One of the big drawbacks of a regular FTP server is security. You can configure a secure FTP server as discussed in Chapter 23, but encryption can hurt performance. And the sftp commands are not standard.
One compromise is the Very Secure FTP server, vsFTP. Red Hat has made it the default and only FTP server for Red Hat Linux 9. I've included references to the former Red Hat Linux default FTP server, WU-FTP, for those familiar with older versions of Red Hat.
While it does not encrypt communications, vsFTP does avoid some of the security problems commonly associated with WU-FTP. It's used as a standard FTP server for a number of sites, including ftp.redhat.com. It can be configured for anonymous or real users. In fact, the home page for this server (http://vsftpd.beasts.org) suggests that it is faster than WU-FTP.
vsFTP shares a number of characteristics with WU-FTP. Where possible, in the sections that follow we refer to configuration files we'll examine later in our discussion of WU-FTP.
The commands associated with vsFTP are normally configured with minimal privileges; this reduces the risk of a cracker using one of these commands to gain root access to your system.
The vsFTP package includes configuration files in the /etc directory. Two of these files, vsftpd.ftpusers and vsftpd.user_list, essentially disallow access from privileged users. Each is a simple list of users, such as root, bin, and adm. The main configuration file is /etc/vsftpd/vsftpd.conf. The following is a line-by-line analysis of the default configuration file, which includes several options. More details are available via the man vsftpd.conf command.
I've included the entire file with my own comments to help you understand each command.
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are very paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
#
# Allow anonymous FTP?
anonymous_enable=YES
The first notes, starting with the #, are comments. You may have noticed that the first comment line is wrong; it reflects the old location of the vsftpd.conf file. By default, vsFTP allows anonymous access with the previous command. Users can log in anonymously as user anonymous or ftp.
# Uncomment this to allow local users to log in.
local_enable=YES
The default Red Hat configuration local_enable variable allows users with a regular account on the FTP server to log in as real users.
# Uncomment this to enable any form of FTP write command.
write_enable=YES
These users have access to all directories on the FTP server, including the root (/) directory. You may want to comment out the write_enable command; otherwise, logged-in users have a dangerous level of access to your system. You can also configure all access to an unprivileged user, as described later with the nopriv_user variable.
To minimize the problem, you could add the chroot_local_user=YES command, which prevents users from accessing the root (/) directory on the FTP server. However, users who are allowed to upload to their home directories could then upload executable files that compromise the security of the server.
The default Red Hat configuration allows real users to delete files in their home directories. It does not allow anonymous users to delete files.
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpds)
local_umask=022
Without this umask command (see Chapter 06), the default umask of 077 applies, and uploaded files have read and write permissions limited to the owner of the file. With local_umask=022, all users have at least read permission on uploaded files.
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
Sometimes, you want to allow anonymous users to upload to your FTP server. While you risk having users fill the partition with the /var filesystem, you can limit this risk by mounting /var on a separate partition, as discussed in Chapter 07. As we describe later in our discussion of anonymous servers, you'll need to set appropriate permissions for the directory where you accept uploads, such as /var/ftp/pub. Note that this setting is disabled in the default vsftpd.conf configuration file.
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
You can also let anonymous users create new directories wherever they have write permissions. Note the comment mark (#) in front of the command, which disables the setting; you'd also need to add an anon_other_write_enable=YES line to let users actually write files to the new directories.
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
By default, users are allowed to see messages in a .message file in different directories. When the user changes to that directory, the contents of the relevant .message file (or a file named by the message_file=filename command) are shown.
# Activate logging of uploads/downloads.
xferlog_enable=YES
Normally, a record of uploads and downloads is stored in /var/log/vsftpd.log. You can specify a different file with the xferlog_file=filename command.
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
Some FTP clients may require the previous command. Port 20 is one of the TCP/IP ports shown in /etc/services .
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
The user who uploads a file does not have to own that file. For example, the following commands, slightly different from what you see in the vsftpd.conf file, would change ownership of any uploaded files to user mj:
Next, we look at the standard log file location:
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
Normally, vsFTP log files are stored in /var/log/vsftpd.log. You can change this to the location of your choice.
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
This command enables the standard format for logging uploads and downloads to the FTP server, as used by WU-FTP. Try disabling this command by adding a # in front. Write the file, then set up a transfer over an FTP connection. Read the results in the /var/log/vsftpd.log file. The nonstandard vsFTP log format is more descriptive.
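To show what you can do with the standard xferlog format once xferlog_std_format=YES is active, here is an added shell example; it is not code from the book or from the vsftpd project. The field layout is the one documented in xferlog(5). The log lines, addresses, user names and file names are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the book or from vsftpd: pick upload records
# out of a standard-format xferlog (what xferlog_std_format=YES produces).
# Field layout per xferlog(5), with awk's default whitespace splitting:
#   $1-$5 date   $6 transfer time (s)   $7 remote host   $8 bytes
#   $9 filename  $10 type (a/b)  $11 special action  $12 direction (i/o)
#   $13 access mode (a/r/g)  $14 user  $15 service  $16 auth method
#   $17 auth user id  $18 completion (c/i)

# Constructed sample log; addresses, names and files are invented.
SAMPLE_XFERLOG='Mon Jun  2 10:15:01 2003 3 192.0.2.10 1048576 /var/ftp/pub/incoming/data.tgz b _ i a ftp@example.net ftp 0 * c
Mon Jun  2 10:16:44 2003 1 192.0.2.10 2048 /var/ftp/pub/README b _ o a ftp@example.net ftp 0 * c
Mon Jun  2 10:20:09 2003 7 198.51.100.7 9437184 /home/mj/backup.tar b _ i r mj ftp 0 * i
Mon Jun  2 10:21:30 2003 2 198.51.100.7 51200 /home/mj/notes.txt a _ i r mj ftp 0 * c
Mon Jun  2 10:30:00 2003 45 203.0.113.5 734003200 /var/ftp/pub/incoming/big.iso b _ i a mozilla@ ftp 0 * i'

# One line per upload (direction "i") read from stdin:
#   host user file bytes completion
xferlog_uploads() {
    awk '$12 == "i" { print $7, $14, $9, $8, $18 }'
}

# Bytes uploaded per remote host: a quick way to see who is filling the
# partition that holds /var/ftp/pub.
xferlog_upload_bytes_by_host() {
    awk '$12 == "i" { b[$7] += $8 } END { for (h in b) print h, b[h] }' | sort
}

# Anonymous uploads that did not complete, worth checking when a client
# keeps starting and abandoning large transfers.
xferlog_anon_incomplete() {
    awk '$12 == "i" && $13 == "a" && $18 == "i" { print $7, $9 }'
}

# Demonstration run over the constructed sample.
printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_uploads
printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_upload_bytes_by_host
printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_anon_incomplete
```

On a real server, replace the sample with `xferlog_uploads < /var/log/vsftpd.log`; the same field positions apply because xferlog dates are written with a space-padded day of month, which awk's default splitting collapses.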
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
The vsFTP server regulates how long a user can sit idle while logged on. By default, it's 300 seconds. The previous command, if active, changes this period to 10 minutes.
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
Sometimes there are errors during a file transfer. If there is an error, the FTP client will try to reconnect. But there comes a point where it is better to restart the connection. The default period is 300 seconds; the previous command, if active, changes that to two minutes.
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
You can set up a special unprivileged user, ftpsecure, by enabling the previous command. If you do, make sure the user exists in /etc/passwd.
You should set up ftpsecure almost as a guest-type user. Once configured, all users that connect to your FTP server get the ftpsecure username. If you don't want users to log in directly to your computer, you can change the associated entry in /etc/passwd to set up /sbin/nologin as the default shell:
The following command allows less capable FTP clients to cancel a download without hanging.
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
However, this setting is not needed for the regular command-line FTP client described earlier in this chapter.
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
If you need to transfer files in ASCII mode, enable one or both of the previous ascii commands. It should rarely be necessary, even for text files, unless you need to preserve certain types of formatting.
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
You can configure the previous ftpd_banner message for users before they log in. For example, you might change the message as follows if you only want anonymous logins:
ftpd_banner=Welcome. Type ftp at the prompt for an anonymous login.
Sometimes crackers will attempt something similar to the ping of death, described in Chapter 22, against your FTP server.
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
If you enable both of the previous commands, you can create a list of anonymous passwords in /etc/vsftpd.banned_emails that aren't allowed access. This can deny access to crackers who use automated tools to try to bring down your FTP server.
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
If you activate chroot_list_enable=YES, you can list in /etc/vsftpd.chroot_list the users who see their home directory as the root (/) directory. If you also configure chroot_local_user=YES, the meaning of the list in /etc/vsftpd.chroot_list is reversed: all local users are chrooted except those named in the list.
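The interaction between write_enable and chroot_local_user described earlier, and the reversed meaning of the chroot list just described, are easy to get wrong by hand. The following shell script is an added example, not code from the book or from the vsftpd project: it reads a vsftpd.conf, reports the risky combinations discussed in this section, and answers whether a given local user ends up chrooted. The function names (conf_get, vsftpd_audit, chrooted), the temporary sample configuration and the user names in it are my own assumptions; the fallback values are vsftpd's compiled-in defaults from the vsftpd.conf man page.

```shell
#!/bin/sh
# Added example, not code from the book or from vsftpd: audit a vsftpd.conf
# for the exposure points discussed in this section and decide whether a
# local user is chrooted. Fallbacks below are vsftpd's compiled-in defaults.

# Effective value of directive $2 in config file $1, or default $3 when the
# directive is absent. Commented-out lines are skipped and, as in vsftpd,
# the last active occurrence of a directive wins.
conf_get() {
    awk -F= -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == key { val = $2; found = 1 }
        END { print (found ? val : def) }' "$1"
}

# Prints YES if local user $1 is chrooted under config $2, else NO.
# chroot_list_enable=YES makes the list file the set of users to chroot;
# with chroot_local_user=YES as well, the list becomes the set of exceptions.
chrooted() {
    user=$1 conf=$2
    all=$(conf_get "$conf" chroot_local_user NO)
    use_list=$(conf_get "$conf" chroot_list_enable NO)
    if [ "$use_list" != YES ]; then
        echo "$all"
        return
    fi
    list=$(conf_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
    if grep -qx "$user" "$list" 2>/dev/null; then in_list=YES; else in_list=NO; fi
    if [ "$all" = YES ]; then
        if [ "$in_list" = YES ]; then echo NO; else echo YES; fi
    else
        echo "$in_list"
    fi
}

# Report the risky combinations covered in this section for config file $1.
vsftpd_audit() {
    conf=$1
    anon=$(conf_get "$conf" anonymous_enable YES)
    lcl=$(conf_get "$conf" local_enable NO)
    write=$(conf_get "$conf" write_enable NO)
    all=$(conf_get "$conf" chroot_local_user NO)
    anon_up=$(conf_get "$conf" anon_upload_enable NO)
    mask=$(conf_get "$conf" local_umask 077)
    ls_r=$(conf_get "$conf" ls_recurse_enable NO)
    if [ "$lcl" = YES ] && [ "$write" = YES ] && [ "$all" != YES ]; then
        echo "WARN local users can write and see the whole filesystem (no chroot_local_user)"
    fi
    if [ "$anon" = YES ] && [ "$write" = YES ] && [ "$anon_up" = YES ]; then
        echo "WARN anonymous uploads are enabled; keep /var on its own partition"
    fi
    if [ "$ls_r" = YES ]; then
        echo "INFO ls -R is enabled; recursive listings can load the server"
    fi
    # Uploads are created with mode 0666 (vsftpd's default file_open_mode) and
    # then masked. A leading 0 means octal, both here and in vsftpd.
    printf 'INFO uploaded files get mode %04o (local_umask=%s)\n' \
        $((0666 & ~mask)) "$mask"
}

# Constructed sample resembling the Red Hat default, plus a chroot list.
TMPD=$(mktemp -d)
cat > "$TMPD/vsftpd.conf" <<EOF
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
#anon_upload_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ls_recurse_enable=YES
chroot_list_enable=YES
chroot_list_file=$TMPD/vsftpd.chroot_list
listen=YES
EOF
printf 'mj\nguest\n' > "$TMPD/vsftpd.chroot_list"
SAMPLE_CONF=$TMPD/vsftpd.conf

vsftpd_audit "$SAMPLE_CONF"
echo "mj chrooted: $(chrooted mj "$SAMPLE_CONF")"       # YES: listed, chroot_local_user=NO
echo "root chrooted: $(chrooted root "$SAMPLE_CONF")"   # NO: not listed
```

Run it against the real file with `vsftpd_audit /etc/vsftpd/vsftpd.conf` after sourcing the script; adding chroot_local_user=YES to the sample flips both answers from chrooted, which is the reversal the comment block above warns about.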
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
If you activate the previous command, FTP clients can run the ls -R command on any available directory, which allows users to see the contents of subdirectories. However, this is disabled by default; a user who is logged into an FTP server multiple times could create a large load by running ls -R on all sessions.
The pam_service_name directive names the Pluggable Authentication Module (PAM) file associated with vsFTP. For more information on PAM, see Chapter 22.
This command makes vsFTP check for prohibited usernames in the /etc/vsftpd.user_list file.
#enable for standalone mode
listen=YES
This allows vsFTP to be run as its own daemon, supported by the vsftpd script in the /etc/rc.d/init.d directory. Otherwise, you could run vsFTP as an xinetd service, as described in Chapter 23.