ProFTPD security in practice



ProFTPD was developed to address the weaknesses of Wu-FTPD. Besides improved security, it offers many features Wu-FTPD lacks, such as the choice of running standalone or under xinetd.

ProFTPD has become the most popular FTP server after Wu-FTPD, and more and more sites use it to build secure and efficient FTP services. It is easy to configure, and optional MySQL and Quota modules can be combined to provide virtual (non-system) user accounts and per-user disk-space limits.

I. Security risks facing the ProFTPD service

The security risks facing a ProFTPD service include buffer overflow attacks, data sniffing, anonymous access defects and denial of service attacks.

1. Buffer overflow attacks

Buffer overflows have been a problem in computer systems for a long time. The most famous attack exploiting a buffer overflow was the Morris worm of November 1988. Even though the harm is well known, buffer overflows remain an important means of intrusion.

The concept: a buffer overflow is like trying to load a hundred kilograms of goods into a container that can only hold ten; the surplus spills over into whatever is next to it. It is a class of memory error that has troubled security experts for some thirty years. In short, it is a consequence of how programs handle memory: data written past the end of a fixed-size buffer overwrites adjacent memory. Such a memory error lets an attacker run malicious code, disrupt the normal operation of the system, or even gain control of the whole machine. For a network daemon such as an FTP server, which accepts attacker-controlled input before any authentication, this is the most serious class of flaw.

2. Data sniffing

FTP is a traditional network service and is inherently insecure: passwords and data are transmitted over the network in clear text, so anyone with ulterior motives can easily intercept them. Such services are also vulnerable to man-in-the-middle attacks.

In a man-in-the-middle attack, the attacker impersonates the real server to receive your data, then forwards it to the real server while impersonating you. Data passing between you and the server can be read and tampered with in transit, which leads to very serious problems. Passwords are captured mainly by brute-force guessing, and by running a sniffer that monitors network packets and captures the start of an FTP session, where the USER and PASS commands carry the credentials in the clear; a root password sent this way can be intercepted trivially.
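To make the brute-force point concrete, here is an added example (not part of the original article) that scans ProFTPD syslog lines for failed logins, counts them per client address and reports sources at or above a threshold. The log lines are constructed to approximate ProFTPD's "USER ... (Login failed)" and "no such user found" messages; the function names and the threshold of 3 are this example's own choices, not anything the article specifies.

```sh
#!/bin/sh
# Added example: count failed FTP logins per client IP from ProFTPD syslog
# lines and report sources that exceed a threshold. The sample lines are
# constructed to approximate ProFTPD's login-failure messages; they are not
# taken from a real server.

SAMPLE_LOG='Nov 10 10:00:01 ftp1 proftpd[2031] ftp1 (203.0.113.7[203.0.113.7]): USER admin (Login failed): Incorrect password.
Nov 10 10:00:02 ftp1 proftpd[2032] ftp1 (203.0.113.7[203.0.113.7]): USER admin (Login failed): Incorrect password.
Nov 10 10:00:02 ftp1 proftpd[2033] ftp1 (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password.
Nov 10 10:00:03 ftp1 proftpd[2034] ftp1 (203.0.113.7[203.0.113.7]): USER test (Login failed): Incorrect password.
Nov 10 10:00:05 ftp1 proftpd[2035] ftp1 (198.51.100.20[198.51.100.20]): USER alice (Login failed): Incorrect password.
Nov 10 10:00:09 ftp1 proftpd[2036] ftp1 (198.51.100.20[198.51.100.20]): USER alice: Login successful.
Nov 10 10:00:11 ftp1 proftpd[2037] ftp1 (203.0.113.7[203.0.113.7]): USER guest: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21'

# Read log lines on stdin; print "<count> <ip>" for every IP with at least
# one failed login, highest count first.
count_failed_logins() {
    awk '
        /Login failed|no such user found/ {
            # the client appears as "host (addr[addr]):"; pull the bracketed
            # address that is immediately followed by ")"
            if (match($0, /\[[0-9.]+\]\)/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 3)
                fails[ip]++
            }
        }
        END { for (ip in fails) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# Read log lines on stdin; print only the IPs whose failure count is >= $1.
flag_brute_force() {
    threshold="$1"
    count_failed_logins | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone demo over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | count_failed_logins
echo "--- sources at or above 3 failures ---"
printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 3
```

In production, feed the script from the real log (for example "tail -f /var/log/messages | ...") and act on the flagged addresses with a firewall rule; a successful login after a string of failures from the same address, as in the sample's 198.51.100.20, is still worth a look.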

3. Anonymous access defects

Anonymous FTP is widely supported, but because anonymous FTP performs no real authentication it readily provides intruders with an access channel; combined with a buffer overflow attack it can have very serious consequences.

4. Denial of service attacks

Denial of service is a low-tech attack with a very effective result: the server or network device is unable to provide its service for an extended period. Because the flaws exploited are inherent in the network protocols themselves, it is hard to propose a single effective solution. Defending against denial of service requires an overall defence strategy in which several measures work together to keep the harm to a minimum.

II. Hardening the ProFTPD server

1. Upgrade to the latest version

Upgrade old ProFTPD installations, because earlier versions have known vulnerabilities. For a newly configured ProFTPD server, using the latest stable version is the most sensible choice; the source code can be downloaded from the official website and compiled.

2. Run ProFTPD under xinetd

ProFTPD can run in two modes, standalone and xinetd (inetd). When the number of user accounts is relatively small and connections are infrequent, xinetd mode is recommended. Running ProFTPD under xinetd is an effective way to limit DoS attacks.

Under the traditional daemon model, every service the system offers needs its own daemon running and listening on a port for connections, which usually wastes resources. To solve this, Linux introduced the concept of a network "super-server" daemon.

Red Hat Linux 8.0 and later use xinetd (eXtended InterNET daemon) as this network daemon. In contrast to standalone mode, xinetd mode is also known as the Internet super-server.

xinetd monitors the specified ports simultaneously and accepts user requests; based on the port a request arrives on, it starts the appropriate network service process to handle it. xinetd can thus be viewed as a management server that decides which program a client request belongs to and then starts the corresponding daemon. The way xinetd mode works is shown in Figure 1.






Figure 1 xinetd mode network service

Compared with standalone mode, the system no longer needs a separate listening process for every network service: a single xinetd process listens on all the ports, reducing overhead and conserving system resources. But for heavily used services with frequent concurrent access, xinetd has to start the network service process again and again, which degrades system performance. To see how a Linux system has its services set up, run "pstree" on the command line and compare the two ways of starting network services.

xinetd provides functionality similar to inetd plus tcp_wrappers, but is more powerful and more secure. It can effectively limit denial of service attacks:

1. Limit the number of processes running simultaneously.

The instances option sets how many server processes may run concurrently:

instances = 20

When the number of connections handled by the server reaches 20, xinetd stops accepting further connection requests until the number of active connections falls below the set value.

2. Limit the maximum number of connections per IP address.

Limiting the number of connections a single host may open prevents one host from monopolising a service.

per_source = 5

Here each IP address may hold at most 5 simultaneous connections.

3. Limit by load.

xinetd can also use the system load to fend off denial of service. The load factor is a floating-point number; when the one-minute load average reaches it, the service stops accepting new connections:

max_load = 2.8

In the example above, when the system load reaches 2.8, the services carrying this limit are suspended until the load drops back below the set value. Note that xinetd must have been compiled with --with-loadavg for max_load to be honoured; otherwise the option is ignored. In this way some service processes are shut off when the system is overloaded, reducing the impact of a denial of service attack. Bear in mind that the limit cuts both ways: an attacker who can push the load above the threshold by any means also causes those services to be suspended.

4. Limit the connection rate. xinetd can set the connection rate with the cps option, for example:

cps = 25 60

The first parameter is the number of incoming connections per second the service may accept; if it is exceeded, the service is temporarily disabled. The second parameter is the number of seconds to wait before the service is re-enabled. In this example the server accepts up to 25 connections per second; once that rate is reached the service is stopped for 60 seconds, during which no requests are accepted.

Steps to run ProFTPD under xinetd:

(1) Check whether ProFTPD is already running

Make sure ProFTPD is not running in standalone mode: use "ps aux | grep proftpd" to find its process ID, then stop it with the kill command.

(2) Modify the configuration file

In /etc/proftpd.conf change the ServerType option from "standalone" to "inetd".

(3) Create the user group

groupadd nogroup

(4) Create the configuration file /etc/xinetd.d/proftpd with the following contents:

service ftp
{
    flags           = REUSE
    socket_type     = stream
    instances       = 30
    cps             = 25 60
    max_load        = 3.0
    wait            = no
    user            = root
    server          = /usr/local/sbin/proftpd
    log_on_success  = HOST PID
    log_on_failure  = HOST RECORD
    disable         = no
}

(5) Reload the xinetd configuration

killall -USR1 xinetd

(6) Connect to the server

Use "ftp localhost" to connect to the local server. If the connection is refused, use the command:

tail -f /var/log/messages

to see the error message.
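The six steps above, together with the xinetd limits from section 2, as one added script (this is an illustrative example, not a script from the original article or from the ProFTPD project). It uses the paths the article uses, /etc/proftpd.conf, /etc/xinetd.d/proftpd and /usr/local/sbin/proftpd, which are assumptions to adjust for your distribution. The generated service file adds per_source = 5, which the article explains but leaves out of its sample file. Nothing on the live system is touched unless the script is run with --apply; the helper functions work on whatever files they are given, so they can be tried on copies first.

```sh
#!/bin/sh
# Added example (not from the original article): switch a ProFTPD install
# from standalone mode to xinetd mode and apply the xinetd DoS limits.
# Assumed paths: /etc/proftpd.conf, /etc/xinetd.d/proftpd,
# /usr/local/sbin/proftpd. Live changes happen only with --apply.

# Set ServerType in a proftpd.conf; append the directive if it is missing.
# $1 = path to proftpd.conf, $2 = "inetd" or "standalone"
set_server_type() {
    conf="$1"; mode="$2"
    tmp="${conf}.tmp.$$"
    if grep -q '^[[:space:]]*ServerType' "$conf"; then
        sed "s/^[[:space:]]*ServerType.*/ServerType $mode/" "$conf" > "$tmp"
    else
        { cat "$conf"; echo "ServerType $mode"; } > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Read the effective ServerType back from a proftpd.conf (last one wins).
get_server_type() {
    awk '/^[[:space:]]*ServerType/ { print $2 }' "$1" | tail -n 1
}

# Write the xinetd service definition for ProFTPD.
# $1 = output file, $2 = path of the proftpd binary
write_xinetd_service() {
    out="$1"; bin="$2"
    cat > "$out" <<EOF
service ftp
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = $bin
    instances       = 30
    per_source      = 5
    cps             = 25 60
    max_load        = 3.0
    log_on_success  = HOST PID
    log_on_failure  = HOST RECORD
    disable         = no
}
EOF
}

# Print the value of one attribute from an xinetd service file.
# $1 = service file, $2 = attribute name (e.g. cps)
get_xinetd_attr() {
    awk -v key="$2" '$1 == key && $2 == "=" {
        sub(/^[^=]*=[[:space:]]*/, ""); print; exit
    }' "$1"
}

if [ "${1:-}" = "--apply" ]; then
    # (1) stop the standalone daemon, if one is running
    pkill -x proftpd 2>/dev/null || true
    # (2) switch the server to inetd mode
    set_server_type /etc/proftpd.conf inetd
    # (3) group referenced by the default "Group nogroup" directive
    getent group nogroup >/dev/null || groupadd nogroup
    # (4) xinetd service file with the DoS limits
    write_xinetd_service /etc/xinetd.d/proftpd /usr/local/sbin/proftpd
    # (5) soft reconfiguration: SIGUSR1 makes xinetd re-read its config
    pkill -USR1 -x xinetd
    # (6) verify by hand: ftp localhost, and tail -f /var/log/messages on failure
    echo "ProFTPD now runs under xinetd; test with: ftp localhost"
fi
```

Running the script with no arguments only defines the functions, so you can source it and call, say, "write_xinetd_service /tmp/proftpd.xinetd /usr/local/sbin/proftpd" to inspect the generated file before touching /etc. ProFTPD itself drops from root to the User/Group set in proftpd.conf after start-up, which is why the service runs as root under xinetd.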