The following is a brief list of tasks that must be done. Evildoers often break into a system by taking advantage of an improper setup or old, buggy software. Make sure you have the latest WU-FTP packages installed. The proFTPd package is considered by many to be easier to configure and more secure, so you may wish to download that instead. (Or use sftp instead, part of ssh.)
Decide if an anonymous ftp site is needed, and whether or not to use tcp wrappers (tcpd) (better to use them). Another alternative is vsftpd (Very Secure FTP Daemon). Many strange configuration files are in /etc/ftp*. Note that ftpusers is a list of who not to allow! Edit ftpaccess for the main configuration.
(Package versions: wu-ftpd-2.6.1-20, ncftp-3.0.3-6, anonftp-4.0-9, and ftp-0.17-12 as of 6/17/02.) Edit inetd.conf, hosts.allow, and hosts.deny in /etc. (On Solaris, inetd.conf is found in /etc/inet.) A kill -HUP pid will restart inetd. The ftp line in inetd.conf, without and with TCP Wrappers:

    ftp stream tcp nowait root /path/to/wuftpd in.ftpd -laio
    ftp stream tcp nowait root /usr/sbin/tcpd   in.ftpd -l -a   # TCP Wrappers

Modern Linux systems use xinetd instead of inetd.
Edit /etc/xinetd.d/wu-ftp, and change disable = yes to disable = no:

    service ftp
    {
        socket_type     = stream
        wait            = no
        user            = root
        flags           = NAMEINARGS
        server          = /usr/sbin/tcpd
        server_args     = /usr/sbin/in.ftpd -l -a
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
        disable         = no
    }
The anonymous ftp site goes in /home/ftp (old RH default location) or /var/ftp (modern RH default and my preference). This site will have many subdirectories: pub for all available content, etc, lib, bin, and incoming or uploads (to allow anonymous uploads). These files and directories should all be owned by root and have group ftp unless otherwise noted. The permissions should be:
File or Directory | Permissions | Comments
---|---|---
~ftp | 555 |
~ftp/bin | 555 |
~ftp/bin/ls | 111 | use ldd ls to find the libraries needed in lib (other programs, e.g. gzip?)
~ftp/etc | 555 |
~ftp/etc/passwd, ~ftp/etc/group | 444 | three entries only: root, ftp, daemon
~ftp/pub | 2755 | the leading "2" means "+SetGID"
~ftp/incoming | 1777 | or 1311 = upload only; the leading "1" means "+sticky"
~ftp/lib | 755 |
~ftp/lib/* | 555 | add copies of needed libraries (symlinks won't work)
~ftp/usr/bin | 555 | Solaris only
~ftp/etc/nsswitch.conf | 644 | Solaris only
~ftp/dev/{tcp,udp,zero,...} | 666 | Solaris only; may need matching entries from /devices
~ftp/{.forward,.rhosts} | 0400 | these should be empty (zero length) files
The ftp user account is used for anonymous ftp access only. Make sure this account has no valid password or login shell. (On Linux /etc/shells lists all valid shells, and you can add /bin/false or /sbin/nologin to that list.) This user's home directory should be the anonymous ftp site's pub directory. For security you need to chroot to ~ftp. This is done by putting an extra dot in the path in /etc/passwd: /home/ftp/./pub or /var/ftp/./pub.

to be completed...
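As an added example (not from the original page), a small POSIX shell audit that checks an anonymous ftp tree against the permission table above, confirms .forward and .rhosts are empty, and checks that the ftp account's passwd line has a non-login shell and the /./ chroot marker. It assumes GNU stat(1) and takes the expected owner and group as numeric ids; the tree it builds for the demo is constructed, not a real site.

```shell
# Added example, not from the original page: audit an anonymous-ftp tree against
# the permission table above and check the ftp account's passwd line. Assumes
# GNU stat(1). UID/GID are numeric (0 and ftp's gid in production; the demo uses
# the current user so it runs unprivileged).
# "relative-path:expected-octal-mode" pairs taken from the table (0400 -> 400).
FTP_TREE_MODES='.:555 bin:555 bin/ls:111 etc:555 etc/passwd:444 etc/group:444
pub:2755 incoming:1777 lib:755 .forward:400 .rhosts:400'

# audit_ftp_tree ROOT UID GID: report each finding on stderr, echo the count.
audit_ftp_tree() {
    root=$1; uid=$2; gid=$3; n=0
    for spec in $FTP_TREE_MODES; do
        rel=${spec%%:*}; want=${spec#*:}; p="$root/$rel"
        if [ ! -e "$p" ]; then echo "missing: $p" >&2; n=$((n + 1)); continue; fi
        set -- $(stat -c '%a %u %g %s' "$p")   # mode owner group size
        [ "$1" = "$want" ] || { echo "mode $1, want $want: $p" >&2; n=$((n + 1)); }
        [ "$2" = "$uid" ] && [ "$3" = "$gid" ] || { echo "owner $2:$3, want $uid:$gid: $p" >&2; n=$((n + 1)); }
        # .forward and .rhosts must be empty files, not merely unreadable ones.
        case $rel in .forward|.rhosts) [ "$4" = 0 ] || { echo "not empty: $p" >&2; n=$((n + 1)); } ;; esac
    done
    echo "$n"
}

# check_ftp_account PASSWD_LINE: succeed only if the shell is a non-login shell
# and the home directory carries the "/./" chroot marker described above.
check_ftp_account() {
    IFS=: read -r u p i g c home shell <<EOF
$1
EOF
    case $shell in /sbin/nologin|/bin/false) ;; *) return 1 ;; esac
    case $home in */./*) return 0 ;; *) return 1 ;; esac
}

# make_sample_tree DIR: constructed tree matching the table; children are made
# first because the parents end up read-only.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/etc" "$1/pub" "$1/incoming" "$1/lib"
    for f in bin/ls etc/passwd etc/group .forward .rhosts; do : > "$1/$f"; done
    chmod 111 "$1/bin/ls"; chmod 444 "$1/etc/passwd" "$1/etc/group"
    chmod 400 "$1/.forward" "$1/.rhosts"; chmod 2755 "$1/pub"; chmod 1777 "$1/incoming"
    chmod 755 "$1/lib"; chmod 555 "$1/bin" "$1/etc" "$1"
}

# Demo on a constructed tree: expect 0 findings, then 1 after loosening incoming.
d=$(mktemp -d); make_sample_tree "$d"
echo "clean tree: $(audit_ftp_tree "$d" "$(id -u)" "$(id -g)") findings"   # 0
chmod 777 "$d/incoming"
echo "after chmod 777 incoming: $(audit_ftp_tree "$d" "$(id -u)" "$(id -g)") findings"   # 1
chmod -R u+w "$d"; rm -rf "$d"
```

Run it as root against the real site with `audit_ftp_tree /var/ftp 0 "$(getent group ftp | cut -d: -f3)"` and feed `getent passwd ftp` to check_ftp_account.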