Securing FTP
The File Transfer Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be carefully configured.
Community Enterprise Linux provides three FTP servers.

- gssftpd - A Kerberos-aware xinetd-based FTP daemon that does not transmit authentication information over the network.
- CentOS Content Accelerator (tux) - A kernel-space Web server with FTP capabilities.
- vsftpd - A standalone, security oriented implementation of the FTP service.

The following security guidelines are for setting up the vsftpd FTP service.

FTP Greeting Banner

Before submitting a username and password, all users are presented with a greeting banner. By default, this banner includes version information useful to crackers trying to identify weaknesses in a system.

To change the greeting banner for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:

ftpd_banner=<insert_greeting_here>

Replace <insert_greeting_here> in the above directive with the text of the greeting message.

For multi-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called /etc/banners/. The banner file for FTP connections in this example is /etc/banners/ftp.msg. Below is an example of what such a file may look like:

#########
# Hello, all activity on ftp.example.com is logged.
#########

It is not necessary to begin each line of the file with 220 as specified in "TCP Wrappers and Connection Banners".

To reference this greeting banner file for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:

banner_file=/etc/banners/ftp.msg

Make sure that you specify the path to the banner file correctly in /etc/vsftpd/vsftpd.conf, or else every attempt to connect to vsftpd will result in the connection being closed immediately and a OOPS: cannot open banner <path_to_banner_file> error message.

Note that the banner_file directive in /etc/vsftpd/vsftpd.conf takes precedence over any ftpd_banner directives in the configuration file: if banner_file is specified, then ftpd_banner is ignored.

It also is possible to send additional banners to incoming connections using TCP Wrappers as described in "TCP Wrappers and Connection Banners".

Anonymous Access

The presence of the /var/ftp/ directory activates the anonymous account.

The easiest way to create this directory is to install the vsftpd package. This package establishes a directory tree for anonymous users and configures the permissions on directories to read-only for anonymous users.

By default the anonymous user cannot write to any directories.

If enabling anonymous access to an FTP server, be aware of where sensitive data is stored.

Anonymous Upload

To allow anonymous users to upload files, it is recommended that a write-only directory be created within /var/ftp/pub/.

To do this, type the following command:

mkdir /var/ftp/pub/upload

Next, change the permissions so that anonymous users cannot view the contents of the directory:

chmod 730 /var/ftp/pub/upload

A long format listing of the directory should look like this:

drwx-wx--- 2 root ftp 4096 Feb 13 20:05 upload

Administrators who allow anonymous users to read and write in directories often find that their servers become a repository of stolen software.

Additionally, under vsftpd, add the following line to the /etc/vsftpd/vsftpd.conf file:

anon_upload_enable=YES

User Accounts

Because FTP transmits unencrypted usernames and passwords over insecure networks for authentication, it is a good idea to deny system users access to the server from their user accounts.

To disable all user accounts in vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:

local_enable=NO

Restricting User Accounts

To disable FTP access for specific accounts or specific groups of accounts, such as the root user and those with sudo privileges, the easiest way is to use a PAM list file as described in "Disallowing Root Access". The PAM configuration file for vsftpd is /etc/pam.d/vsftpd.

It is also possible to disable user accounts within each service directly.

To disable specific user accounts in vsftpd, add the username to /etc/vsftpd.ftpusers

Use TCP Wrappers To Control Access

Use TCP Wrappers to control access to either FTP daemon as outlined in "Enhancing Security With TCP Wrappers".
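The following audit script is an added example, not part of this guide or of the vsftpd project. It checks a vsftpd.conf for the points covered in the banner, anonymous upload and user account sections above: that a banner is configured and, when banner_file is used, that the file is actually readable (the "OOPS: cannot open banner" failure mode), that local_enable=NO, and that, when anon_upload_enable=YES, the upload directory has the write-only mode 730 shown in the listing above. The function names, the sample configuration files and the temporary directory layout are constructed for this example; the mode check uses GNU stat as found on CentOS.

```shell
#!/bin/sh
# Added example (not from the guide): audit a vsftpd.conf and the anonymous
# upload directory against the hardening points described on this page.
# All function names and sample files below are constructed for this example.

# Value of a directive in a vsftpd.conf. vsftpd expects "name=value" at the
# start of a line; lines beginning with '#' are comments. If a directive
# appears more than once, the later line wins, so the last match is used.
conf_value() {
    # $1 = path to vsftpd.conf, $2 = directive name
    grep "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

# Banner check. banner_file takes precedence over ftpd_banner and must be
# readable, otherwise vsftpd closes every connection with
# "OOPS: cannot open banner". With neither set, the default banner that
# includes the version string is shown.
check_banner() {
    bf=$(conf_value "$1" banner_file)
    if [ -n "$bf" ]; then
        [ -r "$bf" ] && return 0
        echo "FAIL banner_file=$bf is not readable"
        return 1
    fi
    [ -n "$(conf_value "$1" ftpd_banner)" ] && return 0
    echo "FAIL no ftpd_banner or banner_file: version string is disclosed"
    return 1
}

# System accounts must be denied: FTP sends their passwords in clear text.
check_local_disabled() {
    [ "$(conf_value "$1" local_enable)" = "NO" ] && return 0
    echo "FAIL local_enable is not NO"
    return 1
}

# If anonymous upload is enabled, the upload directory must exist and be
# write-only for the ftp group: mode 730 (drwx-wx---). Uses GNU stat.
check_upload_dir() {
    # $1 = path to vsftpd.conf, $2 = upload directory
    [ "$(conf_value "$1" anon_upload_enable)" = "YES" ] || return 0
    [ -d "$2" ] || { echo "FAIL anon_upload_enable=YES but $2 is missing"; return 1; }
    mode=$(stat -c %a "$2")
    [ "$mode" = "730" ] && return 0
    echo "FAIL $2 has mode $mode, expected 730"
    return 1
}

# Run all checks; the return value is the number of failed checks (0 = clean).
audit_vsftpd() {
    failures=0
    check_banner "$1" || failures=$((failures + 1))
    check_local_disabled "$1" || failures=$((failures + 1))
    check_upload_dir "$1" "$2" || failures=$((failures + 1))
    return $failures
}

# Build a constructed demo tree under a temporary directory: a weak config
# next to a hardened one, a 730 upload directory and a default-mode one.
# Prints the temporary directory path.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/banners" "$tmp/pub/upload" "$tmp/pub/open_upload"
    chmod 730 "$tmp/pub/upload"
    printf '#########\n# Hello, all activity on ftp.example.com is logged.\n#########\n' \
        > "$tmp/banners/ftp.msg"
    # Weak: local logins allowed, upload enabled, banner path misspelled
    printf 'anonymous_enable=YES\nlocal_enable=YES\nanon_upload_enable=YES\nbanner_file=/nonexistent/ftp.msg\n' \
        > "$tmp/weak.conf"
    # Hardened as described on this page
    printf 'anonymous_enable=YES\nlocal_enable=NO\nanon_upload_enable=YES\nbanner_file=%s\n' \
        "$tmp/banners/ftp.msg" > "$tmp/hardened.conf"
    echo "$tmp"
}

# Usage: sh audit_vsftpd.sh --demo   (runs both sample configs and cleans up)
if [ "${1:-}" = "--demo" ]; then
    t=$(make_demo_tree)
    echo "== weak =="
    audit_vsftpd "$t/weak.conf" "$t/pub/open_upload" || echo "$? check(s) failed"
    echo "== hardened =="
    audit_vsftpd "$t/hardened.conf" "$t/pub/upload" && echo "all checks passed"
    rm -rf "$t"
fi
```

To audit a real server, call audit_vsftpd with /etc/vsftpd/vsftpd.conf and /var/ftp/pub/upload; the echo lines name the first directive or path to fix, and the return value can drive a cron job or configuration management check. The script only reads the configuration and inode metadata, so it can run without changing anything.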