Security strategy: How to Cleverly set secure anonymous FTP

Source: Internet
Author: User
Keywords Secure can FTP FTP server
The following settings are made up of experience and suggestions from many websites in the past. We think that we can make the website with individual requirements have different choices. Setting up an anonymous ftpa.ftp daemon site must determine that the current version of the FTP daemon is currently in use. B Set anonymous FTP directory anonymous FTP root directory (~FTP) and its subdirectories owners can not be FTP account, or the same group with FTP account. This is a common setup problem. If these directories are owned by FTP or an account with the same group as FTP, and do not protect against write protection, intruders may add files or modify other files. Now many sites have root accounts, if the root directory of anonymous FTP and subdirectory owner is root, the group is system, so only Root has write power, which can help you maintain the security of the FTP service??? The following is an example of an anonymous FTP directory: drwxr-xr-x 7 root System 1 15:17./drwxr-xr-x root System 4 11:30. /drwxr-xr-x 2 root system 15:43 bin/drwxr-xr-x 2 root system 16:23 Etc/drwxr-xr-x root system 512 June 5 10:54 pub/all file and link libraries, especially those that are used by FTP daemon and those in ~ftp/bin and ~ftp/etc, should be protected in the same way as the directories in the example above. These files and link libraries must not be owned by an FTP account or an account with the same group as FTP, but should also be prevented from writing. C. We strongly recommend that the Web site do not use the passwd in the system as a password file in the ~ftp/etc directory or/etc/group the system as a group file in the ~ftp/etc directory. Placing these files in the ~FTP/ETC directory will allow intruders to obtain them. These files are customizable and are not used for access control. We recommend that you use alternative documents in ~FTP/ETC/PASSWD and ~ftp/etc/group. These files must be owned by root. The dir command uses this alternative file to display the owner and group name of the file and directory. The Web site must determine that the ~/FTP/ETC/PASSWD file does not contain any account names that are identical to the passwd files in the system. These files should contain only the FTP hierarchy that needs to be displayedThe owner of the file and the directory and the name of the group to which it belongs. Also, make sure that the password field is "sorted". For example, use "*" to replace the password field. The following is an example of the password file for anonymous FTP in CERT ssphwg:*:3144:20:site specific Policy Handbook sharable group::cops:*:3271:20:cops:: Cert:*:9920:20:cert::tools:*:9921:20:cert tools::ftp:*:9922:90:anonymous ftp::nist:*:9923:90:nist Files:: The following is an example of a group file for anonymous FTP in cert CERT:*:20:FTP:*:90:II. Providing writable directories in your anonymous FTP allows an anonymous FTP service to allow users to store files at risk. We strongly advise the site not to automatically create an upload directory unless the associated risks have been considered. Cert Event-Return members receive many events that use the upload directory to cause illegal transfer of copyright software or Exchange account and password information. It also received a maliciously-crafted system file that caused Denialof service problems. This section discusses the use of three methods to solve this problem. The first method is to use a modified FTP daemon. The second method is to provide a write limit to a specific directory. The third method is to use a separate directory. A. Modified FTP Daemon If your site is planning to provide a directory for uploading files, we recommend that you use the modified FTP daemon to control access to the directory where the files are uploaded. This is the best way to avoid using an unwanted write area. Here are some suggestions: 1. The file can no longer be accessed by the System Manager, and then put to the appropriate location for download. 2. Limit the size of each uploaded data online. 3. Limit the total amount of data transfer according to the existing disk size. 4. Increase login records to detect improper use in advance. If you want to modify the FTP daemon, you should be able to get the program code from the manufacturer, or you can obtain a public FTP program from the following source code: wuarchive.wustl.edu ~ftp/packages/ Wuarchive-ftpdftp.uu.net ~ftp/systems/unix/bsd-sources/libexec/ftpdgatekeeper.dec.com ~ftp/pub/DEC/gwtools/ FTPD.TAR.ZCERT/CC did not formally detect, evaluate or endorse the mentioned FTP daemon. To useThe FTP daemon is determined by each user or organization, and CERT recommends that each agency make a thorough assessment before installing these programs. B. Using protected directories if you want to provide an uploaded service at your FTP station and you can't modify the FTP daemon, we can use a more complex directory architecture to control access. This method requires prior planning and does not fully prevent FTP writable areas from being improperly used, although many FTP stations still use this method. To protect the top-level directory (~ftp/incoming), we only give anonymous users access to the directory (chmod 751~ftp/incoming). This action will enable the user to change the directory location (CD) but not allow the user to view the contents of the directory. Ex:drwxr-x--x 4 root system 13:29 incoming/in ~ftp/incoming use some directory names that only allow you to let people know that they upload. In order to make it difficult for others to guess the directory name, we can use the rules to set the password to set the directory name. Please do not use the directory name example in this article (avoid being found with your directory name and upload file) drwxr-x-wx root system 13:54 June JAJWUTH2/DRWXR-X-WX Root System One 13:54 mhall-if/very important point is that once the directory name is unintentionally leaked out, then this method has no protective effect. As long as the directory name is known to most people, it is not possible to protect those areas that are limited to use. If the directory name is known, then you have to choose to delete or change those directory names. C. Use only one hard drive: if you want to provide an uploaded service at your FTP station, and you can't modify the FTP daemon, you can focus all uploaded data on the same file system that hangs (Mount) on the ~ftp/incoming. If possible, hang a separate hard drive on the ~ftp/incoming. System managers should keep an open view of this directory (~ftp/incoming) so that they can know if there is a problem with the uploaded directory. Restricting FTP user Directory anonymous FTP can be a good way to limit the user's activity only within the specified directory, but the official FTP user will not be restricted by default, so he is free to read files in the root directory, system directory, and other user's directory that allow other users to read. How can the specified user be restricted to their own directory like anonymous users? Here are some examples of Red hat and wu-ftp. 1 ChuangBuild a group, with the Groupadd command, you can generally use the FTP group, or any group name.-----Related commands: Groupadd ftpuser-----related files:/etc/group-----related help: Man groupadd2 create a user, such as TestUser, set up user AddUser command. If you have previously established testuser this user, you can directly edit the passwd file and add the user to the Ftpuser group.-----Related commands: AddUser TESTUSER-G Ftpuser-----Related documents: passwd-----Related help: Man adduser3 modify/etc/ftpaccess file, add Guestgroup definition: Guestgroup Ftpuser I changed it this way, plus the last 5 lines compress Yes Alltar Yes allchmod no Anonymousdelete no Anonymousoverwrite no Anonymousrename no anony Mouschmod Yes Guestdelete Yes Guestoverwrite Yes Guestrename Yes Guestguestgroup ftpuser in addition to Guestgroup Ftpuser this line, the other 4 lines are also added , otherwise the user login, although can achieve the user cannot return the goal of the superior directory, but can only upload, can not overwrite, delete files!-----related commands: vi/etc/ftpaccess-----Related documents:/etc/ftpaccess-----related help: Man Ftpaccess,man CHROOT4 copies the necessary files to the user's root directory, copies the directory of the FTP server, and copies the bin,lib two directories under/home/ftp/to the root of the user, because some commands (mainly LS) You need LIB support, otherwise you cannot list directories and files.-----Related commands: Cp-rf/home/ftp/lib/home/testuser;cp-rf/home/ftp/bin/home/testuser5 Also do not forget to turn off the user's Telnet right, otherwise it will be done in vain oh. Why not let the user Telnet? Very simple: Add a line of Dev to/etc/shells, and then edit the passwd text directly, you can set the user's shell to dev.-----Related commands: vi/etc/passwd This step can be done first when you create a user in step 2.-----Related commands: AddUser testuser-g ftpuser-s/ Dev/null Small experience: As long as the/home/ftp bin and Lib directory cp to the Skel directory, the new user will automatically the bin and Lib directory CP to the user directory, of course, you can add public_ HTML directories and CGI directories. After the above settings, TestUser all FTP actions for this user will be limited to his/home/testuser directory. Responsible Editor Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title of the party (0 votes) passing (0 Votes) Original: Security strategy: How to Cleverly set secure anonymous FTP Back to network security home

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.