CTS 2311 (Unix/Linux Security)
Anonymouns FTP site Setup

The following is a brief list of tasks that must be done.  Evildoers often break into a system by taking advantage of an improper setup or old, buggy software.  Make sure you have the latest packages installed.

The proFTPd package is considered by many to be easy to configure and secure, so you may wish to download that.  However today most distributions provide vsftpd (very secure FTP).

Anonymous FTP Configuration Steps:

  1. Decide policy:  Who and when to allow ftp.  (Good idea: never use!  Use sftp and scp instead, part of ssh, and use the web for anonymous file downloads.)  Decide if an anonymous ftp site is needed, whether or not to use tcp wrappers (tcpd) (better to use).
  2. Decide procedures for people (e.g., employees, students, etc.) to request FTP access.  (e.g., a form to fill out, possibly on the intra-net web server.)
  3. Decide which software to use.  Current open source & free best is "vsftpd" (Very Secure FTP Daemon).  Many strange configuration files are in /etc/ftp*.  Note ftpusers is a list of who not to allow by default!
  4. Install the latest version of your chosen software.  Make sure to use a recent version with all known security patches applied.
  5. Edit inetd.conf, hosts.allow, and hosts.deny in /etc.  (On Solaris, inetd.conf is found in /etc/inet.)  A kill -HUP pid will restart inetd.  The inetd entries look something like this:
    ftp stream tcp nowait root  /path/to/vsftpd in.ftpd
    ftp stream tcp nowait root  /usr/sbin/tcpd  in.ftpd   # TCP Wrappers
    Modern Linux systems use xinetd instead of inetd.  Edit /etc/xinetd.d/vsftpd, and change "disable = yes" to "disable = no":
    service ftp
            socket_type             = stream
            wait                    = no
            user                    = root
            flags                   = NAMEINARGS
    #        server                  = /usr/sbin/tcpd
            server_args             = /usr/sbin/vsftpd
            log_on_success          += DURATION USERID
            log_on_failure          += USERID
            nice                    = 10
            disable                 = no
  6. Create the directory for the anonymous ftp site.  Common locations are /home/ftp (old RH default location), /var/ftp (modern RH default and my preference).  This site will have many subdirectories:  pub for all available content, etc, lib, bin, incoming or uploads (To allow anonymous uploads).  These files and directories should all be owned by root and have group ftp unless otherwise noted.  The permissions should be:
    anonymous FTP files and directories, and their permissions
    File or Directory Permissions Comments
    ~ftp/bin/ls111 (use ldd ls to find libraries for lib), (other pgms: gzip?)
    444 (three entries only: root, ftp, daemon)
    ~ftp/pub2755The Leading "2" means "+SetGID"
    ~ftp/incoming1777 (or 1311 = upload only); The leading "1" means "+sticky/text"
    ~ftp/lib/*555 add copies of needed libraries (symlinks won't work)
    ~ftp/usr/bin555(Solaris only)
    ~ftp/etc/nsswitch.conf644(Solaris only)
    ~ftp/dev/{tcp,udp,zero,...}666 (Solaris only; may need matching entries from /devices)
  7. For extra layers of safety, create immutable empty versions of dangerous files:
    cp /dev/null ~ftp/.forward
    cp /dev/null ~ftp/.rhosts
    chmod 0400 ~ftp/.forward ~ftp/.rhosts
    chattr +i ~ftp/.forward ~ftp/.rhosts # only for filesystems such as
                                         # EXT3 that support this option
  8. Add an ftp user account, which account is used for anonymous ftp access only.  Make sure this account has no valid password or login shell On Linux /etc/shells lists all valid shells, and you can add /bin/false or /sbin/nologin to that list).  This user's home directory should be the anonymous ftp site's pub directory.  For security you need to chroot to ~ftp.  This is done with wu-ftp by putting an extra dot in the path in for the ftp user's home directory, in /etc/passwd/var/ftp/./pub.
  9. Configure your FTP server.  This should include ftpusers, logging options, and creating or editing a welcome message.

Running in a chroot jail

to be completed...