server security. On the VSFTP server, many parameters can be used to control the permissions of anonymous users. The system administrator must configure them according to the security level the FTP server requires. Note that the stricter the permission control for anonymous users, the higher the security of the FTP server, but the less convenient access becomes for users. The system administrator therefore has to strike a balance between server security and convenience.

The following are the configurations I recommend for anonymous users. If you do not know how to configure them, use these as a reference. They take both server security and user convenience into account.

First, the anon_world_readable_only parameter. This parameter mainly controls whether anonymous users can download readable files from the FTP server. If the FTP server is deployed inside the enterprise and is mainly used by its own employees, set this parameter to YES. Common enterprise forms and other publicly accessible files can then be placed on the server, and employees can download them anonymously. This does not affect the security of the FTP server and makes things easier for employees.

The second is the anon_upload_enable parameter. This parameter determines whether a user can upload files to the FTP server during anonymous access. In general, set this parameter to NO, that is, do not allow users to upload files during anonymous access. Otherwise anyone can upload a file, and the company will suffer if someone uploads a virus-infected file. Anonymous users should therefore be prohibited from uploading files. There are exceptions, however. For example, some enterprises use the FTP protocol to back up files. In that case, if the security of the enterprise network is guaranteed, you can set this parameter to YES, that is, allow the operating system to call the FTP command to back up files to the FTP server.
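The following audit script is an added example, not part of the original article. It checks the two anonymous-user parameters and the blacklist file described above. The function names, the sample data and the rule that accounts with a UID below 1000 count as system accounts are assumptions made for illustration.

```python
# Added example: audit the vsftpd settings discussed above. All sample data is constructed.
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",  # vsftpd built-in defaults
            "anon_upload_enable": "NO", "anon_world_readable_only": "YES"}
TRUE_VALUES = {"YES", "TRUE", "1"}

def parse_conf(text):
    """Parse vsftpd.conf 'option=value' lines; lines starting with '#' are comments."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip().upper()
    return opts

def parse_blacklist(text):
    """Account names listed in the ftpusers blacklist, one per line."""
    lines = (l.strip() for l in text.splitlines())
    return {l for l in lines if l and not l.startswith("#")}

def system_accounts(passwd_text, uid_max=999):
    """Names from passwd-format text whose UID is <= uid_max (assumed threshold)."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and int(fields[2]) <= uid_max:
            names.add(fields[0])
    return names

def audit(conf_text, ftpusers_text, passwd_text):
    """Return a list of findings; an empty list means the checks passed."""
    opts = parse_conf(conf_text)
    on = lambda key: opts[key] in TRUE_VALUES
    findings = []
    if on("anonymous_enable"):
        # Anonymous upload only takes effect when write_enable is also on.
        if on("anon_upload_enable") and on("write_enable"):
            findings.append("anonymous upload is enabled")
        if not on("anon_world_readable_only"):
            findings.append("anon_world_readable_only is not YES")
    for name in sorted(system_accounts(passwd_text) - parse_blacklist(ftpusers_text)):
        findings.append(f"account '{name}' is not in the ftpusers blacklist")
    return findings

SAMPLE_CONF = "# constructed sample\nanonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"
SAMPLE_FTPUSERS = "# constructed sample\nroot\ndaemon\nbin\n"
SAMPLE_PASSWD = ("root:x:0:0::/root:/bin/bash\ndaemon:x:1:1::/:/usr/sbin/nologin\n"
                 "bin:x:2:2::/bin:/usr/sbin/nologin\npostgres:x:115:120::/var/lib/postgresql:/bin/bash\n"
                 "alice:x:1001:1001::/home/alice:/bin/bash\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_FTPUSERS, SAMPLE_PASSWD):
        print("FINDING:", finding)
```

In the constructed sample, the database account postgres is reported because it is a system account that is missing from the blacklist, which is the case described in section 1.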
