Linux security settings in the FTP server

On the Internet, anonymous FTP is a very popular service, commonly used by software download sites and for exchanging software and web content. Opening up an anonymous FTP service raises security issues during setup, and we discuss some of them here.

The following settings are proposed from the past experience of many sites. We believe each site can choose among them according to its own requirements.

Setting up anonymous FTP

A. The FTP daemon

Sites must make sure they are running the latest version of the FTP daemon.

B. Setting up the anonymous FTP directory

The anonymous FTP root directory (~ftp) and its subdirectories should not be owned by the ftp account or belong to the same group as the ftp account. This is a common configuration problem. If these directories are owned by ftp or belong to the ftp account's group and are not write-protected, an intruder can add files (for example a .rhosts file) or modify other files. Many sites find it acceptable to use the root account: making the anonymous FTP root directory and its subdirectories owned by root, with the group set to system, and protected so that only root has write permission (for example chmod 0755) will help keep your FTP service secure.

The following is an example of the anonymous FTP directory settings:

drwxr-xr-x  7 root system 512 Mar  1 15:17 ./
drwxr-xr-x 25 root system 512 Jan  4 11:30 ../
drwxr-xr-x  2 root system 512 Dec 20 15:43 bin/
drwxr-xr-x  2 root system 512 Mar 12 16:23 etc/
drwxr-xr-x 10 root system 512 Jun  5 10:54 pub/

All files and libraries, especially those used by the FTP daemon and those in ~ftp/bin and ~ftp/etc, should be protected in the same way as the directories in the example above. These files and libraries should not be owned by the ftp account or belong to the ftp account's group, and they must be write-protected.

We strongly recommend that sites do not use the system /etc/passwd as the password file in ~ftp/etc, or the system /etc/group as the group file in ~ftp/etc. Placing these files in ~ftp/etc allows an intruder to obtain copies of them. These files are optional and are not used for access control.

We recommend that you use dummy versions of both ~ftp/etc/passwd and ~ftp/etc/group. These files must be owned by root. The DIR command uses these dummy files to display the owner and group names of files and directories. Sites should make sure that ~ftp/etc/passwd does not contain any account name that also appears in the system /etc/passwd. These files should contain only the owner and group names needed to display the FTP file and directory hierarchy. In addition, make sure the password fields have been cleared beforehand, for example by replacing the password field with "*".

The following is an example of the anonymous FTP password file used at CERT:

ssphwg:*:3144:20:Site Specific Policy Handbook Working Group::
cops:*:3271:20:COPS Distribution::
cert:*:9920:20:CERT::
tools:*:9921:20:CERT Tools::
ftp:*:9922:90:Anonymous FTP::
nist:*:9923:90:NIST Files::

The following is an example of the anonymous FTP group file used at CERT:

cert:*:20:
ftp:*:90:

C. Providing writable directories in your anonymous FTP area

Allowing users to store files on an anonymous FTP service is a risk. We strongly advise sites not to create an upload directory as a matter of course unless the associated risks have been considered. CERT/CC has received many incident reports in which upload directories were used for the illegal transfer of copyrighted software or for exchanging username and password information. We have also received reports of denial of service caused by malicious users filling the file system with files.

This section describes three methods for addressing this problem. The first is to use a modified FTP daemon. The second is to restrict writing to specific directories through directory permissions. The third is to use a separate file system.

Using a modified FTP daemon

If your site plans to provide a directory for file uploads, we recommend using a modified FTP daemon to control access to the upload directory. This is the best way to avoid unwanted writable areas. Some suggestions:

1. Make uploaded files inaccessible until the system administrator has examined them and moved them to an appropriate place for people to download.

2. Limit the amount of data that can be uploaded in a single session.

3. Limit the total amount of data transferred according to the available disk space.

4. Increase logging so that inappropriate use is discovered early.

If you want to modify the FTP daemon, you should be able to obtain the source code from your vendor, or you can obtain open-source FTP daemons from the following locations:

wuarchive.wustl.edu   ~ftp/packages/wuarchive-ftpd
ftp.uu.net            ~ftp/systems/unix/bsd-sources/libexec/ftpd
gatekeeper.dec.com    ~ftp/pub/DEC/gwtools/ftpd.tar.Z

CERT/CC has not formally tested, evaluated or endorsed the FTP daemons mentioned here. Which FTP daemon to use is the responsibility of each user or organization, and CERT/CC recommends that each organization evaluate these programs thoroughly before installing them.

Using directory protection

If you want to provide an upload service on your FTP site and cannot find a way to modify the FTP daemon, a more complex directory structure can be used to control access. This method requires advance planning and cannot prevent improper use of the writable FTP area 100%, but many sites still use it.

To protect the top-level directory (~ftp/incoming), give anonymous users only search (execute) permission on it (chmod 751 ~ftp/incoming). This lets users change into the directory (cd) but does not let them list its contents. Example:

drwxr-x--x 4 root system 512 Jun 11 13:29 incoming/

Under ~ftp/incoming, use directory names known only to the people you allow to upload. To make the names hard for others to guess, choose them as you would choose passwords. Do not use the example names below (so that nobody who has read this can find your directory and upload files into it):

drwxr-x-wx 10 root system 512 Jun 11 13:54 jAjwUth2/
drwxr-x-wx 10 root system 512 Jun 11 13:54 MhaLL-iF/

It is very important to understand that once a directory name leaks out, intentionally or not, this method offers no protection. As soon as most people know the directory name, you can no longer keep the area away from those you wanted to exclude. If you learn that the directory name has become known, you must remove the directory or rename it.

Using a separate file system

If you want to provide an upload service on your FTP site and cannot find a way to modify the FTP daemon, you can concentrate all uploaded data on a single file system mounted on ~ftp/incoming. If possible, mount a separate hard disk on ~ftp/incoming. The system administrator should keep checking this directory (~ftp/incoming) to know whether the upload area has become a problem.
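As an added example that is not part of the original guidelines or of CERT's material, the following POSIX shell script builds a scratch copy of the anonymous FTP tree described in sections B and C above with the permission bits the text recommends, audits it for anything writable by group or other outside the upload area, and checks the dummy passwd file against a system password file for shared account names. It assumes a scratch directory passed as an argument and does not change ownership, because chown needs root; the ownership rule (nothing owned by ftp or in the ftp group) is therefore left to the administrator. The drop directory reuses the page's example name jAjwUth2, which, as the text says, you should not use on a real server.

```shell
#!/bin/sh
# Added example: scratch anonymous FTP tree, permission audit, dummy-passwd check.
# Assumption: ROOT is a directory we may create files in; ownership is not
# changed here (chown needs root), so only mode bits are set and checked.

# make_ftp_tree ROOT: create ROOT/{bin,etc,pub} at 0755 (owner-only write),
# ROOT/incoming at 0751 (anonymous may cd in but not list) and one
# hard-to-guess drop directory at 0733 (anonymous may write but not list).
make_ftp_tree() {
    root="$1"
    mkdir -p "$root/bin" "$root/etc" "$root/pub" "$root/incoming/jAjwUth2"
    chmod 0755 "$root" "$root/bin" "$root/etc" "$root/pub"
    chmod 0751 "$root/incoming"
    chmod 0733 "$root/incoming/jAjwUth2"   # page's example name; do not reuse
    # Dummy passwd/group files for DIR output only: no real account names,
    # password field cleared with '*', as the text recommends.
    printf 'ftp:*:9922:90:Anonymous FTP::\n' > "$root/etc/passwd"
    printf 'ftp:*:90:\n' > "$root/etc/group"
    chmod 0644 "$root/etc/passwd" "$root/etc/group"
}

# audit_ftp_tree ROOT: print every entry outside ROOT/incoming that is
# writable by group or other. Returns 0 when the tree is clean, 1 otherwise.
audit_ftp_tree() {
    root="$1"
    bad=$(find "$root" -path "$root/incoming" -prune -o \
            \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/WRITABLE: /'
        return 1
    fi
    return 0
}

# check_dummy_passwd ROOT SYSTEM_PASSWD: return 1 if any account name in the
# dummy ROOT/etc/passwd also appears in the real system password file.
check_dummy_passwd() {
    root="$1"; syspw="$2"
    cut -d: -f1 "$root/etc/passwd" | while read -r name; do
        if grep -q "^$name:" "$syspw"; then
            echo "SHARED-ACCOUNT: $name"
            exit 1      # exits the pipeline subshell, making the function fail
        fi
    done
}
```

Run the audit periodically against the real ~ftp; any line starting with WRITABLE: outside the upload area is exactly the kind of misconfiguration that lets an intruder drop a .rhosts file, and any SHARED-ACCOUNT: line means the dummy passwd file is leaking a real account name.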

Restricting FTP users to their own directories

Anonymous FTP users can be restricted nicely to a specified directory, but regular (non-anonymous) FTP users are not restricted by default, so they are free to read the root directory, system directories and other users' directories, including any files other users have left readable.

How can regular users be restricted to their own directories in the same way as anonymous users? Here we use Red Hat and wu-ftpd as an example.

1. Create a group with the groupadd command. You can use the existing ftp group or any other group name.

----- Related command: groupadd ftpuser

----- Related file: /etc/group

----- Help: man groupadd

2. Create a user, for example testuser, with the adduser command. If testuser already exists, you can edit the /etc/passwd file directly to put the user into the ftpuser group.

----- Related command: adduser testuser -g ftpuser

----- Related file: /etc/passwd

----- Help: man adduser

3. Modify the /etc/ftpaccess file, adding a guestgroup definition: guestgroup ftpuser. The change I made was as follows; the last five lines were added:

compress yes all
tar yes all
chmod no anonymous
delete no anonymous
overwrite no anonymous
rename no anonymous
chmod yes guest
delete yes guest
overwrite yes guest
rename yes guest
guestgroup ftpuser

Besides the guestgroup ftpuser line, the other four lines must be added as well. Otherwise, after logging in, the user is indeed unable to return to the parent directory (so the restriction works), but can only upload and cannot overwrite or delete files!

----- Related command: vi /etc/ftpaccess

----- Related file: /etc/ftpaccess

----- Help: man ftpaccess, man chroot

4. Copy the necessary files into the user's home directory: copy the bin and lib directories that come with the FTP server under /home/ftp/ into the user's home directory, because some commands (mainly ls) need library support; without them, directories and files cannot be listed.

----- Related command: cp -rf /home/ftp/lib /home/testuser; cp -rf /home/ftp/bin /home/testuser

5. Also, do not forget to turn off the user's telnet access, otherwise all our work is wasted. How do we keep the user from logging in with telnet? It is simple: add the line /dev/null to /etc/shells, then edit /etc/passwd directly and set the user's shell to /dev/null.

----- Related command: vi /etc/passwd

This step can also be done in step 2, when the user is first created.

----- Related command: adduser testuser -g ftpuser -s /dev/null

A small tip: if you copy the bin and lib directories under /home/ftp into /etc/skel, every newly created user automatically gets bin and lib directories copied into their home directory; you can also add public_html and cgi-bin directories there.

After these settings, all FTP actions of the user testuser will be limited to the /home/testuser directory.