The following is a brief list of tasks that must be done. Evildoers often break into a system by taking advantage of an improper setup or old, buggy software. Make sure you have the latest packages installed.
The proFTPd package is considered by many to be easy to configure and secure, so you may wish to download that. However today most distributions provide vsftpd (very secure FTP).
sftp and scp instead,
part of ssh, and use the web for anonymous file downloads.)
Decide if an anonymous ftp site is needed,
whether or not to use tcp wrappers (tcpd)
(better to use). vsftpd"
(Very Secure FTP Daemon).
Many strange configuration files are in /etc/ftp*.
Note ftpusers is a list of who not to allow
by default! inetd.conf, hosts.allow,
and hosts.deny in /etc.
(On Solaris, inetd.conf is found in /etc/inet.)
A kill -HUP pid will restart inetd.
The inetd entries look something like this:
ftp stream tcp nowait root /path/to/vsftpd in.ftpd ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd # TCP WrappersModern Linux systems use
xinetd instead of
inetd.
Edit /etc/xinetd.d/vsftpd, and change
"disable = yes" to "disable = no":
service ftp
{
socket_type = stream
wait = no
user = root
flags = NAMEINARGS
# server = /usr/sbin/tcpd
server_args = /usr/sbin/vsftpd
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
disable = no
}
/home/ftp (old RH default location),
/var/ftp (modern RH default and my preference).
This site will have many subdirectories:
pub for all available content, etc,
lib, bin, incoming or
uploads (To allow anonymous uploads).
These files and directories should all be owned by root
and have group ftp unless otherwise noted.
The permissions should be:
| File or Directory | Permissions | Comments |
|---|---|---|
| ~ftp | 555 | |
| ~ftp/bin | 555 | |
| ~ftp/bin/ls | 111 | (use ldd ls to find libraries for lib), (other pgms: gzip?) |
| ~ftp/etc | 555 | |
| ~ftp/etc/passwd ~ftp/etc/group | 444 | (three entries only: root,
ftp, daemon) |
| ~ftp/pub | 2755 | The Leading "2" means "+SetGID" |
| ~ftp/incoming | 1777 | (or 1311 = upload only); The leading "1" means "+sticky/text" |
| ~ftp/lib | 755 | |
| ~ftp/lib/* | 555 | add copies of needed libraries (symlinks won't work) |
| ~ftp/usr/bin | 555 | (Solaris only) |
| ~ftp/etc/nsswitch.conf | 644 | (Solaris only) |
| ~ftp/dev/{tcp,udp,zero,...} | 666 | (Solaris only; may need matching entries from /devices) |
cp /dev/null ~ftp/.forward
cp /dev/null ~ftp/.rhosts
chmod 0400 ~ftp/.forward ~ftp/.rhosts
chattr +i ~ftp/.forward ~ftp/.rhosts # only for filesystems such as
# EXT3 that support this option
ftp user account,
which account is used for anonymous ftp access only.
Make sure this account has no valid password or login shell
On Linux /etc/shells lists all valid shells,
and you can add /bin/false or /sbin/nologin
to that list).
This user's home directory should be the anonymous ftp site's pub
directory.
For security you need to chroot to ~ftp.
This is done with wu-ftp by putting an extra dot in the path in for the ftp user's
home directory, in /etc/passwd:
/var/ftp/./pub. ftpusers, logging options, and
creating or editing a welcome message. chroot jail to be completed...