Anonymous FTP FAQ
Version: 3.00
 
How to Set up a Secure Anonymous FTP Site
The following is a FAQ on setting up a secure FTP site. FTP sites are known for
much abuse by transferring illegal files. They also open many opportunities for
intruders to gain access via misconfigured setups. And lastly, many versions of
ftp servers have had security holes. This FAQ is intended to clean up this abuse
by allowing administrators to go through this checklist of steps to make sure
their FTP is correctly configured and that they are running the most current
ftp daemon.

This is organized in the following fashion; I am breaking it into several parts
as follows:

1. General Description of Setting up an "Anonymous" FTP server.
2. Setting up a chrooted Secure Anonymous FTP server.
3. OS Specific needed information and suggestions.
1. General Description of Setting up an "anonymous" ftp server.
1. Create the user ftp in /etc/passwd. Use a misc group. The user's home
   directory will be ~ftp, where ~ftp is the root you wish anonymous users to
   see. Creating this user turns on anonymous ftp. Use an invalid password
   and user shell for better security. The entry in the passwd file should
   look something like:

       ftp:*:400:400:Anonymous FTP:/home/ftp:/bin/true

2. Create the home directory ~ftp. Make the directory owned by root (NOT ftp)
   with the same group as ftp. Thus, owner permissions are for root and group
   permissions are for the anonymous users. Set the permissions for ~ftp to
   555 (read, nowrite, execute).
 
   Warning: Some MAN pages recommend making the ~ftp directory owned by ftp.
   This is a big NO-NO, if you want any type of security on your system.

3. Create the directory ~ftp/bin. This directory is owned by root (group
   e.g. wheel) with permissions 111 (noread, nowrite, execute).

4. Copy the program ls into ~ftp/bin. ls is owned by root with permissions
   111 (noread, nowrite, execute). Any other commands you put in ~ftp/bin
   should have the same permissions as well.

5. Make the directory ~ftp/etc. This directory is owned by root with
   permissions 111.

6. Create from scratch the files passwd and group in ~ftp/etc. These files
   should be mode 444. The passwd file should only contain root, daemon,
   uucp, and ftp. The group file must contain ftp's group. Use your
   /etc/passwd and /etc/group files as a template for creating the passwd
   and group files going to ~ftp/etc. You may even change the user names in
   this file; they are used only by the 'ls' command. So, for example, if
   all files in your ~ftp/pub/linux hierarchy will be maintained by a real
   user 'balon' with uid=156 you may put

       linux:*:156:120:Kazik Balon::

   in the ~ftp/etc/passwd file (regardless of his real username). Leave only
   those users who will own files under the ftp hierarchy (e.g. root,
   daemon, ftp...) and definitely remove *ALL* passwords by replacing them
   with '*' so the entries look like:

       root:*:0:0:Ftp maintainer::
       ftp:*:400:400:Anonymous ftp::

   For more security, you can just remove ~ftp/etc/passwd and
   ~ftp/etc/group (the effect is that 'ls -l' will show numeric uids and
   gids instead of owner and group names). The wuarchive ftp daemon (and
   some others) have some extensions based on the contents of the
   group/passwd files, so read the appropriate documentation.

7. Make the directory ~ftp/pub. This directory is owned by you and has the
   same group as ftp with permissions 555. On most systems (like SunOS) you
   may want to make this directory 2555, i.e. set-group-id, in order to
   create new files with the same group ownership. Files are left here for
   public distribution. All directories inside ~ftp/pub should have the
   same permissions, 555.
   Warning: Neither the home directory (~ftp) nor any directory below it
   should be owned by ftp! No files should be owned by ftp either. Modern
   ftp daemons support all kinds of useful commands, such as chmod, that
   allow outsiders to undo your careful permission settings. They also have
   configuration options like the following (WuFTP) to disable them:
 
       # all the following default to "yes" for everybody
       delete    no  guest,anonymous   # delete permission?
       overwrite no  guest,anonymous   # overwrite permission?
       rename    no  guest,anonymous   # rename permission?
       chmod     no  anonymous         # chmod permission?
       umask     no  anonymous         # umask permission?
8. If you wish to have a place for anonymous users to leave files, create
   the directory ~ftp/pub/incoming. This directory is owned by root with
   permissions 733. Do a 'chmod +t ~ftp/pub/incoming'. The ftp daemon will
   normally not allow an anonymous user to overwrite an existing file, but a
   normal user of the system would be able to delete anything. By setting
   the mode to '1733' (sticky bit set) you prevent this from happening. In
   wuftpd you may configure the daemon to create new files with permissions
   '600' owned by root or any other user. Many times, incoming directories
   are abused by exchanging pirated and pornographic material. Abusers often
   create hidden directories there for this purpose. Making the incoming
   directory unreadable by anonymous ftp helps to some extent. With ordinary
   ftp servers there is no way to prevent directories being created in
   incoming. The WUarchive ftp server can limit uploads to certain
   directories and can restrict the characters used in file names like
   this:
       # specify the upload directory information
       upload /var/spool/ftp *           no
       upload /var/spool/ftp /incoming   yes ftp staff 0600 nodirs

       # path filters
       # path-filter...
       path-filter anonymous /etc/msgs/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
       path-filter guest     /etc/msgs/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
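Steps 1 through 8 above, carried out as one script. This is an added example
and not part of the original FAQ: a POSIX sh script that builds the ~ftp tree
with the ownership and modes given in the steps, and then audits the tree for
what the two warnings forbid (anything owned by ftp, anything writable outside
incoming, any real password hash left in ~ftp/etc/passwd). It assumes ~ftp is
$FTP_ROOT, that $FTP_GROUP/$FTP_GID name the ftp user's group, and that the
chown calls may be skipped when the script is not run as root, so that the
functions can be dry-run by an unprivileged user under a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original FAQ): build the anonymous FTP tree of
# steps 1-8 and audit it against the FAQ's warnings. Assumptions: $FTP_ROOT
# is ~ftp, $FTP_GROUP/$FTP_GID are the ftp user's group name and gid, and the
# chown calls are skipped when not run as root, so the functions can be
# dry-run under a scratch directory by an unprivileged user.

FTP_ROOT="${FTP_ROOT:-/home/ftp}"
FTP_GROUP="${FTP_GROUP:-ftp}"
FTP_GID="${FTP_GID:-400}"

# own OWNER:GROUP PATH, only when privileged (unprivileged dry runs keep
# the caller's ownership).
own() {
    if [ "$(id -u)" -eq 0 ]; then chown "$1" "$2"; fi
}

# Steps 2-8. Create and populate first, lock the modes down last, so the
# population steps also work without root.
build_ftp_tree() {
    root="$1"; grp="$2"; gid="${3:-400}"
    mkdir -p "$root/bin" "$root/etc" "$root/pub/incoming"

    # Step 4: a root-owned copy of ls (a chrooted ls also needs its shared
    # libraries, which the OS-specific section covers).
    if [ -x /bin/ls ]; then cp /bin/ls "$root/bin/ls"; fi

    # Step 6: passwd and group written from scratch: only uids that own
    # files under ~ftp, every password field '*'.
    printf 'root:*:0:0:Ftp maintainer::\nftp:*:400:%s:Anonymous ftp::\n' "$gid" \
        > "$root/etc/passwd"
    printf '%s:*:%s:\n' "$grp" "$gid" > "$root/etc/group"

    # Ownership: root everywhere, never ftp. ftp's group only on the
    # directories anonymous users must traverse (steps 2 and 7).
    own "root:$grp" "$root"
    own "root:$grp" "$root/pub"
    for p in "$root/bin" "$root/bin/ls" "$root/etc" "$root/etc/passwd" \
             "$root/etc/group" "$root/pub/incoming"; do
        if [ -e "$p" ]; then own root:0 "$p"; fi    # gid 0: wheel/root
    done

    # Modes: 444 on the fake passwd/group, 111 on bin, etc and ls, 1733 on
    # incoming (write+search, sticky), 555 on pub and ~ftp (use 2555 on pub
    # for SunOS-style set-group-id inheritance).
    chmod 444 "$root/etc/passwd" "$root/etc/group"
    if [ -e "$root/bin/ls" ]; then chmod 111 "$root/bin/ls"; fi
    chmod 1733 "$root/pub/incoming"
    chmod 555 "$root/pub"
    chmod 111 "$root/bin" "$root/etc"
    chmod 555 "$root"
}

# Audit for what the two warnings forbid: anything owned by the ftp user,
# anything group- or world-writable outside incoming, and any non-'*'
# password field in ~ftp/etc/passwd. Prints one finding per line and returns
# 1 if there are any. Mode-111 directories can only be descended as root, so
# run the real audit as root.
audit_ftp_tree() {
    root="$1"; ftpuser="${2:-ftp}"
    findings=$(
        if id "$ftpuser" >/dev/null 2>&1; then
            find "$root" -user "$ftpuser" -print 2>/dev/null | sed 's/^/owned-by-ftp: /'
        fi
        find "$root" -path "$root/pub/incoming" -prune -o \
            \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null | sed 's/^/writable: /'
        if [ -r "$root/etc/passwd" ]; then
            awk -F: '$2 != "*" { print "password-hash: " $1 }' "$root/etc/passwd"
        fi
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Usage (as root on a real host): sh ftpsetup.sh build ; sh ftpsetup.sh audit
case "${1:-}" in
    build) build_ftp_tree "$FTP_ROOT" "$FTP_GROUP" "$FTP_GID" ;;
    audit) audit_ftp_tree "$FTP_ROOT" ;;
esac
```

Run 'build' once as root, then 'audit' as root whenever the tree changes; an
unprivileged dry run exercises the modes and the fake passwd/group files but
cannot verify ownership, and cannot look inside the mode-111 directories.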