CTS 2311 (Unix/Linux Security)
Anonymous FTP Site Setup

The following is a brief list of tasks that must be done.  Evildoers often break into a system by taking advantage of an improper setup or old, buggy software.  Make sure you have the latest WU-FTP packages installed.

The proFTPd package is considered by many to be easier to configure and more secure, so you may wish to download that instead.

Anonymous FTP Configuration Steps:

  1. Decide policy:  who may use ftp, and when.  (Good idea: never use FTP at all; use sftp, part of ssh, instead.)  Decide whether an anonymous ftp site is needed, and whether to use TCP wrappers (tcpd); using them is better.
  2. Decide procedures for people (e.g., employees, students, etc.) to request FTP access.  (e.g., a form to fill out, possibly on the intranet web server.)
  3. Decide which software to use.  The current best free, open-source choice is "vsftpd" (Very Secure FTP Daemon).

    Note!  The following steps are for wu-ftpd on old RH 7.2!  This will be updated.

    Many strange configuration files are in /etc/ftp*.  Note that ftpusers is a list of who is NOT allowed to use ftp!  Edit ftpaccess for the main configuration.

  4. Install the latest version of your chosen software.  Make sure to use a recent version with all known security patches applied.  (Use these FTP related packages on RH7.2:  wu-ftpd-2.6.1-20, ncftp-3.0.3-6, anonftp-4.0-9, and ftp-0.17-12 as of 6/17/02.)
  5. Edit inetd.conf, hosts.allow, and hosts.deny in /etc.  (On Solaris, inetd.conf is found in /etc/inet.)  A kill -HUP <pid of inetd> makes inetd reread its configuration:
    ftp stream tcp nowait root  /path/to/wuftpd in.ftpd -laio
    ftp stream tcp nowait root  /usr/sbin/tcpd  in.ftpd -l -a    # TCP Wrappers
    
    Modern Linux systems use xinetd instead of inetd.  Edit /etc/xinetd.d/wu-ftp, and change disable = yes to disable = no:
    service ftp
    {
            socket_type             = stream
            wait                    = no
            user                    = root
            flags                   = NAMEINARGS
            server                  = /usr/sbin/tcpd
            server_args             = /usr/sbin/in.ftpd -l -a
            log_on_success          += DURATION USERID
            log_on_failure          += USERID
            nice                    = 10
            disable                 = no
    }
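A worked example of the TCP Wrappers part of this step, added here and not part of the original handout: a shell function that writes a default-deny hosts.deny and an explicit allow rule for in.ftpd into a directory you name (a scratch directory while testing, /etc on the real host), plus two small functions that read the rules back so you can confirm what tcpd will enforce. The client list is a constructed value and the function names are the example's own; in.ftpd is the daemon name the inetd and xinetd lines above pass to tcpd.

```shell
#!/bin/sh
# Added example: default-deny TCP Wrappers rules for the wrapped in.ftpd.
# tcpd reads hosts.allow first, then hosts.deny; the first matching rule wins,
# so an explicit allow for in.ftpd plus "ALL: ALL" in hosts.deny closes every
# other wrapped service to every other client.

# write_wrapper_rules DIR CLIENTS
#   DIR      directory that receives hosts.allow and hosts.deny
#            (/etc on a real host; a scratch directory while testing)
#   CLIENTS  tcpd client list for in.ftpd, e.g. "192.168.1.0/255.255.255.0, .example.edu"
#            (constructed values; substitute your own networks)
write_wrapper_rules() {
    dir="$1"; clients="$2"
    cat > "$dir/hosts.deny" <<'EOF'
# Refuse every tcpd-wrapped service unless hosts.allow says otherwise.
ALL: ALL
EOF
    # EXCEPT PARANOID drops clients whose forward and reverse DNS disagree.
    cat > "$dir/hosts.allow" <<EOF
# Clients permitted to reach the FTP daemon.
in.ftpd: $clients EXCEPT PARANOID
EOF
    chmod 644 "$dir/hosts.allow" "$dir/hosts.deny"
}

# ftpd_allow_rule DIR: print the client list in.ftpd will accept, or fail
# (status 1) when no rule exists, in which case hosts.deny's ALL: ALL applies.
ftpd_allow_rule() {
    sed -n 's/^in\.ftpd:[[:space:]]*//p' "$1/hosts.allow" | grep .
}

# default_deny_present DIR: succeed only if hosts.deny still carries "ALL: ALL".
default_deny_present() {
    grep -q '^ALL:[[:space:]]*ALL' "$1/hosts.deny"
}
```

On a live host run write_wrapper_rules /etc "..." as root, then check one concrete client with tcpdmatch (for example tcpdmatch in.ftpd 192.168.1.25) before reopening the service. The daemon name in hosts.allow must match what the inetd or xinetd line hands to tcpd, which is in.ftpd in both of the configurations shown above.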
    

  6. Create the directory for the anonymous ftp site.  Common locations are /home/ftp (old RH default location) and /var/ftp (modern RH default, and my preference).  This site will have several subdirectories:  pub for all available content; etc, lib, and bin; and incoming or uploads (to allow anonymous uploads).  These files and directories should all be owned by root and have group ftp unless otherwise noted.  The permissions should be:
    Anonymous FTP files and directories, and their permissions:

    File or Directory             Permissions  Comments
    ~ftp                          555
    ~ftp/bin                      555
    ~ftp/bin/ls                   111          use "ldd ls" to find the libraries to copy into lib (other programs, e.g. gzip?)
    ~ftp/etc                      555
    ~ftp/etc/passwd               444          three entries only: root, ftp, daemon
    ~ftp/etc/group                444          three entries only: root, ftp, daemon
    ~ftp/pub                      2755         the leading "2" means "+SetGID"
    ~ftp/incoming                 1777         (or 1311 = upload only); the leading "1" means "+sticky"
    ~ftp/lib                      755
    ~ftp/lib/*                    555          add copies of the needed libraries (symlinks won't work)
    ~ftp/usr/bin                  555          Solaris only
    ~ftp/etc/nsswitch.conf        644          Solaris only
    ~ftp/dev/{tcp,udp,zero,...}   666          Solaris only; may need matching entries from /devices
    ~ftp/{.forward,.rhosts}       0400         these should be empty (zero-length) files
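A worked example for this table, added here and not part of the original handout: a POSIX shell script that builds the Linux rows of the tree under a root you name, applies the modes from the table, audits the result so later drift can be caught, and copies a program plus the libraries ldd reports into bin and lib as the ls row describes. It assumes GNU coreutils (stat -c) and ldd, and that on a real host it runs as root (the chown to root:ftp is skipped otherwise); the function names and the layout list are the example's own.

```shell
#!/bin/sh
# Added example: build the Linux rows of the permission table under the FTP
# root given as $1, audit the result, and populate bin/lib from ldd.
# Assumes GNU coreutils (stat -c) and ldd; chown to root:ftp only runs as root.

# One entry per line: type (d=directory, f=empty file), path relative to the
# FTP root, octal mode. Values are taken from the table.
ftp_layout() {
    printf '%s\n' \
        "d . 555" \
        "d bin 555" \
        "d etc 555" \
        "d pub 2755" \
        "d incoming 1777" \
        "d lib 755" \
        "f .forward 0400" \
        "f .rhosts 0400"
}

# Drop leading zeros so the table's "0400" compares equal to stat's "400".
strip0() {
    v="$1"
    while [ -n "${v#0}" ] && [ "${v#0}" != "$v" ]; do v="${v#0}"; done
    printf '%s\n' "$v"
}

# make_ftp_tree ROOT: create every entry first, while ROOT is still writable,
# then apply the modes; applying 555 to ROOT earlier would block the children.
make_ftp_tree() {
    root="$1"
    ftp_layout | while read -r type rel mode; do
        case "$type" in
            d) mkdir -p "$root/$rel" ;;
            f) : > "$root/$rel" ;;      # zero length, as the table requires
        esac
    done
    ftp_layout | while read -r type rel mode; do
        chmod "$mode" "$root/$rel"
    done
    # root-owned, group ftp, per the text above; only root can set this
    if [ "$(id -u)" -eq 0 ] && getent group ftp >/dev/null 2>&1; then
        chown -R root:ftp "$root"
    fi
}

# audit_ftp_tree ROOT: print one line per deviation from the table and return
# 1 if any were found; rerun it periodically to catch drift on a live site.
audit_ftp_tree() {
    root="$1"; bad=0
    while read -r type rel want; do
        if ! have=$(stat -c '%a' "$root/$rel" 2>/dev/null); then
            echo "MISSING  $root/$rel"; bad=$((bad + 1)); continue
        fi
        if [ "$(strip0 "$have")" != "$(strip0 "$want")" ]; then
            echo "MODE     $root/$rel is $have, table says $want"; bad=$((bad + 1))
        fi
        if [ "$type" = f ] && [ -s "$root/$rel" ]; then
            echo "NONEMPTY $root/$rel should be zero length"; bad=$((bad + 1))
        fi
    done <<EOF
$(ftp_layout)
EOF
    [ "$bad" -eq 0 ]
}

# install_jailed_program ROOT PROG: copy PROG into ROOT/bin (mode 111) and the
# shared libraries "ldd PROG" lists into ROOT/lib (mode 555), as real copies
# because symlinks do not resolve inside the jail. Run as root, after
# make_ftp_tree, since bin and lib are no longer writable by then.
install_jailed_program() {
    root="$1"; prog="$2"
    cp "$prog" "$root/bin/" && chmod 111 "$root/bin/$(basename "$prog")"
    ldd "$prog" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }  $1 ~ /^\// { print $1 }' |
    while read -r lib; do
        cp "$lib" "$root/lib/" && chmod 555 "$root/lib/$(basename "$lib")"
        # The dynamic loader (the ldd line without "=>") is opened by the
        # kernel at its absolute path, so it must also exist there in the jail.
        case "$lib" in
            */ld-*) mkdir -p "$root$(dirname "$lib")" && cp "$lib" "$root$lib" ;;
        esac
    done
}
```

Typical use on the real host is make_ftp_tree /var/ftp, then install_jailed_program /var/ftp /bin/ls, then audit_ftp_tree /var/ftp; the audit deliberately compares against the same list the builder used, so a later chmod on incoming or pub shows up as a single MODE line. The Solaris-only rows are not in the list because their device nodes cannot be created portably from this script.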

  7. Add an ftp user account, which is used for anonymous ftp access only.  Make sure this account has no valid password or login shell (on Linux, /etc/shells lists all valid shells, and you can add /bin/false or /sbin/nologin to that list).  This user's home directory should be the anonymous ftp site's pub directory.  For security you need to chroot to ~ftp.  This is done by putting an extra dot in the home directory path in /etc/passwd:  /home/ftp/./pub or /var/ftp/./pub.
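An added check for this step (example code, not from the original handout): shell functions that read a passwd file and a shadow file and confirm the ftp account has a locked password, a shell that refuses logins, and the /./pub home-directory marker described above. The file paths are parameters so the check can be run against copies; the account name ftp, the list of non-login shells, and the treatment of hash fields beginning with * or ! as "locked" are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the anonymous "ftp" account against step 7.
# PASSWD and SHADOW are passed in, so copies of the real files can be checked
# without touching the system; the rules for "locked" and "no login shell"
# below are the example's assumptions.

# passwd_field FILE USER N: print field N of USER's line in FILE; fail if absent.
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; found = 1 } END { exit !found }' "$1"
}

# password_locked PASSWD SHADOW USER: succeed only when no password can log in.
# An empty hash field means "no password needed", which is NOT locked.
password_locked() {
    pw=$(passwd_field "$1" "$3" 2) || return 1
    if [ "$pw" = x ]; then                     # hash lives in the shadow file
        [ -r "$2" ] || return 1
        pw=$(passwd_field "$2" "$3" 2) || return 1
    fi
    case "$pw" in
        '*'*|'!'*) return 0 ;;                 # *, *LK*, !, !!: no usable hash
        *) return 1 ;;
    esac
}

# shell_is_nologin PASSWD USER: the login shell must be one that refuses logins.
shell_is_nologin() {
    shell=$(passwd_field "$1" "$2" 7) || return 1
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# home_is_chrooted PASSWD USER: home must be <ftp root>/./pub, the form the
# step above uses to make the daemon chroot to the part before the "/./".
home_is_chrooted() {
    home=$(passwd_field "$1" "$2" 6) || return 1
    case "$home" in
        /*/./pub) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ftp_account PASSWD SHADOW [USER]: one line per failed check, status 1
# if anything failed.
audit_ftp_account() {
    p="$1"; s="$2"; u="${3:-ftp}"; bad=0
    password_locked "$p" "$s" "$u" || { echo "$u: password is not locked"; bad=1; }
    shell_is_nologin "$p" "$u"     || { echo "$u: login shell is usable"; bad=1; }
    home_is_chrooted "$p" "$u"     || { echo "$u: home is not <root>/./pub"; bad=1; }
    return "$bad"
}
```

Run audit_ftp_account /etc/passwd /etc/shadow as root on the live host; each failing line names exactly one of the three requirements in this step, so the output doubles as the fix list.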

Running in a chroot jail

to be completed...