The following is a brief list of tasks that must be done. Evildoers often break into a system by taking advantage of an improper setup or old, buggy software. Make sure you have the latest packages installed.
The proFTPd package is considered by many to be easy to configure and secure, so you may wish to download that. However, today most distributions provide vsftpd (very secure FTP). (Consider using `sftp` and `scp` instead, both part of `ssh`, and use the web for anonymous file downloads.)
Decide if an anonymous ftp site is needed, and whether or not to use TCP wrappers (`tcpd`); it is better to use them. The server discussed here is `vsftpd` (Very Secure FTP Daemon).
Many strange configuration files are in `/etc/ftp*`. Note that `ftpusers` is, by default, a list of who *not* to allow! Also check `inetd.conf`, `hosts.allow`, and `hosts.deny` in `/etc`. (On Solaris, `inetd.conf` is found in `/etc/inet`.) A `kill -HUP pid` will restart `inetd`.
The `inetd` entries look something like this:

```
ftp stream tcp nowait root /path/to/vsftpd  in.ftpd
ftp stream tcp nowait root /usr/sbin/tcpd   in.ftpd   # TCP Wrappers
```

Modern Linux systems use `xinetd` instead of `inetd`. Edit `/etc/xinetd.d/vsftpd`, and change `disable = yes` to `disable = no`:

```
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    flags           = NAMEINARGS
    # TCP Wrappers: tcpd is the server; with NAMEINARGS the real daemon
    # is the first word of server_args
    server          = /usr/sbin/tcpd
    server_args     = /usr/sbin/vsftpd
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    nice            = 10
    disable         = no
}
```
The anonymous ftp home directory (`~ftp`) is `/home/ftp` (old RH default location) or `/var/ftp` (modern RH default and my preference). This site will have many subdirectories: `pub` for all available content, `etc`, `lib`, `bin`, and `incoming` or `uploads` (to allow anonymous uploads). These files and directories should all be owned by `root` and have group `ftp` unless otherwise noted. The permissions should be:
| File or Directory | Permissions | Comments |
|---|---|---|
| `~ftp` | 555 | |
| `~ftp/bin` | 555 | |
| `~ftp/bin/ls` | 111 | use `ldd ls` to find the libraries needed in `lib` (other programs: `gzip`?) |
| `~ftp/etc` | 555 | |
| `~ftp/etc/passwd`, `~ftp/etc/group` | 444 | three entries only: `root`, `ftp`, `daemon` |
| `~ftp/pub` | 2755 | the leading "2" means "+SetGID" |
| `~ftp/incoming` | 1777 | (or 1311 = upload only); the leading "1" means "+sticky/text" |
| `~ftp/lib` | 755 | |
| `~ftp/lib/*` | 555 | add copies of needed libraries (symlinks won't work) |
| `~ftp/usr/bin` | 555 | (Solaris only) |
| `~ftp/etc/nsswitch.conf` | 644 | (Solaris only) |
| `~ftp/dev/{tcp,udp,zero,...}` | 666 | (Solaris only; may need matching entries from `/devices`) |
Also create empty `.forward` and `.rhosts` files in `~ftp` and make them read-only and immutable:

```
cp /dev/null ~ftp/.forward
cp /dev/null ~ftp/.rhosts
chmod 0400 ~ftp/.forward ~ftp/.rhosts
chattr +i ~ftp/.forward ~ftp/.rhosts   # only for filesystems such as EXT3 that support this option
```
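As an added check for the table above (my code, not from the original page), this audit walks an anonymous ftp tree and reports every path whose mode, owner or group differs from the table, plus any symlink under `~ftp/lib`; the function name `audit_ftp_tree` and the `owner`/`group` arguments are my own assumptions, and the Solaris-only rows are omitted.

```python
import grp
import pwd
from pathlib import Path

# Modes from the permissions table above (Linux rows only); keys are paths
# relative to ~ftp, with "." standing for ~ftp itself.
EXPECTED_MODES = {
    ".": 0o555, "bin": 0o555, "bin/ls": 0o111, "etc": 0o555,
    "etc/passwd": 0o444, "etc/group": 0o444, "pub": 0o2755,
    "incoming": 0o1777, "lib": 0o755, ".forward": 0o400, ".rhosts": 0o400,
}

# owner/group may be names or numeric ids (numeric form is used in tests).
def _as_uid(owner):
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid

def _as_gid(group):
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid

def audit_ftp_tree(root, owner="root", group="ftp"):
    """Return problem strings for the anonymous ftp tree rooted at root.

    Every listed path must exist, be owned by owner:group and carry exactly
    the table's mode (setgid/sticky bits included).  Entries under ~ftp/lib
    must be 555 regular files: a symlink is reported, because inside the
    chroot jail it cannot point back at the real /lib.
    """
    root = Path(root)
    uid, gid = _as_uid(owner), _as_gid(group)
    checks = [(root / rel, mode) for rel, mode in EXPECTED_MODES.items()]
    lib = root / "lib"
    if lib.is_dir():
        checks += [(entry, 0o555) for entry in sorted(lib.iterdir())]
    problems = []
    for path, want in checks:
        if path.is_symlink():
            problems.append(f"{path}: is a symlink; copy the file instead")
            continue
        if not path.exists():
            problems.append(f"{path}: missing")
            continue
        st = path.stat()
        have = st.st_mode & 0o7777
        if have != want:
            problems.append(f"{path}: mode {have:04o}, expected {want:04o}")
        if st.st_uid != uid or st.st_gid != gid:
            problems.append(f"{path}: owner {st.st_uid}:{st.st_gid}, "
                            f"expected {uid}:{gid}")
    return problems
```

Run it as `audit_ftp_tree("/var/ftp")` after setting up the tree; an empty list means every row of the table is satisfied.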
Create the `ftp` user account, which is used for anonymous ftp access only. Make sure this account has no valid password or login shell. (On Linux `/etc/shells` lists all valid shells, and you can add `/bin/false` or `/sbin/nologin` to that list.) This user's home directory should be the anonymous ftp site's `pub` directory.
For security you need to `chroot` to `~ftp`. With wu-ftpd this is done by putting an extra dot in the path for the ftp user's home directory in `/etc/passwd`: `/var/ftp/./pub`. Remaining topics: `ftpusers`, logging options, and creating or editing a welcome message. chroot jail: to be completed...