Securing FTP

The File Transfer Protocol (FTP) is an older TCP-based protocol designed to transfer files over a network. Because every transaction with the server, including user authentication, is sent unencrypted, it is considered an insecure protocol and should be configured carefully.

Red Hat Linux provides four FTP servers.

The following security guidelines are for setting up the wu-ftpd and vsftpd services.

Important

If you activate both the wu-ftpd and vsftpd services, xinetd will only activate vsftpd because it comes first alphabetically.

FTP Warning Banner

Returning a customized banner to FTP clients when they connect is a good idea, as it helps disguise what system the FTP server is running on. You can send banners to incoming connections either using TCP wrappers as described in the Section called TCP Wrappers and Connection Banners or as described below.

For vsftpd, add the following line to its xinetd configuration file, /etc/xinetd.d/vsftpd:

banner /etc/banners/warning.msg

For wu-ftpd, add the exact same line to its configuration file, /etc/ftpaccess.

The contents of the banner file for vsftpd should look something like this:

220-Hello, all activity on ftp.example.com is logged.

Note

The 220- prefix is not necessary in the banner file for wu-ftpd.

FTP Greeting Banner

After login, all users are presented with a greeting banner. By default, this banner includes version information, which is useful to crackers trying to identify weaknesses in the system.

To change the greeting banner for wu-ftpd, add the following directive to /etc/ftpusers:

greeting text <insert_greeting_here>

To change the greeting banner for vsftpd, add the following directive to /etc/vsftpd.conf:

ftpd_banner=<insert_greeting_here>

Anonymous Access

For both wu-ftpd and vsftpd, the presence of the /var/ftp/ directory activates the anonymous account.

The easiest way to create this directory is to install the anonftp package. This package sets up the directory tree for the anonymous user and sets the permissions so that anonymous users have read-only access.

By default the anonymous user cannot write to any directories.

Caution

If enabling anonymous access to an FTP server, be careful where you store sensitive data.

Anonymous Upload

If you want to allow anonymous users to upload, it is recommended that you create a write-only directory within /var/ftp/pub/.

To do this, type:

mkdir /var/ftp/pub/upload

Next, change the permissions so that anonymous users cannot see what is within the directory by typing:

chmod 733 /var/ftp/pub/upload

A long format listing of the directory should then look like this (mode 733 gives the owner full access and everyone else write and search access only, so files can be created but the contents cannot be listed):

drwx-wx-wx    2 root     ftp          4096 Aug 20 18:26 upload
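The two commands above, as an added example that is not part of the original guide: a small shell script that creates the write-only upload directory under a base directory of your choosing (so it can be tried in a scratch location rather than /var/ftp/pub), applies mode 733, and then verifies that "others" can write to and traverse the directory but not list it. The helper names and the use of a scratch directory are assumptions made for the demonstration.

```shell
# Added example, not from the Red Hat guide. Assumes GNU/Linux coreutils
# (mkdir, chmod, ls, cut, id). The chown to root:ftp is only attempted when
# running as root, because the ftp group may not exist on a test machine.

make_upload_dir() {
    # $1 = base directory standing in for /var/ftp/pub
    base="$1"
    dir="$base/upload"
    mkdir -p "$dir" || return 1
    # 733 = rwx for the owner, wx for group and others: anyone may create
    # files inside, but nobody except the owner can list the contents.
    chmod 733 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:ftp "$dir" 2>/dev/null || true
    fi
    printf '%s\n' "$dir"
}

# Print the symbolic mode string of a path (first field of ls -ld),
# for example "drwx-wx-wx" for a directory with mode 733.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when "others" have write and search access but no read access,
# which is the property the upload directory relies on; 1 otherwise.
# Character positions: 1 = type, 2-4 = owner, 5-7 = group, 8-10 = others.
is_write_only_for_others() {
    m=$(mode_string "$1")
    case "$m" in
        d??????-wx) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration in a scratch directory so nothing under /var/ftp is touched.
scratch=$(mktemp -d)
created=$(make_upload_dir "$scratch")
echo "created: $created"
echo "mode:    $(mode_string "$created")"
if is_write_only_for_others "$created"; then
    echo "check:   write-only for anonymous users (OK)"
else
    echo "check:   directory is listable or not writable (FIX)"
fi
rm -rf "$scratch"
```

To apply it to the real tree, call make_upload_dir /var/ftp/pub as root; the check function can be reused afterwards to confirm that nobody has loosened the mode since.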

Warning

Administrators who allow anonymous users to both read and write in directories often find that their server becomes a repository of stolen software.

User Accounts

Because FTP passes unencrypted usernames and passwords over insecure networks for authentication, it is a good idea to deny system users access to the server from their user accounts.

To disable user accounts in wu-ftpd, add the following directive to /etc/ftpusers:

deny-uid *

To disable user accounts in vsftpd, add the following directive to /etc/vsftpd.conf:

local_enable=NO
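The two vsftpd.conf settings recommended in this section and in the FTP Greeting Banner section above (a custom ftpd_banner so the default version-revealing greeting is not sent, and local_enable=NO so system accounts cannot authenticate over cleartext FTP) are easy to audit. The following shell script is an added example, not part of the original guide or of vsftpd: it reads key=value directives from a vsftpd.conf and reports which of the two recommendations are missing. The two sample configuration files it writes are constructed for the demonstration, and the helper names are assumptions.

```shell
# Added example, not from the Red Hat guide. Assumes vsftpd's "key=value"
# configuration syntax with '#' comment lines and no spaces around '='.

# Print the value of a directive, or nothing if it is unset or commented out.
# The last occurrence wins, matching a later line overriding an earlier one.
vsftpd_get() {
    # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Report findings for this section's recommendations, one per line.
# Exit status 1 if there is at least one finding, 0 if the file is clean.
audit_vsftpd_conf() {
    conf="$1"
    rc=0
    banner=$(vsftpd_get "$conf" ftpd_banner)
    if [ -z "$banner" ]; then
        echo "ftpd_banner not set: default greeting reveals the server version"
        rc=1
    fi
    # vsftpd treats boolean values case-insensitively, so compare in upper case.
    le=$(vsftpd_get "$conf" local_enable | tr '[:lower:]' '[:upper:]')
    if [ "$le" != "NO" ]; then
        echo "local_enable is '${le:-unset}', not NO: system accounts can log in with cleartext passwords"
        rc=1
    fi
    return $rc
}

# Constructed sample configurations for the demonstration.
write_sample_confs() {
    # $1 = directory to write weak.conf and hardened.conf into
    cat > "$1/weak.conf" <<'EOF'
# constructed: resembles a stock install
anonymous_enable=YES
local_enable=YES
#ftpd_banner=Welcome to blah FTP service.
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed: applies this section's recommendations
anonymous_enable=YES
local_enable=NO
ftpd_banner=Hello, all activity on ftp.example.com is logged.
EOF
}

# Demonstration run in a scratch directory.
scratch=$(mktemp -d)
write_sample_confs "$scratch"
for f in weak hardened; do
    echo "== $f.conf"
    if audit_vsftpd_conf "$scratch/$f.conf"; then
        echo "no findings"
    fi
done
rm -rf "$scratch"
```

Run audit_vsftpd_conf /etc/vsftpd.conf on a live system; a non-zero exit status makes it usable from a configuration-check job, and further directives can be added to the function in the same pattern.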

Restricting User Accounts

The easiest way to disable a specific group of accounts, such as the root user and those with sudo privileges, from accessing the FTP server is to use a PAM list file as described in the Section called Disabling Root Using PAM in Chapter 4. The PAM configuration file for wu-ftpd is /etc/pam.d/ftp. The PAM configuration file for vsftpd is /etc/pam.d/vsftpd.

It is also possible to perform this check within each service directly.

To disable specific user accounts in wu-ftpd, add each username on its own line to /etc/ftpusers.

To disable specific user accounts in vsftpd, add each username on its own line to /etc/vsftpd.ftpusers.

Use TCP Wrappers To Control Access

You can use TCP wrappers to control access to either FTP daemon as outlined in the Section called Enhancing Security With TCP Wrappers.

Use xinetd To Control the Load

You can use xinetd to control the amount of resources the FTP server consumes and to limit the effects of denial of service attacks. See the Section called Enhancing Security With xinetd for more on how to do this.