Controlling FTP Access

Previous page
Table of content
Next page

FTP access is not something you should enable lightly. Although it's crucial for your users to have access to FTP for uploading files (such as web pages) to your server, it's also a potential source of security issuesit's a clear-text mechanism, meaning that all data (including passwords) is transmitted unencrypted and available to anybody eavesdropping with packet-sniffing software.

As you'll learn in Chapter 30, most major clear-text services can be superseded by a secure equivalent: Telnet with SSH, HTTP with Secure HTTP, and POP3 and IMAP with their own built-in encryption layers. FTP, however, is inherently insecure, and although several secure solutions have been put forth (such as the sftp command built into the OpenSSH package), unencrypted FTP holds out as the last widely used insecure data-transfer protocol, difficult to replace and a virtual requirement for a fully functional server. Many modern FTP client applications can support secure FTP, but it's still not built into the basic FTP mechanisms in Windows and Mac OS X, so traditional unencrypted FTP is still a widely demanded service for most users. You learn more about how to secure FTP at the end of this chapter and in Chapter 30; meanwhile, be aware that special care must be taken when enabling FTP access to your users to ensure your system's security.

With this in mind, you need a way to lock out certain users from being able to connect to the system via FTP. This can be done in a number of ways. The two most convenient involve the /etc/ftpusers and /etc/shells files. A third, /var/run/nologin, controls whether the server accepts connections at all.

The /etc/ftpusers File

The simplest way to forbid a certain individual user (or a group of users) from connecting to the FTP server is to add that user's login name to the /etc/ftpusers file, which exists in the default FreeBSD installation and contains the names of the various system pseudousers (such as operator, bin, tty, and so on). These users have null passwords, and ftpd will not allow anyone with a null password to connect anyway; but keeping these usernames in /etc/ftpusers, which rejects them explicitly by name, provides an extra layer of security.

You can add any username to the file, and because ftpd reads all relevant configuration files with each new connection, there's no need to restart any processes. Try connecting to the FTP server as a disallowed user, and you should get a response similar to the following:

# ftp localhost Connected to localhost.example.com. 220 stripes.example.com FTP server (Version 6.00LS) ready. Name (localhost:frank): 530 User frank access denied. ftp: Login failed. ftp>


Note

The access denied message appears immediately after the server receives the usernameit doesn't prompt for a password. This prevents passwords from being sent over the wire, providing an extra security precaution in the case where you've disabled a user out of concern regarding an eavesdropper sniffing for passwords.


You can also add any group name to /etc/ftpusers; simply precede the name with an "at" (@) symbol (for example, @users). Any user who is part of any group listed in the file will be disallowed access.

The /etc/shells File

After seeing whether the user is listed in /etc/ftpusers, ftpd checks the shell associated with the user and sees whether it's listed in /etc/shells. If it isn't, the user will get the same kind of access denied message as with /etc/ftpusers. You can leverage this functionality to prevent a user from logging in with a terminal program or with FTP by changing the user's shell to /sbin/nologin (which you saw in Chapter 9it simply prints out an account not available message and exits, and it's not listed in /etc/shells) or something similarly constructed.

The /var/run/nologin File

To turn off FTP logins completely, without modifying /etc/inetd.conf or any other such config files, you can simply place a file called nologin in /var/run. If ftpd sees this file, it will respond to all connections as follows:

# ftp localhost Connected to localhost.example.com. 530 System not available. ftp>


You can enter touch /var/run/nologin to create the file (with zero length) and disable FTP logins. Remove the file (rm /var/run/nologin) to reenable the FTP server.



Previous page
Table of content
Next page
FreeBSD 6 Unleashed
FreeBSD 6 Unleashed
ISBN: 0672328755
EAN: 2147483647
Year: 2006
Pages: 355
Authors: Brian Tiemann
BUY ON AMAZON
Java I/O
Excel Scientific and Engineering Cookbook (Cookbooks (OReilly))
The New Solution Selling: The Revolutionary Sales Process That Is Changing the Way People Sell [NEW SOLUTION SELLING 2/E]
Lotus Notes Developers Toolbox: Tips for Rapid and Successful Deployment
Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century: Prevention and Detection for the Twenty-First Century
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy